Security Response
Showing posts for October of 2011
Samir_Patil | 31 Oct 2011 19:04:30 GMT

Contributor: Anand Muralidharan

Recently, the death of Libyan leader Muammar Gaddafi triggered a malware attack which Symantec previously blogged about. We have observed spammers' continued delight with this news event through the sending of malicious attack and 419 spam messages.

In the spam targeting residents of Brazil, a video showing Gaddafi asking for mercy and containing disturbing images also carries malware. By clicking the link provided in the email, users actually download a malicious executable file. Symantec has identified this threat as Trojan.Ransomlock!gen4.

The email...

Shunichi Imano | 28 Oct 2011 01:58:02 GMT

Recently, a new threat called Android.Fakeneflic has taken advantage of gaps in the availability of a legitimate video streaming service in order to target mobile users in North America. Here is another example of social engineering at work; however, this time the users that are being targeted are in Eastern Europe.

Premium SMS dialers have always been a problem on the mobile threat landscape, especially in Eastern Europe, where dialers showed up on mobile phones not long after the introduction of the micro edition of the Java Virtual Machine (JVM) for mobile devices. It should therefore come as no surprise that the authors responsible for leveraging this lucrative revenue source appear to be making a switch to newer platforms. Here is the latest example of a...

Nishant Doshi | 27 Oct 2011 19:00:17 GMT

Over the last few months we have been trying to look deeper into how Web-based malware gets distributed. A lot has been written about the underground economy and how one can buy exploit kits, such as Blackhole, from underground websites. But once the attacker has bought the exploit kit, how do they infect computers? This blog focuses on a distribution channel that makes use of Traffic Distribution Systems or TDS for short.

How does a TDS work? In a nutshell, a TDS vendor buys and sells Web traffic. While this is a very old concept, it has become very popular for exploit delivery over the last few years.

Let’s say you own a website and you want to make money from it. One way you could do that is by having various interesting and contextual links on your page. When a visitor clicks one of these links, the click is redirected to a TDS vendor. Essentially you are selling the click on your website to this TDS vendor, who in turn sells this click or traffic to the...

Nishant Doshi | 27 Oct 2011 11:06:12 GMT

In the last few months we have seen a variety of spam campaigns propagating on social networking websites. Most of these attacks use some flavor of social engineering tactics. Every now and then, we see some innovative social engineering techniques used by attackers. Here is one such technique that tricks the victim into revealing their all-important Facebook Anti-CSRF token.

Cross-site Request Forgery attacks
A Cross-site Request Forgery (CSRF) is a type of attack in which attackers can re-use an already authenticated session to a website to perform unwanted actions on that website without the user’s knowledge or consent. For example, let’s say that a user is logged into his or her banking website. If this bank’s website suffers from a CSRF weakness, then another malicious website (say, can instruct the user’s browser to navigate to...

Karthikeyan Kasiviswanathan | 26 Oct 2011 18:01:04 GMT

In recent days, we have seen blogs about a specific type of Mass Injection campaign. We take this opportunity to publish our findings in this blog.

This particular campaign has already picked up pace and it is infecting a lot of innocent users out there. It all starts with a script that is injected into certain sites. The script itself points to one particular site: “http://[REMOVED]/urchin.js”. Throughout this blog, we will see the different exploits that this particular campaign uses in order to install malicious files on to a compromised computer.

Upon visiting a site with the injected script, the user is redirected to a malicious site. A subsequent redirection takes the user to a site that contains an obfuscated script. When the script is decoded, it reveals an embedded iFrame tag. Below is an example of the de-obfuscated iFrame tag embedded in the site.

Mathew Maniyara | 25 Oct 2011 21:55:06 GMT

Co-author: Avdhoot Patil

Celebrity promotion has gained momentum in the world of phishing. In October 2011, we observed Indonesian rock star Ahmad Dhani being used as phishing bait, and phishers continue their stream of celebrity bait with popular singers Selena Gomez and Demi Lovato. Celebrities with a large fan following are phishers' favorites (because they believe a larger audience will mean more duped users).

In today's example, phishers created phishing sites that spoofed the login pages of a popular information services website. The phishing pages contained a picture of the singer, and the page was altered to give the impression that users could gain access to additional content about the celebrity after entering their own login credentials. It should be noted that legitimate websites will never alter the format of their login page for celebrity promotions. After the...

Stephen Doherty | 24 Oct 2011 02:05:39 GMT

Threat Analysis: Alan Neville

As word spreads of the death of Muammar Gadhafi, cybercriminals are starting to take advantage. We are already seeing spam campaigns related to his death with malicious attachments. Here are a couple of examples of what we have seen so far.

This particular campaign claims that Muammar Gadhafi's death may not be true. The attachment is a malicious help file that contains Backdoor.Misdat as the payload.

Another example follows, but the attachment was corrupt. Thus, an unsuspecting user would not, in fact, have infected their computer if they had attempted to open the attached archive.

We expect to see many more of these emails over the next few days, typically with...

Eric Chien | 21 Oct 2011 23:00:30 GMT

I wrote Symantec's original blog post describing the discovery of Duqu. In that blog I use the term "industrial control system manufacturers" and (after discussions with a variety of parties) we want to change that term to "industrial industry manufacturers" to more accurately define where Duqu has been found. We already made this change to our paper.

Finding the correct term can sometimes be a challenge. When we first wrote about Stuxnet, we originally used the term SCADA (supervisory control and data acquisition) and quickly discovered the proper term was "industrial control systems". In the computer security industry, we actually have specific definitions of viruses, worms, and trojans, while the general public often refers to any malware as just a virus. (In an unrelated...

Symantec Security Response | 21 Oct 2011 16:56:58 GMT

As mentioned in our previous blog, W32.Duqu was first brought to our attention by a research lab who had been investigating a targeted attack on another organization. This research was conducted by the Laboratory of Cryptography and System Security (CrySyS) in the Department of Telecommunications, Budapest University of Technology and Economics. CrySyS identified the infection and observed its similarity to W32.Stuxnet. They stated that no data was leaked as part of this attack.

We are grateful to CrySyS; sharing their findings allowed us to identify further attacks taking place. We have now determined that the originally targeted organization was one of a limited number of targets, which include those in the industrial infrastructure industry. CrySyS has issued a statement regarding their analysis here:

The latest...

Mathew Maniyara | 19 Oct 2011 00:10:04 GMT

Thanks to the co-author of this blog, Avdhoot Patil.

In January 2011, Symantec reported adult scams that targeted Indonesian Facebook users. These scams claimed to have an application in which users could view adult videos of Indonesian celebrities, taken from hidden cameras.

It seems that phishers are now using specific celebrities as bait for their phishing sites. This is unlike the previous Indonesian adult scams whose phishing pages gave the impression that the adult video would be of a random celebrity. In October 2011 phishers continued their adult scams on Facebook, but this time they chose the Indonesian rock star Ahmad Dhani in particular. Dhani is the frontman of the rock bands “Dewa 19” and “Ahmad Band”. The phishing site contained a photograph of Ahmad Dhani and Indonesian singer Dewi Persik. The Indonesian caption of...