Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts for September of 2011
Showing posts in English
Samir_Patil | 27 Sep 2011 15:41:19 GMT

The holiday season is about to commence and spammers have resurfaced with new offers well in advance. We have already observed spam for Christmas and New Year in the month of September, not to mention spam for Halloween, which is fast approaching!

So, what’s on the spammers’ holiday menu?  Well, there are virus e-cards, bogus meds, some interesting Internet gift offers with crazy discounts, and loans to help you celebrate a spammy whammy Christmas and to welcome the New Year! And don’t despair, because for Halloween you have the much coveted replica products! The list is definitely going to extend as the season comes closer. Discussed in detail below is the spammers’ vacation bonanza.

Here are some of the various spam subject lines being used for the upcoming holiday season:

Subject: Re: Happy new year!!!!
Subject: You have received a Christmas Greeting Card!
Subject: Rolex For You Now -85%
Subject: With...

Samir_Patil | 23 Sep 2011 21:39:48 GMT

Thanks to Shravan Shashikant and the Norton Confidential Online team for providing the data, and to Christopher Mendes for compiling it.

Does phish taste better than spam? Yes, perhaps it does. Allow me to explain.

The recent past has been one of the most volatile financial periods in history. World economies have reached a very critical stage—sovereign debt crises, bailouts, loan defaulters causing banks to shiver, sales shrinkages causing trade surplus, and bankruptcies. Add to all of this the fears of a double-dip economic recession theory making the rounds and it looks like a really dreadful picture.

But how does this affect the consumer from the point of view of email security? The consumer is the fulcrum point, the hinge of the story! All these negatives hits consumer spending in a very big way. The first wave of recession had definitely dented consumer confidence, and with the “Double Dip” theory lurking on the horizon it...

Samir_Patil | 19 Sep 2011 20:20:39 GMT

Thanks to Anand Muralidharan for contributing to this blog.

Recently there was a serious bomb blast outside the high court in Delhi, the capital of India. The blast happened on September 7, 2011, and the investigations are continuing with the National Investigation Agency (NIA). News of this terrifying event is being used by spammers to promote fake pharmaceutical products. In the past we’ve seen Mumbai terror attack news used by spammers for advertising pills—we blogged about it in Spammers Attempting to Cash in on Mumbai Terror.

Below are some spam subject samples:

Subject: Delhi explosion
Subject: Bombing at Delhi court kills 10

The domains that are included with these latest spam messages lead users to fake online pharmacies. Using domain names...

Joji Hamada | 19 Sep 2011 11:07:17 GMT

W32.Morto first made headlines in August because of its capability to spread by Windows Remote Desktop Protocol (RDP). The worm was unique because it was the first of its kind to use the protocol.  However, this wasn't the only unique aspect of the worm. My colleague, Cathal Mullaney, also discovered that W32.Morto introduced the usage of Domain Name System (DNS) records for communicating commands from the attacker to the worm.  We have been monitoring W32.Morto and the commands it has been receiving from the DNS queries since its discovery; however, the downloaded files have not performed any meaningful activities during the three week period.

But now we are finally seeing a change in the updates. This latest update contains the same traits of the original W32.Morto such as storing...

Nicolas Falliere | 14 Sep 2011 05:24:59 GMT

(Note: This blog was written on September 2. We decided to postpone publishing it due to an ongoing joint effort to shut down servers and block domain names. The variant studied is not the latest but accurately reflects the functionalities of the threat.)

Trojan.Bamital appeared in the summer of 2010. The threat really became prevalent at the beginning of 2011, shortly after the discovery of the B variant. Bamital hooks into various browsers in order to modify search results and redirect the user to advertisement links. In this blog, we’re going to dissect a recent variant of Bamital to understand how the click-fraud scheme is implemented.

Installation

Bamital comes as a UPX-packed executable. When executed, it drops two components to the %CommonFiles% folder...

Joji Hamada | 13 Sep 2011 21:06:35 GMT

Thanks to Takayoshi Nakayama for his research and contributions to this blog.

Targeted attacks have been a pretty popular topic of discussion in the security industry in recent years. Many may recall the incident involving Hydraq—from January 2010—and Shady RAT was something discussed more recently.

Most targeted attacks involve emails with malware attachments as the trigger point of the attack. Once a computer is infected with the malware, an attacker can compromise not only the computer, but can also work to expose the infrastructure of the targeted organization and the sensitive data it possesses.

In the early stages of the targeted attacks involving emails that I started seeing around 2005, attachments included files such as Word documents, Excel spreadsheets, PowerPoint...

Robert Keith | 13 Sep 2011 20:02:22 GMT

Hello and welcome to this month’s blog regarding the Microsoft patch release. This is a smaller month in terms of patches—the vendor has released five bulletins covering a total of 15 vulnerabilities.

This month, all of the issues are rated “Important” and they affect Windows, Office, Excel, and SharePoint. Of note this month are the Office and Excel issues, which can be exploited to execute arbitrary code if a user opens a specially malformed file.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of...

Samir_Patil | 09 Sep 2011 21:50:48 GMT

Thanks to Vivek Krishnamurthi for contributing to this blog.

Every sensitive event is an opportunity to exploit. With this motive in the background, it is not surprising to see spammers exploit 9/11.  With the 10th anniversary of the tragedy just a day away, spammers want to make the best use of this emotionally charged environment. 

Here are two examples of scams that Symantec has noticed in recent days that attempt to exploit the emotional scars left by 9/11:
 
First email example exploiting 9/11
Figure 1: First email example exploiting 9/11
 
 
Second email example exploiting 9/11
Figure 2: Second email example exploiting 9/11
 
The first sample tries to entice...
Livian Ge | 09 Sep 2011 10:19:42 GMT

There are more and more known viruses that infect the MBR (Master Boot Record). Symantec Security Response has published a blog to demonstrate this trend last month. However, we seldom confront with one that infects the BIOS. One of them is the notorious CIH appeared in 1999, which infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS which allows the threat to take control of the system even before MBR.

The threat will drop a driver to %system%\drivers\bios.sys, then stop the beep service and replace %system%\beep.sys with the dropped one. After that it restarts beep service to load the dropped driver. 

bios.sys is used to interact with BIOS such as get BIOS info, flash and backup...

khaley | 08 Sep 2011 07:40:44 GMT

Ten years later, it is tempting to say that the September 11th terrorist attacks against the U.S. changed everything. It is indisputable that it changed many things, and without a doubt it changed how we think about security, how we deploy security, and what we spend on security.

But, we have not seen a significant impact on cyber security. The events of 9/11 drove a deep concern with physical security, but in 2001 no one saw a physical threat originate from a computer. That said, in the last ten years, we have seen a significant evolution in the Internet security threat landscape.
 

  Major Threats Fame
2001 Code Red
Nimda
...