Security Response
Showing posts for April of 2012
Symantec Security Response | 30 Apr 2012 16:15:53 GMT

We've been busy in the labs reverse engineering the various components of OSX.Flashback.K to determine the true motivation behind the malware. Let's take a look at this Mac Trojan in more detail.

The Infection
It's now well-known that the latest OSX.Flashback.K variant was being distributed using the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507), which was patched by Oracle in February. Unfortunately for Mac users, there was a large window of exposure since Apple's patch for this vulnerability was not available for six weeks.

This window of...

Peter Coogan | 26 Apr 2012 18:55:39 GMT

In a recent blog we talked about Trojan.Ransomlock.K and the use of a control panel on a command-and-control (C&C) server which gave it the ability to serve localized social engineering messages to victims depending on their IP location. While at that time we had not yet encountered a crimeware kit for this threat, we have since seen it for sale on Russian underground forums. As seen in Figure 1, below, the ransomware crimeware kit is being sold under the name of Silence Of winLocker:

Figure 1. Russian forum advertising SilenceWinLocker (Babelfish translation)

Once purchased, the author offers a package which includes a builder for the ransomware Trojan.Ransomlock...

Samir_Patil | 26 Apr 2012 06:46:31 GMT

Symantec is intercepting a resurgence of spam attacks on popular brands. Spam messages that mimic the Wikipedia email address confirmation alert are the latest vector. These messages pretend to originate from Wikipedia and are selling meds, using the following subject line: “Subject: Wikipedia e-mail address confirmation”.

The spoofed Wikipedia page is a ploy to give legitimacy to the sale of meds online. The embedded URL in the message navigates to a fake online pharmacy site that is dressed up as a Wikipedia Web page. Furthermore, to give the email a legitimate look, the spammer has added the recipient’s IP address in the body of the spam mail. Needless to say this IP does not belong to the user.

Figure 1: Part of the spam message

khaley | 25 Apr 2012 18:19:22 GMT

It was the best of posts, it was the worst of posts. My apologies to Charles Dickens, but it seems to be the best way to describe two themes I see on Facebook wall posts these days. Let me show you some of the worst ones first:

Yes; these are scams, posted on Facebook users’ walls by bad guys as if they were legitimate messages. Blaming Facebook for scams is a little like blaming Al Gore for malware on the Internet. Even if Mr. Gore did invent the Internet, he certainly didn’t invite all those malware authors to join up. I addressed the attraction of Facebook to bad guys some time ago. Here’s the short version: malware authors target people, not computers. Lots of people are on Facebook; malware authors follow.

It all seems like bad news, doesn’t it? But it’s not. Here are some of the best posts...

Irfan Asrar | 24 Apr 2012 18:18:20 GMT

When pop icon Björk, in an interview with the press, invited hackers and pirates to adapt her app from iOS to other platforms, it seems that some people who rose to the call had a hidden agenda in mind: to distribute malware. The evil twin routine, where an author creates a malicious doppelganger or pirated version of a popular app, seems to be the in vogue scam of late when it comes to malware for Android.

Last week, authors in Eastern Europe were targeting the Instagram and Angry Birds fanbase with fake apps (detected by Symantec as Android.Opfake) which resulted in premium SMS text charges. The authors even went to the extent of creating a dummy site to make the scam appear more...

Mathew Maniyara | 23 Apr 2012 22:37:33 GMT

Phishers are constantly developing new strategies in an effort to trick end users. In April 2012, phishers created sites spoofing the Apple brand with fake offers for Apple discount cards. In this phishing attack, customers were targeted by region: namely, the UK and Australia.

The phishing sites mimicked the webpage of Apple and prompted customers for their Apple ID. The phishing page stated the customer’s long-term loyalty toward the brand gave them eligibility for an Apple discount card as a reward. Upon entering an Apple ID and clicking the “Next” button, the customer was redirected to a page that asked for more confidential information:

Here, the phisher explained that with a discount card worth 9 Australian dollars (rewarded to the customer), they can receive credit for...

Takashi Katsuki | 23 Apr 2012 21:28:51 GMT

Symantec Security Response, along with some other security vendors, recently reported the discovery of the OSX.Flashback malware, which exploits a vulnerability Apple has now patched. Many people may be surprised to learn the infection volume is reported at over 600,000 computers.

On a new front, we have recently identified new Java Applet malware, which uses the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) to download its payload. The attack vector is the same as the older one, but in this case the Java Applet checks which OS it is running on and downloads malware suited to that OS. This is explained further in the following illustration:


Peter Coogan | 20 Apr 2012 23:09:08 GMT

Ransomware is a threat that continues to grow in popularity with cybercriminals due to its success rate and monetary potential. In past blogs such as Rampant Ransomware we have discussed some different Ransomware variants and techniques. Now we have encountered yet another new variant identified as Trojan.Ransomlock.K.

While finding a new Ransomware variant is no real surprise, during analysis we found an active command-and-control (C&C) server login used by the threat.

Figure 1. Silence Locker Control Panel login

After further analysis and research we then identified a control panel...

Symantec Security Response | 17 Apr 2012 21:13:55 GMT

Today’s blog is a quick follow up to the OSX.Flashback.K issue. The statistics from our sinkhole are showing declining numbers on a daily basis. However, we had expected to see a greater decline in infections by now, and this has proven not to be the case. Currently, it appears that the number of infected computers has tapered off, but remains around the 140,000 mark.

Given that Symantec and other vendors have released tools for this threat in the past few days, the infection numbers should have seen a dramatic decrease by now. If you suspect that your Mac has been infected with OSX.Flashback.K, it is recommended to install the latest patches, ensure that your antivirus is up to date with the latest signatures, and...

Joji Hamada | 16 Apr 2012 07:36:33 GMT

Over the past week or so, there has been an ongoing discussion on the Internet about some Android applications that looked suspicious. Most of the apps were supposedly designed to mimic popular games in Japan or play a video in relation to the game. However, users who installed the apps questioned their legitimacy.

Symantec has so far identified 29 apps belonging to seven developers with these characteristics and has confirmed they are malicious. The apps share common programming code, so we can assume a single individual or organization is committing the crime. The very first app we confirmed appeared on Google Play around February 10, and more followed until late March. Originally the apps posted were not game related, but were random ones including apps of an erotic nature, a contact management app, a recipe app, and a diet assistant app, to name a few. But the number of downloads was low. Then in late March, a bunch of apps with names ending in “the Movie...