Security Response
Showing posts for August of 2011
Cathal Mullaney | 31 Aug 2011 16:56:41 GMT
There has been a lot of coverage of the recent RDP-capable W32.Morto worm, but one of the more interesting aspects of the worm’s behavior appears to have been overlooked. Most malware we have seen recently has some means of communicating with a remote command and control (C&C) server; the actual communication vector varies between threats. For example, W32.IRCBot uses Internet Relay Chat channels, whereas the recent high-profile threat Trojan.Downbot is capable of reading commands embedded in HTML pages and image files. W32.Morto has added another C&C communication vector by supplying remote commands through Domain Name System (...
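
The DNS vector deserves a detection note. W32.Morto retrieves its commands from DNS TXT records, and a workstation that repeatedly asks for TXT records under one registered domain stands out against the normal spread of A/AAAA lookups. The Python below is an added example written for this page, not code from Symantec or from the Morto analysis: it reads resolver log lines in a constructed three-column format (client, query name, query type), aggregates TXT queries per client and registered domain, and flags pairs that exceed a threshold. The log format, the thresholds, and the assumption that a bot varies the leading label of the name to defeat caching are assumptions of the example, as is the two-label rule for the registered domain.

```python
"""Flag hosts whose DNS query pattern looks like command retrieval over DNS.

Heuristic: a workstation normally issues A/AAAA lookups spread across many
domains. A bot polling a C&C domain for commands issues repeated lookups of
a record type workstations rarely use (TXT here) against one registered
domain, often with a changing label in front of it.
"""
from collections import defaultdict
import re

# Constructed resolver log lines for this example: "client qname qtype".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.5 cdn.example.net AAAA
10.0.0.7 a1f3.cc.evil-example.org TXT
10.0.0.7 b77e.cc.evil-example.org TXT
10.0.0.7 9c02.cc.evil-example.org TXT
10.0.0.7 d4d4.cc.evil-example.org TXT
10.0.0.7 www.example.com A
10.0.0.9 _dmarc.example.com TXT
10.0.0.9 www.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registered_domain(qname):
    """Last two labels of the name (assumption: adequate for .com/.org style
    TLDs; use a public suffix list for ccTLDs such as co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def parse_log(text):
    """Yield (client, qname, qtype) from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3).upper()


def find_dns_cnc(text, min_txt_queries=3, min_unique_names=2):
    """Return {(client, domain): (txt_count, unique_names)} for pairs where
    one client issued at least min_txt_queries TXT lookups under one
    registered domain, using at least min_unique_names distinct names."""
    txt = defaultdict(lambda: [0, set()])
    for client, qname, qtype in parse_log(text):
        if qtype != "TXT":
            continue
        key = (client, registered_domain(qname))
        txt[key][0] += 1
        txt[key][1].add(qname)
    return {k: (n, len(names)) for k, (n, names) in txt.items()
            if n >= min_txt_queries and len(names) >= min_unique_names}


if __name__ == "__main__":
    for (client, dom), (n, u) in sorted(find_dns_cnc(SAMPLE_LOG).items()):
        print(f"{client} -> {dom}: {n} TXT queries, {u} distinct names")
```

Mail servers legitimately issue many TXT lookups (SPF, DKIM, DMARC) but across many domains rather than one, so tune the thresholds per host role, and treat a hit as a lead to inspect the returned TXT data rather than as a verdict on its own.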
khaley | 31 Aug 2011 03:12:41 GMT

Famous or infamous, when you make news, the scammers pay attention. While we have come to expect the famous and infamous to show up in malware attacks that use spam and SEO poisoning, we shouldn’t be surprised when scammers leverage the spotlight that current events shine on the infamous. As Samir Patil blogged on Monday, the Gaddafi family is showing up in 419 scams. After all, few of us know a real Nigerian prince, but most of us have heard of Gaddafi, know he is in a bit of trouble, and might have the resources to buy his way out of trouble.

I can’t predict how events in Libya will end for the Gaddafi family. But I do predict that they will become very popular not only in 419 scams, but in a variation called the inheritance con.

Like the 419/Spanish prison scam, the inheritance con goes way back. The most famous version is the Drake scam, which started shortly after the...

Samir_Patil | 29 Aug 2011 11:44:45 GMT

Scammers love to feast on human weakness. This time they aim to exploit human ‘need and greed’ to the fullest. Using recent news is common in spam. For example, the Libyan uprising, with the rise and fall of Gaddafi, has left a large vacuum, with money trapped in the crossfire. Logically, a third-party mediator is needed (scammers love to highlight that), and who could be better for that role than YOU? So act immediately! Don’t waste time; give your lucky stars a chance to shine.

We are monitoring various emails from senders claiming that Gaddafi’s wife, daughter, and personal guard are moving huge amounts of money out of Libya. Here are scam samples we came across as soon as Tripoli was captured: camouflaged traps for anyone who would allow himself or herself to be ensnared by greed.

Subject: Cooperation - Please Treat Urgently!

Gavin O Gorman | 26 Aug 2011 13:57:38 GMT

W32.Xpaj.B is one of the most complex and sophisticated file infectors Symantec has encountered. In an older blog post, Piotr Krysiuk calls it an “upper crust file infector.” He describes several different approaches that the infector uses to increase the difficulty in detecting infected samples. The techniques W32.Xpaj.B uses to conceal itself within an executable are far beyond the norm. Given this level of complexity, it was decided to analyze the threat in detail.

The analysis revealed IP addresses for the command & control (C&C) servers. Infected W32.Xpaj.B executables send a download request to these C&C servers. Analysis of the threat’s backend control infrastructure...

Timothy Lee | 24 Aug 2011 07:04:08 GMT

As you sit down and open Outlook to delete yet another “Satisfy her in bed tonight!” solicitation from Angelina Jolie, do you ever wonder if every spam email on earth looks the same? It is true that certain phrases in spam seem to resurface ad nauseam in every language imaginable, such as “replica watch”, “reloj”, and “ologi”. Ultimately, however, just as with customs, food, and clothing, culture and lifestyle dictate people’s behavior and affect how they use computers. Spam works very much like advertising in that it also caters to different groups based on their cultural backgrounds and local trends, for maximum scamming benefit. Below I will highlight an example of spam specific to Asia to demonstrate how spam from the Far East differs from the typical pharmaceutical (“med”) and 419 scams seen elsewhere.

Keiba (horse racing) scams

Japan has one of the biggest...

Nicolas Falliere | 24 Aug 2011 03:33:41 GMT

W32.Virut is a Windows file infector that’s been around since 2006. It usually makes the top 10 in threat charts and therefore deserves regular scrutiny.

Analysis of recent variants shows that the communication protocol between the bots and the command and control (C&C) server was strengthened to prevent blacklisting, sinkholing, and hijacking of the C&C servers.

Virut connects to one of two IRC servers that act as the command and control (C&C) servers (note that they are currently and The IRC commands are usually encrypted and tunneled over TCP ports 80 or 443, used by HTTP and HTTPS respectively. The main commands sent by the C&C instruct bots to download and install additional malware.

Because these domains can be blacklisted or blocked, the first improvement...
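
For the tunneling described above (IRC commands on TCP 80 and 443), the practical network check is whether traffic on those ports actually looks like HTTP or TLS. The Python below is an added example for this page, not Symantec’s code and not anything taken from Virut: it inspects the first client payload of each flow, accepts an HTTP request line on port 80 and a TLS ClientHello record on port 443, labels plaintext IRC command verbs, and reports everything else as unexpected. The flow records, addresses and payloads are constructed for the example.

```python
"""Flag TCP flows on 80/443 whose first client payload is not HTTP or TLS.

A bot that tunnels its C&C protocol over ports 80/443 relies on those ports
being open at the perimeter. Checking the first bytes of the client's payload
against what the port is meant to carry catches plaintext IRC and anything
else that is neither an HTTP request nor a TLS ClientHello.
"""
import re

HTTP_REQUEST_RE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n")
IRC_VERB_RE = re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG|PING|PONG|CAP) ")


def looks_like_http_request(payload):
    """True if the payload begins with an HTTP/1.x request line."""
    return HTTP_REQUEST_RE.match(payload) is not None


def looks_like_tls_client_hello(payload):
    """TLS record header: type 0x16 (handshake), version 3.x, then the
    handshake message type 0x01 (ClientHello). An SSLv2-compatible hello
    (first byte with the high bit set) is deliberately not recognised."""
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x03
            and payload[5] == 0x01)


def classify_flow(dst_port, payload):
    """Return 'ok', 'irc-plaintext' or 'unexpected' for one flow's first
    client payload. Encrypted IRC will land in 'unexpected'."""
    if dst_port == 80 and looks_like_http_request(payload):
        return "ok"
    if dst_port == 443 and looks_like_tls_client_hello(payload):
        return "ok"
    if IRC_VERB_RE.match(payload):
        return "irc-plaintext"
    return "unexpected"


# Constructed flows for this example: (src, dst, dst_port, first client payload).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.5", "192.0.2.10", 443,
     b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32),
    ("10.0.0.7", "198.51.100.9", 80,
     b"NICK qwe123\r\nUSER qwe123 8 * :qwe123\r\n"),
    ("10.0.0.7", "198.51.100.9", 443,
     bytes(range(0x40, 0x60)) + b"\x8a\x1f\xc3"),
]


def suspicious_flows(flows):
    """Return (src, dst, port, verdict) for flows whose payload does not fit the port."""
    out = []
    for src, dst, port, payload in flows:
        verdict = classify_flow(port, payload)
        if verdict != "ok":
            out.append((src, dst, port, verdict))
    return out


if __name__ == "__main__":
    for src, dst, port, verdict in suspicious_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} {verdict}")
```

Because the check looks only at the first client payload, a bot that completes a genuine TLS handshake before speaking its own protocol passes it; pair the check with destination reputation and with the regular beacon timing that a C&C poll produces.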

Hon Lau | 23 Aug 2011 18:21:07 GMT

Technical analysis: Poul Jensen, Illustrations: Ben Nahorney

It is a given that many malicious software threats seen today download additional software components to perform various activities. With the transition from malware written for fun to profit-driven malware, and the connected nature of the computer-using population, it is not unusual to see threats download other files onto compromised computers. While there has been much public discussion lately about advanced persistent threats (APTs), which also use software-downloading techniques to augment their capabilities, other threats doing the rounds are not concerned with industrial espionage or national security. Perhaps because the likes of Trojan.Badlib do not necessarily target this kind of high-value information, they may be considered of lesser...

Sammy Chu | 22 Aug 2011 11:12:33 GMT

In the past we have seen malicious attacks pretending to be shipment notifications from various parcel delivery services. Now the New York State DMV has become the latest “brandjacking” victim for a series of malware attacks.

Here is what the fake message looks like: is the name of the malicious attachment, and it is being identified as a variant of Trojan.FakeAV—one of the most prolific risks seen on the Internet today.  Every day, bogus antivirus and security applications are released and pushed to unsuspecting users through a variety of delivery channels. Many of these programs turn out to be clones of each other. They are often created from the same code base, but presented with a different name and look, which is achieved through the use of a "...

Mayur Kulkarni | 22 Aug 2011 10:53:03 GMT

In the past few weeks, we have observed an old spam tactic re-emerging. Spammers are again using news feeds to populate the subject header of spam messages. This technique has been used in the past in directory harvesting attacks to gather valid email addresses; those attacks usually lasted only one or two weeks, perhaps because the goal of collecting email addresses had been served. This time not only is the duration longer, but the spammers have been selective in their news agency: it is only “BBC News” at this time.

Pharmacy-related spam is employing this technique, obviously attempting to get curious readers to open these emails. Techniques like placing an interesting news topic in the subject line may compel users to open a spam email, which indirectly gives spammers a chance to advertise their products and possibly sell them. In...

khaley | 19 Aug 2011 16:30:16 GMT
In 2004, Massachusetts Senator Edward “Ted” Kennedy was refused an airline boarding pass by the Transportation Security Administration (TSA) on five different occasions. Despite being from one of the most famous families in American politics, not to mention being a U.S. Senator, he still appeared on a no-fly list designed to prevent terrorists from boarding airplanes. This was a mistake; one that took three weeks to clear up. No explanation was ever publicly given. One has to assume that there was someone else, presumably a suspected terrorist, with a similar name.
I was reminded of that incident at Black Hat, where Alessandro Acquisti from Carnegie Mellon University presented a paper called, “Faces of Facebook: Privacy in the Age of Augmented Reality” (which is also the starting point for the...