Video Screencast Help
Scheduled Maintenance: Symantec Connect is scheduled to be down Saturday, April 19 from 10am to 2pm Pacific Standard Time (GMT: 5pm to 9pm) for server migration and upgrades.
Please accept our apologies in advance for any inconvenience this might cause.

Security Response

Showing posts for November of 2011
Showing posts in English
Mathew Maniyara | 30 Nov 2011 18:07:31 GMT

Co-Author: Avdhoot Patil

Symantec is familiar with baits commonly used in Chinese phishing sites. A grand prize, for instance, is often used as phishing bait. This November, 2011, phishers continue with the same strategy by including a brand new iPad 2 for a prize. The phishing sites were hosted on a free webhosting site.

The phishing page spoofs the Chinese version of a social networking gaming application. What is most interesting about the phishing page is that it displays a warning for an incorrect password (in red) even before any user credentials are entered. The phishing site announces to users that all fields are required to be filled before proceeding to the lucky draw. Users are prompted to enter their email address, password, email password, and birth date. The phishing site then states the winning email addresses will be drawn and winners would receive an iPad 2 and...

Emily Liu | 28 Nov 2011 19:27:40 GMT

Article contributed by Emily Liu, Symantec Security Response Technician

Most of the Russian spam emails we usually encounter are about online advertising, product promotion, and training workshops. These spam emails typically are sent out unsolicited from free or hijacked personal email accounts, without opt-out, and have randomized subjects to avoid being caught in spam filters. Despite the use of random subjects, we continue to observe spammers who like to list phone numbers in the email as the only available means of contact instead of direct URL links.

Here is an example of a recent Russian event promotion spam:

Here is the English translation:

Figure 1. Russian-language spam promotion...

Andrea Lelli | 28 Nov 2011 16:23:32 GMT

Recently, Symantec observed a modified variant of Zeusbot/Spyeye which uses peer-to-peer (P2P) architecture to communicate. The original Zeusbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major point of failure for the bot because the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to gain back control of the bot, but the solution was not very efficient. (Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server is not a typical C&C in its functionalities, but is mainly a collector of information from the drones.)

To overcome these limitations the attackers have now decided to use...

Joji Hamada | 23 Nov 2011 04:28:05 GMT

A type of fraud involving adult related content, called “one-click fraud”, has been targeting computer users in Japan for a while now. Typically, the fraud involves users attempting to access content on websites, which are usually pornography-related. When a user attempts to access this content-- in most cases the content is a movie--malware is downloaded and executed on the compromised computer along with the actual movie. The malware then continuously displays pop-up windows with lewd pictures asking for payment to register to the website. Since the pop-up windows will not go away, many users end up paying for the service in the hope that the pop-ups will disappear, although they may not actually disappear. Users who share the computer with their friends and families are more likely to make the payment as they would rather keep their potentially embarrassing surfing habits a secret. Some time ago I wrote...

Sammy Chu | 22 Nov 2011 00:17:22 GMT

How does Symantec know it's the week of Thanksgiving? Because as the busiest travel day of the year day quickly approaches, the day just before Thanksgiving , there is a surge in fake email ticket confirmations that lead to viruses.

Here is what a fake airline message looks like:

If you inspect the HTML coding for this message carefully, you will notice a malicious link in the anchor tag:

This link redirects to a known malware-hosting site in Russia which previously hosted Trojan.Maljava. Trojan.Maljava is a detection name used by Symantec to identify malicious Java files that...

Mathew Maniyara | 12 Nov 2011 00:21:01 GMT

Co-Author: Avdhoot Patil

When phishing through social media, fake applications are a key technique used by phishers to introduce new kinds of baits. In October, 2011, phishers launched a new fake application named "Maldivian App". The phishing site was hosted on a free webhosting domain. It should be noted the legitimate site does not provide such an application.

Phishers put in more creative thought and time than usual in designing this phishing page. The phishing site contained an image with details about the application and included a form for Web users to enter login credentials. The image presents a ribbon in the tricolors of the Maldivian flag accentuated with the logo of a social networking brand and a Maldivian flag T-shirt. A prominent description of the application boasts that, after logging in, users would receive "cool news" about the Maldives.

For those interested in learning more about Maldives, wouldn’t it be...

Samir_Patil | 10 Nov 2011 17:04:30 GMT

Sporting events are always popular among the spammers. Formula 1, a game of speed, thrill, and action, is no exception. In the past we have seen spam messages ranging from cheap and/or fake game tickets to phishing  around almost all major sporting events.

We are observing spam targeting the upcoming F1 Grand Prix which is being held November 11-13, 2011 in Abu Dhabi. Although the winner of the 2011 World Championship has already been decided by the last few races, this event is import because it is near the end of the 2011 season and the drivers will be scoring vital points to retain their positions.

Here is an example spam message:

The spam message invites users to attend the race in Abu Dhabi, UAE. Spammers offer a private table, champagne, canapé reception, open bar at the venue, and many more luxurious items. The attractive deal with “limited availability for...

khaley | 10 Nov 2011 11:32:13 GMT

Here’s a money making idea: find some advertisers and tell them you can put their ads on billboards at half the going rate. You don't own any billboards? No problem, just go paste the ads over the ones on someone else's billboards.

This idea has not really caught on in the real world—it's impractical to run around town, climbing up poles, and plastering ads on someone else's billboard. You’re also limited to the billboards you can physically reach. Plus it's illegal.

The Internet is another story. There are no physical limitations, no climbing, and some people don't have an issue with doing illegal things, especially when they don't think they'll get caught. The good news is they do get caught, but we'll come back to that.

So what is the equivalent of a billboard on the Internet? A website. Getting people to visit a website and view ads on it is big business. This attracts cyber criminals who try to figure...

Robert Keith | 08 Nov 2011 22:48:11 GMT

Hello, welcome to this month’s blog on the Microsoft patch release. This is a small month—the vendor is releasing four bulletins covering a total of four vulnerabilities.

Only one of this month's issues is rated ‘Critical’ and it affects the Windows TCP/IP stack. It potentially can be exploited to completely compromise an affected computer. The remaining issues affect Active Directory, Windows Mail, and Windows kernel-mode drivers.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s...

Symantec Security Response | 06 Nov 2011 14:57:38 GMT

In late September 2011, it was reported that a previously unknown and un-patched vulnerability in Hancom Office (a word processing software predominantly used in Korea) was exploited in the wild. We often hear of new exploits targeting software used worldwide and while these incidents tend to grab all the attention, we also encounter instances of regional software, which often have a limited user base becoming an exploit target. One example of a similar regional software that was also exploited in malware attacks is Ichitaro - a word processing software mostly used in government organizations and their associates in Japan. 

In this case, we managed to track down a couple of malware samples that exploited the reported vulnerability in the Hancom products. The samples are in document files (file extension .hwp) and an exploit attempt is made when the document is opened on a machine installed...