Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts for May of 2012
Showing posts in English
Symantec Security Response | 31 May 2012 23:29:02 GMT

W32.Flamer is possibly the only Windows based threat we have encountered which uses Bluetooth. It is yet another indicator that W32.Flamer is not only exceptional, but that it is a comprehensive information gathering and espionage tool. The CrySyS laboratory has previously documented the technical details of Bluetooth in W32.Flamer. But, what does this actually mean for potential victims targeted by Flamer? What can an attacker accomplish using Bluetooth?

The Bluetooth functionality in Flamer is encoded in a module called "BeetleJuice". This module is triggered according to configuration values set by the attacker. When triggered it performs two primary actions:

  1. The first is to scan for all Bluetooth devices in range. When a device is found, its status is queried and the details of the device recorded...
Mathew Maniyara | 31 May 2012 22:32:49 GMT

Co-Author: Avdhoot Patil

Lottery scams are not new to the world of phishing, so phishers are always seeking new fake lottery strategies. Phishers gained interest in schemes that involved donating to charity using lottery prizes. They utilized the idea in a phishing site which claimed that a popular bank was organizing a lottery for its customers and that a portion of the prize money would be donated to charity. Phishers believed that customers would be duped by the twin advantages: winning prizes and donating to charity. The phishing site was hosted on servers based in Iowa Park, USA.

A link to login was provided on the phishing site urging customers to enter their credentials. The link lead the customers to a phishing page that prompted the customer for their name, ticket number, and email address:
 

...

Joji Hamada | 31 May 2012 03:20:04 GMT

We have recently encountered a fortune teller app that isn’t just trying to forecast the future; it is also stealing user information—and not to predict good fortune for the user. Last week, the Information-Technology Promotion Agency, Japan (IPA) issued a security warning about the discovery of yet another Japanese Android app that extracts personally identifiable information (PII). In April, at least 29 malicious apps (we have reasons to believe that the total number of apps could possibly be twice this) were discovered on Google Play. The malicious apps exported not only PII about the mobile device owner, but also the details of people listed in the phone’s contacts. You can read more about this information stealing in this Symantec blog.

Symantec has confirmed that the fortune teller app also performed the same information stealing as...

Symantec Security Response | 30 May 2012 21:45:27 GMT

The number of different components in W32.Flamer is difficult to grasp. The threat is a well designed platform including, among other things, a Web server, a database server, and secure shell communications. It includes a scripting interpreter which allows the attackers to easily deploy updated functionality through various scripts. These scripts are split up into 'apps' and the attackers even appear to have something equivalent to an 'app store' from where they can retrieve new apps containing malicious functionality.

To get an idea of how all these components fit together, the best place to start is a file called mssecmgr.ocx. This is W32.Flamer's main file and it is the first element of the threat executed by an infected computer. The file mssecmgr.ocx contains a large number of sub-components. A breakdown of the various components and how...

Symantec Security Response | 28 May 2012 13:32:58 GMT

Over the past few days, we have been analyzing a potential new threat that has been operating discreetly for at least two years. We were contacted about this threat by Crysys who have released their own analysis. (The threat is referred to by CrySys as 'Skywiper'). There are indications that W32.Flamer is also the same threat as described recently by the Iranian national cert. Our analysis of the retrieved samples reveals complex code that utilizes several components. At first glance, the executable appears to be benign but further inspection reveals cleverly concealed malicious functionality.

The complexity of the code within this threat is at par with that seen in Stuxnet and...

Andrea Lelli | 24 May 2012 21:55:40 GMT

A number of days ago, we observed a new variant of the W32.Xpaj.B virus and we blogged all of the initial details about its new features and how the outbreak sample is the patient zero of the infection. We have now done more analysis and the conclusion is in: there is no outbreak and W32.Xpaj.B is not coming back, at least for now.

From the analysis we uncovered the following:

  • Samples infected by patient zero do not have the capability to infect other samples
  • A 64-bit kernel mode payload injects a Dynamic-Link Library (DLL) into the target processes, but the DLL is empty
  • Infected samples do not carry a copy of the virus body from patient zero, but they are infected with a substantially smaller version of the virus...
Symantec Security Response | 24 May 2012 12:12:33 GMT

Analysis by: Hiroshi Shinotsuka

Recent malware campaigns that used Tibet-related issues as bait have been well documented and it should come as no surprise that we have seen another Tibetan-themed attack using a malicious Word document. The emails involved in the attack are in English and were sent to a clothing company in the United States.

While they appear to come from Tibet-related organizations, the email headers revealed that they were sent from a mail server in Russia.

Recently, we discovered a file that differs to other malware in that it uses a well-known graphics card manufacturer’s legitimately signed program as an attack vector.

After opening the attached document file, a vulnerability—CVE-2012-0158...

Val S | 23 May 2012 23:08:34 GMT

Contributor: Branko Spasojevic

A recent post on Pastebin revealed that a simple command can provide root access to the ZTE Score mobile device. This escalation of privilege can give you full control of a ZTE Score M phone running Android 2.3.4 (Gingerbread). We analyzed both the MetroPCS and Cricket Wireless versions of the device and we were able to reproduce the privilege escalation.

The Android security model sandboxes applications so they cannot interact with other applications nor directly perform system level commands without specific authorization preventing undesired affects. The privilege escalation allows one to bypass the default Android security model and run any code on the device and make any modifications unchecked.

The privilege escalation was not a bug in code on the device, but instead likely a design feature for carrier administration purposes or troubleshooting. Unfortunately, irrespective of the reason this code was included, by...

Paresh Joshi | 21 May 2012 11:52:55 GMT

For anti-spam software, it is quite easy to prevent spam by using content-based filters. So spammers come up with different obfuscation techniques to bypass URL-based filters such as inserting “shy characters”, as we have discussed previously. Recently, spammers have been trying to cash-in on the smallest of gaps that they could find in conventional anti-spam technologies. Spammers are now attempting to obfuscate the URLs in spam messages, either by inserting white space characters of varying sizes or by replacing the conventional “.” (dot) character by “。” (An ideographic full-stop, mostly used in Asian languages)

How did they do it? Let’s take a look at both of these techniques.

Using different size white space characters is allowed in HTML. All languages use spaces to separate words. However, the size of the white space characters...

Takashi Katsuki | 18 May 2012 21:24:20 GMT

W32.Wergimog is a worm that attempts to spread through removable drives and opens a back door. When I looked into its variants, I found an interesting sample, which I named W32.Wergimog.B. Both samples are based on the same source code, but the .B variant contains even more interesting functionality that I would like to detail here.
 

For legitimate applications

W32.Wergimog.B injects itself into legitimate applications, such as Internet Explorer and Mozilla Firefox, as shown in Figure 1.
 

Figure 1. Threat injects itself into certain applications and...