Security Response
Showing posts for December of 2011
Showing posts in English
Joji Hamada | 29 Dec 2011 10:15:41 GMT

Recently, we discovered malware in the wild in the form of document files, such as PDF and Word, using password protection. The malware is used as an email attachment in limited, targeted attacks.

Passwords for document files are commonly used to prevent unauthorized access to the files by encrypting them with passwords. However, attackers are misusing the password feature to encrypt files, most likely to make it difficult for security products to detect them as malware. It also makes reverse-engineering the files difficult because they need to be decrypted before analysis can be performed.

The malware itself isn’t anything special. It is no different from the common attachments used in typical targeted attacks except for the fact that the files require passwords to be opened. Various office suite software includes a password encryption feature, so document files are not the only...

Kazumasa Itabashi | 23 Dec 2011 11:40:41 GMT

Adobe Systems released a security update for Adobe Acrobat and Reader 9.x for Windows on December 16, 2011, in order to fix a zero-day vulnerability. As Vikram Thakur reported recently, there have been zero-day attacks using this PDF vulnerability, dropping Backdoor.Sykipot on to the compromised computer.

We have found another variant of PDF malware in the wild using the same vulnerability. This version of PDF malware uses an encryption method that is found natively in the PDF specifications. As I wrote in my Portable Document Format Malware whitepaper, the encryption method used by PDF...

Mathew Maniyara | 20 Dec 2011 02:17:51 GMT

Co-Author: Avdhoot Patil

Symantec is familiar with phishing sites which promote fake offers for mobile airtime. In December 2011, phishing sites using these fake offers as bait returned. The phishing sites were hosted on free web hosting.

When end users enter the phishing site, they receive a pop-up message stating they can obtain a free recharge of Rs. 100.

Upon closing the pop up message, users would arrive at a phishing page which spoofs the Facebook login page. The contents of the page would be altered to make it look as though the social networking site was giving away free mobile airtime. A list of 12 popular mobile phone services from India would be displayed with their brand logos. Once the page completes...

Irfan Asrar | 19 Dec 2011 18:30:30 GMT

Hacktivism, or as one blogger put it “Revolution 2.0”, is something I would describe as an activist agenda where there may be no visible monetary gain by the instigator. Instead the overall goal is to send a message or get a point across. Even though, on occasion, the message may be something many will sympathize with, this doesn’t mean it’s a victimless crime. In many cases, the cost of getting an agenda across may involve using resources (even people without consent). An example of this emerged over the past weekend. For many across the Arab world, December 18, 2010, marked the birth of what has now come to be commonly known as “The Arab Spring”. Among the many online tools that are being used to coordinate, inform, and get the word out about protests, Symantec has discovered a Trojan mass-mailer/downloader embedded in an Android App.

The Trojan was...

Robert Keith | 13 Dec 2011 20:31:11 GMT

Hello, welcome to this month’s blog on the Microsoft patch release. This is an average month—the vendor is releasing 13 bulletins covering a total of 19 vulnerabilities.

Three of this month's issues are rated ‘Critical’ and they affect Media Player, Microsoft Time ActiveX control, and the public issue regarding TrueType fonts (currently being exploited by Duqu malware). The remaining issues affect Windows, the kernel, Internet Explorer, Active Directory, Word, Excel, PowerPoint, Active Directory, Publisher, and Office.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter...

Symantec Security Response | 13 Dec 2011 13:07:51 GMT

Thanks to Masaki Suenaga and Andy Xies for their analysis.

Following the tweet from our @threatintel Twitter account last night about malicious applications targeting users in European countries, Symantec Security Response has identified another group of fraudulent apps on the Android market, but this time under a different publisher ID. From our analysis, the 11 newly discovered apps are published under the name “Miriada Production” and are identical to the apps published under the name “Logastrod”. These apps are capitalizing on popular game titles, and masquerade as these games, but in fact they just send two texts to premium-rate, local SMS numbers in the country where the SIM card is registered. The app also prevents notifications from being displayed if the incoming text is from certain numbers.

Once notified of these apps by Symantec, Google...

Symantec Security Response | 12 Dec 2011 14:59:01 GMT

Authored by Tony Millington and Gavin O’Gorman

The intercepted email in this blog was provided by

The Nitro Attacks whitepaper, published by Symantec Security Response, was a snapshot of a hacking group’s activity spanning July 2011 to September 2011.  The same group is still active, still targeting chemical companies, and still using the same social engineering modus operandi. That is, they are sending targets a password-protected archive, through email, which contains a malicious executable. The executable is a variant of Poison IVY and the email topic is some form of upgrade to popular software, or a security update. The most recent email (Figure 1) brazenly claims to be from Symantec...

Vikram Thakur | 08 Dec 2011 19:16:45 GMT

Thanks to Stephen Doherty, Andrea Lelli, Nicolas Falliere, Paul Mangan, Asuka Yamamoto, and Sean Kiernan for their technical contributions.

Recently, we posted two blogs about attacks leveraging the latest Adobe vulnerability. These attacks are part of a long-running series of attacks using the Sykipot family of malware. Sykipot has been used in targeted attacks for at least the past couple of years, and unconfirmed traces date back to as early as 2006. The latest wave spiked on December 1, 2011 with a huge uptick of targeted entities being sent a PDF containing a zero-day exploit against Adobe Reader and Acrobat (CVE-2011-2462).

Symantec classifies the set of Trojans used by these attackers as ‘Sykipot’ and includes detection names such as...

Peter Coogan | 08 Dec 2011 11:31:04 GMT

As underhanded as it is, there are people out there who want to spy on other people’s smartphone activity. However, anyone looking to invade the privacy of a smartphone user may just as likely find themselves becoming a victim of fraud. SMS Privato Spy is a product that is marketed as allowing you to view the phone screen live, activate and listen on the microphone, view call logs, and perform GPS tracking at all times. Sounds impressive, and all for a price tag of $50-125 depending on the package chosen.

If you are still not sold on the product they even provide a video on the site showing an interview on with a company called the Federal Forensics Group reviewing what is supposedly SMS Privato Spy.

The thing is there is no such product as SMS Privato Spy. The interview on with...

Stephen Doherty | 07 Dec 2011 16:36:31 GMT

Adobe has issued a public advisory regarding a critical vulnerability (CVE-2011-2462) that affects:

  • Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh
  • Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh
  • Adobe Reader 9.4.6 and earlier 9.x versions for UNIX

This critical vulnerability has recently been seen exploited in the wild in targeted attack emails sent on November 1st and 5th. This attack leverages the zero-day vulnerability in order to infect target computers with Backdoor.Sykipot.

We have seen Backdoor.Sykipot used in targeted attacks since January,...