Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts for January of 2012
Showing posts in English
Mayur Kulkarni | 01 Feb 2012 01:13:10 GMT

Nothing can be more enticing than to be chosen for some free goodies—be it mementos, a cash prize, or a ticket to watch a game. It gets even more interesting if you are from a cricket crazy continent and suddenly, out of the blue, you receive an email saying that you are “the chosen one”!

What would you do? At first thought you would pounce on the opportunity, like a jungle tiger does its prey. But hang on a second! What you might be thinking is an opportunity of a lifetime, sadly, is just the opposite. Let me put it bluntly: if you have received such an email, you are "the chosen prey”. And if you decide to reply to it, then you could be in for some big trouble!

Millions of people get scammed every day with such fantastic offers. The sad part of the story is that many get plundered in this game. Scammers put in a lot of planning before sending out such emails. Upcoming events are focused upon, strategies are formalized, and...

Symantec Security Response | 30 Jan 2012 23:45:40 GMT

Last week, we posted a blog informing Android users of the discovery of new versions of Android.Tonclank, which we have named Android.Counterclank. The blog generated a bit of discussion over whether these new versions should be a concern to Android users. When classifying applications, our focus is on whether users want to be informed of the application's behavior, allowing them to make a more informed choice regarding whether to install it.

The situation we find ourselves in is similar to when Adware, Spyware, and Potentially Unwanted Applications first made appearances on Windows. Many security vendors did not initially detect these applications, but eventually, and with the universal approval of computer users, security companies chose to notify users of these types of applications...

Sammy Chu | 30 Jan 2012 20:08:01 GMT

Malware is often embedded in email as compressed attachments (such as .zip, .rar, etc.). Recently, however, Symantec has noticed an increase in malicious email attacks with .htm (HTML) attachments.

Here is what the message looks like in your inbox:

The attack contains a .htm attachment and obfuscated JavaScript is embedded in the coding of the file. The purpose of the JavaScript is to redirect your internet browser to a malware-hosting site in Russia which contains Trojan.Pidief and Trojan.Swifi.

Malicious JavaScript, when injected into an HTML file, can:

  • Exploit browser and plugin vulnerabilities to run arbitrary code
  • Display fake antivirus scans and other fraudulent...
Shunichi Imano | 27 Jan 2012 13:06:53 GMT

Symantec Security Response is aware of in-the-wild malware exploiting the Microsoft Windows Media Player 'winmm.dll' MIDI File Parsing Remote Buffer Overflow Vulnerability (BID 51292). Microsoft has already issued a patch against this vulnerability in the monthly patch release this January. Applying the patch is strongly recommended.

There are several components involved in this live attack:

  • a.exe
  • baby.mid
  • i.js
  • mp.html

Symantec products detect mp.html and i.js as Trojan.Malscript. The vulnerable baby.mid file is detected as Trojan Horse and the end-result file, a.exe, is...

Irfan Asrar | 27 Jan 2012 12:49:19 GMT

Symantec has identified multiple publisher IDs on the Android Market that are being used to push out Android.Counterclank. This is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device.

For each of these malicious applications, the malicious code has been grafted on to the main application in a package called “apperhand”. When the package is executed, a service with the same name may be seen running on a compromised device. Another sign of an infection is the presence of the Search icon above on the home screen.

The combined download figures of all the malicious apps indicate that Android....

Mathew Maniyara | 27 Jan 2012 00:13:11 GMT

Co-Author: Avdhoot Patil

Phishers often choose baits with the motive of reaching out to a large number of end users. In December, 2011, phishers’ choice of bait were songs from the Indian movie "Bodyguard" (starring Salman Khan and Kareena Kapoor). Due to the popularity of the soundtrack, phishers anticipated a large target audience which could improve their chances of harvesting user credentials. This particular phishing site was hosted on a free web hosting site.

The phishing site targeted Facebook and it played a music video from the movie in the bottom left corner of the phishing page. The main content of the phishing page promoted songs as custom graphical "skins" for social networking profiles. The phishing page then encouraged users to enter their social network login credentials, stating that after logging in they could listen to popular songs and enjoy several features. The phishing site also boasted news of being the...

Symantec Security Response | 26 Jan 2012 12:33:00 GMT

The Sykipot campaign has been persistent in the past few months targeting various industries, the majority of which belong to the defense industry. Each campaign is marked with a unique identifier comprised of a few letters followed by a date hard-coded within the Sykipot Trojan itself. In some cases the keyword preceding the numbers is the sub-domain's folder name on the Web server being used. Here are some examples of the campaigns we have seen so far:

  • alt20111215
  • auto20110413
  • auto20110420
  • be20111010
  • chk20111219
  • chksrv20111122
  • easy20110720w
  • easy20110926n
  • good20110627
  • help20110908
  • help20110926
  • info20111025
  • info20111028
  • info20111031G
  • insight20111122
  • pretty20111101
  • pretty20111122
  • pub2011124x
  • server20111212
  • webmail20111122
  • ...
Samir_Patil | 25 Jan 2012 12:22:00 GMT

Spam levels always rise when a holiday or special event approaches. Symantec researchers are observing a surge of spam as Valentine’s Day gets closer and closer. Unbelievable discounts on jewelry, dinners, and expensive gift articles are the key themes for the Valentine’s Day related spam. Further popular fake promotions include: online pharmaceuticals, fake e-cards, gift cards, chocolates, and flowers. The purpose of these fake promotions is to capture a user’s personal and financial details.

Valentine’s Day related spam can easily be spotted by observing the “From” header as shown below:

  • From: "Valentine's Berries" <info@
  • From: "Valentine's Bouquets" <info@
  • From: "Valentine's Gifts" <info@
  • From: "Valentine's Presents" <info@
  • From: "...
Fred Gutierrez | 24 Jan 2012 19:11:40 GMT

Contributor: Masaki Suenaga

We certainly are! It is American football season and the Super Bowl is right around the corner. Apparently, so are the malware authors. It would not be the first time they took advantage of this sporting event. Back in 2007, the Dolphins (hosts for Super Bowl XLI) had their website compromised by links to malicious JavaScript. Several visitors looking up Super Bowl information on this site were hit with an exploit pack designed to attack their Web browsers and install hidden malware. Taking a page out of their playbook, Android malware authors this season bring us a fake version of the popular gaming franchise, Madden NFL 12. Being over 5 MB in size, it certainly looks like a game worth trying! Once installed, it will even display the following icon:

After the user launches the app, there is, unfortunately, no...

Sean Butler | 24 Jan 2012 02:38:43 GMT

Recently, I came across a scam email that is trying to take advantage of the hype surrounding the yet-to-be-released iPad 3. The release date of the iPad 3 is still unknown but spammers are already jumping on the bandwagon in the hope of scamming people who will be eager to get their hands on one of these devices.

The scammers introduce themselves as Mark Zuckerberg, the CEO of Facebook. The email then states how Facebook have joined up with Apple for a one time promotion – to give away an iPad 3 at no cost. This is, of course, all false information but the scam attempts to entice potential victims by stating how they have been randomly selected from a Facebook database. It is possible that a user could potentially be deceived by this ruse if they receive this email to the email address they have used to register with Facebook.

The user is then asked to click on a link and fill out a survey. The goal of the scammers here is to obtain personal information from...