Video Screencast Help
Security Response
Showing posts for February of 2012
Showing posts in English
Irfan Asrar | 27 Feb 2012 19:33:30 GMT

When you know that the goal of a piece of code is to ultimately result in monetary gain for the author, analysis becomes a lot easier; it is a matter of just putting the pieces together until you can figure out how the payload is translated into tangible value. But take away the monetary gain element and, even if you are able to find out what makes something tick in minute detail, you are never quite sure what the final intent of the author was.

However, in the case of Android.Moghava, while there appears to be no monetary gain involved, I would describe it as a juvenile stunt with slight overtones of political satire.

From our analysis of an Iranian recipe app infected with this threat (distributed from a third party and not the Android market), the malware is embedded as an additional package called Moghava. Moghava in Farsi translates as “cardboard...

Fred Gutierrez | 27 Feb 2012 16:27:12 GMT

We are currently tracking a banking Trojan called Trojan.Neloweg. Looking at early infection numbers, we noticed that a small number of users were compromised in the UK and the Netherlands.

Digging into the threat, we saw that the login credentials of these users (including banking credentials) may have been stolen.  A partial list of affected bank pages can be seen below.

In order to see where other infections were occurring, we took a more global look at the infection numbers. Apparently the threat has been localized to Europe.

Trojan.Neloweg operates similar to another banking Trojan known as...

Joji Hamada | 24 Feb 2012 19:36:14 GMT

Contributor: Yi Li

Since our discovery, the server-side polymorphic APK malware called Android.Opfake has continued to evolve, modifying the algorithm for its polymorphic functionality used to evade detection. It also continues to change the names of the applications it pretends to be and is creating countless domains to host its malicious files. Now the developers of the threat appear to be making a major upgrade. This can be seen from the permissions the malicious apps request during install. Typically, old variants used to only ask for permissions like the following:

The permission to send SMS messages was essentially all the malware needed to charge the owner of the compromised device premium SMS rates. Now, the malware wants permissions to...

Andrea Lelli | 22 Feb 2012 06:44:03 GMT

We blogged about a parallel Zeusbot/Spyeye build near the end of last year that introduced some improvements in the botnet, moving the network architecture away from a simple bot-to-C&C system and introducing the beginnings of a peer-to-peer model. This new variant new uses P2P communication exclusively in order to keep the botnet alive and gathering information.

Previously, every compromised computer was a peer in the botnet and the configuration file (containing the URL of the C&C server) was distributed from one peer to another. This way, even if the C&C server was taken down, the botnet was still able to contact other peers to receive configuration files with URLs of new C&C servers.

With the latest update, it seems that the C&C server has disappeared entirely for this functionality. Where they were previously sending and receiving control messages to and...

Jason Zhang | 22 Feb 2012 04:49:19 GMT

We keep seeing new waves of PDF file-based attacks that exploit the Adobe Acrobat and Reader CVE-2010-0188 Remote Code Execution Vulnerability (BID 38195) that exists in certain unpatched versions of a popular PDF reading application. All these attacks were stopped by Symantec’s Skeptic™ technology

A typical example of such an exploited PDF sample contains highly obfuscated JavaScript, as shown in figure 1.

Figure 1: Portion of obfuscated JavaScript

The JavaScript was embedded in an XFA object (object 8 in the above figure) in an Acrobat Form. The JavaScript manipulated a subform field by using a reference to an embedded element, “qwe123b” in the example. When such...

Sean Butler | 21 Feb 2012 16:55:45 GMT

Recently I came across an airline booking confirmation phishing email.  Whilst this is not necessarily a new phishing technique, the email and associated phishing website are quite interesting and at first glance could appear to be legitimate.  In the email, it states confirmation of payment made by credit card, and that the recipient should click an embedded link in order to print their tickets and flight information.

The email itself is in plain text and looks nothing out of the ordinary.  However, upon further investigation I noticed that the sending domain, which is spoofed, is not actually one associated with the airline.  It looks similar but the actual sending domain that is spoofed is for an air purifier and cleaner company and is not associated with the airline in any way.  This would appear to be just laziness on the part of the spammer for not checking that the...

Samir_Patil | 21 Feb 2012 15:24:14 GMT

Thanks to Poonam Keluskar for their assistance with this research.

Maslenitsa (Маслница) is a religious holiday celebrated in Russia and Ukraine during the last week before Lent, i.e. the seventh week before Pascha (Easter). This festival is also known as Pancake week or Butter week. During this week people enjoy the social activities that are forbidden during the prayerful Lenten season, such as partying, dancing etc. This year the Maslenitsa will be celebrated from February 20 to February 26.

We are observing Maslenitsa spam targeting Russian and Ukrainian users that offers attractive tour packages. Similar to other Russian spam messages like online marketing promotions, spammers have provided a phone number to book the carnival package.

Below is a sample of a tour package spam:



Samir_Patil | 17 Feb 2012 11:43:08 GMT

Thanks to Anand Muralidharan for their assistance with this research.

The world is mourning the loss of another legendary pop singer also known as the queen of pop - Whitney Houston. Spammers are paying homage to the icon with a wicked malware. The malicious email shows a video of the last appearance of the star in a Los Angeles night club and also downloads an executable binary. This file is detected by Symantec Antivirus as WS.Reputation.1.

The email originated from Ireland and targets Portuguese readers. The malicious file is hosted on a hijacked Japanese website. The email subject is randomized by adding random numbers at the end of the subject field.

Here are a few...

Robert Keith | 14 Feb 2012 19:40:31 GMT

Hello, welcome to this month’s blog on the Microsoft patch release. This is a larger month—the vendor is releasing 9 bulletins covering a total of 21 vulnerabilities.

Six of this month's issues are rated ‘Critical’ and they affect Internet Explorer, .NET, Windows, and GDI. The remaining issues affect Internet Explorer, Windows, Visio, and SharePoint.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the February releases can be found here:

Joji Hamada | 10 Feb 2012 18:48:23 GMT

We have continued monitoring the massive campaign involving SMS Fraud on the mobile platform for a while now as new activities are constantly taking place. New domains are created practically every day and new variants are being released consistently. Most activities are not really noteworthy. However, we did discuss a recent development of interest regarding the APK malware using server-side polymorphism. And earlier this week, we came across a new type of site that is not technically interesting, but is worthy of a mention in order to warn people about the new activity.

A little while back, a fake Android Market was developed that hosted various Apps that were ultimately malware. As you can see below, the page looks slightly different from the official Android Market.