Security Response
Showing posts for March of 2012
Satnam Narang | 28 Mar 2012 18:23:08 GMT

In recent years, scammers have flocked to social networking sites as those sites have grown, because they offer easy access to a large audience of potential victims whose attention can be converted into dollars. Brands have found value in using social media to learn what their customers are talking about, so, naturally, scammers are doing exactly the same thing.

Free iPads and iPhones

Every time Apple unveils a new iPad or iPhone, you can bet there are scammers trying to leverage the announcement for financial gain. In the days leading up to and following the announcement of the third-generation iPad, Twitter users who tweet about the new tablet are likely to receive targeted Twitter replies from scammers offering the device for free:

The links are usually masked behind URL-shortening services, so the real destination is not visible in the tweet itself. These links actually...

Irfan Asrar | 28 Mar 2012 02:31:21 GMT

It was only a few weeks ago that concerns were raised about the lack of restrictions on photo access on the Android platform: no permission was required to read image files, so a user who unwittingly installed a malicious app could have private photos leaked. A new variant of Android.Oneclickfraud identified in the wild shows that these concerns should not be underestimated.

As previously described, this type of fraud is an extortion scam that uses pornography to lure users into downloading a smartphone app. Once installed, the app harvests personal information and then opens a Web page. This page displays a fake registration form containing the harvested personal...

Mario Ballano | 27 Mar 2012 22:14:23 GMT

There has been a lot of confusion over the last few hours after an application named “МТС Мобильная Почта” (MTS Mobile Mail) was automatically added to the My Apps section of some Samsung devices as an apparent application upgrade, even though these devices had never installed the application. Some users thought this was a bug in Google’s update mechanism, but it appears Google is not responsible for these unintended updates.

When Android was first released, Symantec tested multiple upgrade scenarios to determine which fields are mandatory for an upgrade to occur and whether rogue publishers could replace existing applications. Applications developed for the Android platform are required to declare a unique identifier, known as the package name. We determined that, along with this identifier, three other items are required before an application can be updated through...

Symantec Security Response | 27 Mar 2012 12:09:20 GMT

The Taidoor family of Trojans is at the centre of a lengthy and sustained malware campaign that has been active for several years. The approach used by the Taidoor attackers is the standard, textbook email-based targeted attack. When Taidoor attacks first began in 2008, the main targets were government agencies. Over time, the focus broadened to include a significant interest in the media, financial, telecom and manufacturing sectors as well. From the recent data available to Symantec, we can see that the attackers' interest has shifted to “think tank” type organizations, which have been the intended recipients of the vast majority of the targeted emails sent since 2011.

The attackers generally compromised their targets by exploiting vulnerabilities in document formats, delivering the malicious documents as email attachments. The most common...

Nick Johnston | 23 Mar 2012 11:56:08 GMT

Fake antivirus software or "scareware" is nothing new, but these applications continue to get more sophisticated. We recently discovered a relatively new fake antivirus application called Windows Risk Minimizer.

The fake antivirus software was promoted through spam sent from a popular webmail service. This is slightly unusual, as fake antivirus infections normally arrive through drive-by exploits. The spam messages contained links to compromised domains, which then redirected users to the fake antivirus site. We witnessed over 300 compromised domains being used in just a few hours.

When the fake antivirus site is opened, the user is greeted with a JavaScript alert in which the fake antivirus (referred to here as "Windows Secure Kit 2012") claims that the machine is infected.

When OK is clicked, a fake scan...

Symantec Security Response | 20 Mar 2012 23:04:42 GMT

We recently received a file that looked very familiar. A quick investigation showed it to be a new version of W32.Duqu. The file we received is only one component of the Duqu threat, however: it is the loader file used to load the rest of the threat when the computer restarts (the rest of the threat is stored encrypted on disk). The component we received, the driver file (.sys), is highlighted in the image below, taken from our Duqu whitepaper:

As you can see, the component we received is only one small part of the overall attack code and we continue to monitor for related components and new versions.

The compile...

Eric Park | 20 Mar 2012 18:41:34 GMT

During the past two weeks, Symantec has observed an increase in hit & run spam activity (also known as snowshoe spam) in its Global Intelligence Network. Hit & run spam messages have the following characteristics:

  • Usually originate from IP ranges with a neutral reputation
  • Use a large IP range to dilute the amount of spam sent from each IP address, so that no single address sends enough to trip volume-based blocking
  • Contain features (such as the Subject line, From line, and URLs) that change quickly
  • Use the URL as the call to action
  • Often use a large number of “throw-away” domains in a single spam campaign
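The characteristics above can be turned into a simple per-range heuristic. The following Python is an added example, not Symantec code and not part of the original post: it groups mail-log lines by /24 sender block, counts distinct sender IPs, per-IP volume and how quickly From-domains and call-to-action URL domains rotate, and flags blocks that match the hit & run pattern. The log format, the thresholds and the sample lines are all assumptions constructed for the example; sender-IP reputation, the first characteristic, needs an external lookup and is deliberately left out.

```python
"""Hit & run ("snowshoe") spam detector run over constructed mail-log lines.

Added example, not Symantec code. The log format and thresholds are
assumptions; the lines in SAMPLE_LOG are constructed, not real traffic.
"""
import ipaddress
import shlex
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed log lines (assumed format): timestamp, sender IP, From-domain,
# quoted Subject, call-to-action URL taken from the message body.
SAMPLE_LOG = """\
2012-03-19T10:00:01 198.51.100.12 promo-a.example "Limited offer" http://deal-x1.example/go
2012-03-19T10:00:09 198.51.100.57 best-deals.example "Your coupon" http://deal-x2.example/go
2012-03-19T10:00:15 198.51.100.88 save-now.example "Act today" http://deal-x3.example/go
2012-03-19T10:00:22 198.51.100.131 quick-save.example "Last chance" http://deal-x4.example/go
2012-03-19T10:00:30 198.51.100.164 offer-hub.example "Big savings" http://deal-x5.example/go
2012-03-19T10:00:41 198.51.100.199 promo-b.example "Miss nothing" http://deal-x6.example/go
2012-03-19T10:00:47 198.51.100.210 hot-offer.example "Special" http://deal-x7.example/go
2012-03-19T10:00:58 198.51.100.243 deal-zone.example "Today only" http://deal-x8.example/go
2012-03-19T10:01:02 203.0.113.7 pharma-spam.example "Cheap meds" http://pills.example/buy
2012-03-19T10:01:03 203.0.113.7 pharma-spam.example "Cheap meds" http://pills.example/buy
2012-03-19T10:01:04 203.0.113.7 pharma-spam.example "Cheap meds" http://pills.example/buy
2012-03-19T10:01:05 203.0.113.7 pharma-spam.example "Cheap meds" http://pills.example/buy
2012-03-19T10:01:06 203.0.113.7 pharma-spam.example "Cheap meds" http://pills.example/buy
2012-03-19T10:02:10 192.0.2.10 news.example "Weekly digest" http://news.example/issue/12
2012-03-19T10:02:11 192.0.2.11 news.example "Weekly digest" http://news.example/issue/12
2012-03-19T10:02:12 192.0.2.12 news.example "Weekly digest" http://news.example/issue/12
2012-03-19T10:02:13 192.0.2.13 news.example "Weekly digest" http://news.example/issue/12
2012-03-19T10:02:14 192.0.2.14 news.example "Weekly digest" http://news.example/issue/12
"""


def parse_log(text):
    """Parse log lines into (sender_ip, from_domain, subject, url_domain) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, from_domain, subject, url = shlex.split(line)
        records.append((ipaddress.ip_address(ip), from_domain, subject,
                        urlsplit(url).hostname))
    return records


def group_by_block(records, prefix=24):
    """Bucket records by the enclosing network block (default /24)."""
    blocks = defaultdict(list)
    for rec in records:
        net = ipaddress.ip_network(f"{rec[0]}/{prefix}", strict=False)
        blocks[net].append(rec)
    return blocks


def block_stats(recs):
    """Per-block counters that map onto the snowshoe characteristics."""
    per_ip = Counter(r[0] for r in recs)
    return {
        "messages": len(recs),
        "ips": len(per_ip),                          # breadth of the IP range used
        "max_per_ip": max(per_ip.values()),          # how thinly the volume is spread
        "from_domains": len({r[1] for r in recs}),   # From-line rotation
        "subjects": len({r[2] for r in recs}),       # Subject-line rotation
        "url_domains": len({r[3] for r in recs}),    # throw-away call-to-action domains
    }


def is_snowshoe(stats, min_ips=5, max_per_ip=2, min_rotation=0.8):
    """Many sender IPs, each sending only a trickle, with rotating features.

    Thresholds are assumptions for this example. Sender-IP reputation (the
    first characteristic) needs an external lookup and is not modelled here.
    """
    rotation = max(stats["from_domains"], stats["url_domains"]) / stats["messages"]
    return (stats["ips"] >= min_ips
            and stats["max_per_ip"] <= max_per_ip
            and rotation >= min_rotation)


def summarize(text, prefix=24):
    """Map each network block (as a string) to its stats."""
    return {str(net): block_stats(recs)
            for net, recs in group_by_block(parse_log(text), prefix).items()}


def find_snowshoe_blocks(text, prefix=24):
    """Return the network blocks whose traffic matches the snowshoe pattern."""
    return sorted(net for net, stats in summarize(text, prefix).items()
                  if is_snowshoe(stats))


if __name__ == "__main__":
    for net, stats in summarize(SAMPLE_LOG).items():
        flag = "SNOWSHOE" if is_snowshoe(stats) else "-"
        print(f"{net:18} {flag:9} {stats}")
```

On the constructed input only 198.51.100.0/24 is flagged: eight addresses each send a single message with a different From-domain, Subject and URL domain. The single-host burst from 203.0.113.7 fails the breadth test (that pattern is what ordinary per-IP volume rules already catch), and the /24 in 192.0.2.0 is not flagged despite spreading across five hosts because its domains and URL never change, which is why breadth alone is not enough and the rotation ratio is part of the check.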

Here is a breakdown of the top three products or services promoted by such spam over the last week:


#1 Spam Promo

Mathew Maniyara | 19 Mar 2012 18:58:25 GMT

Co-Author: Avdhoot Patil

Phishing sites with adult content are not uncommon; phishers have often used adult content as bait in fake social networking applications. In March 2012, a phishing site spoofing a gaming brand claimed to offer an adult webcam application. The phishing site was hosted on a free web hosting service and the phishing page was in Italian.

A fake offer was presented on the phishing site with an adult webcam image placed below it. According to the offer, the gaming brand had prepared a list of users willing to perform nude webcam shows for a small price, or even for free. The site further claimed that by entering login credentials one could receive the names of the willing performers by email and add them to one's contact list. The site explained that login credentials were required because the brand had decided it could not disclose the performers' names outside the network, in order to protect their privacy. To gain...

Symantec Security Response | 16 Mar 2012 15:14:44 GMT

On Tuesday, March 13, Microsoft published a bulletin for a critical vulnerability in the Remote Desktop Protocol (RDP). A patch closing the hole was released the same day as part of the regular Patch Tuesday release: Microsoft Remote Desktop Protocol CVE-2012-0002 Remote Code Execution Vulnerability (BID 52353).

Because RDP listens on a TCP port (3389 by default), the vulnerability can be triggered over the network and could lead to remote code execution, so attackers are keen to develop a working exploit. Security Response can confirm that a proof of concept (PoC) for MS12-020 that results in a denial-of-service condition has been published. Symantec has released IPS signature 25610 (Attack: Microsoft RDP CVE-2012-0002 3) to block attempts to...

Symantec Security Response | 15 Mar 2012 19:17:10 GMT

Trojan.Hydraq is a piece of malware that we first saw in early 2010. It received a lot of media attention, especially since the targets it chose were very high-profile organizations. It has been a couple of years since we last mentioned it, so we thought we would provide an update on its activity since then.

Contrary to common belief, Hydraq never went away. Month after month we have observed the attackers using the threat relentlessly against organizations across many different market sectors. The infection vector is no different from most other targeted attacks: a well-tailored email is sent to specific recipients with a link to an exploit-hosting website; exploitation leads to download and execution of the Trojan; the Trojan gathers system information and exfiltrates it to a remote server; and a remote server is contacted periodically to see if...