Security Response
Showing posts for June of 2012
Symantec Security Response | 29 Jun 2012 13:44:24 GMT

In a global sting operation carried out by the FBI, over 24 people have been arrested, including an individual named Michael Hogue, a.k.a. "xVisceral". According to an underground forum post, xVisceral is involved in the Blackshades project, at the very least as a project manager. It is likely, however, that this Remote Access Tool (RAT) is the work of more than one individual.

"MICHAEL HOGUE, a/k/a "xVisceral," offered malware for sale, including remote access tools ("RATS") that allowed the user to take over and remotely control the operations of an infected victim-computer.  HOGUE's RAT, for example, enabled the user to turn on the web camera on victims' computers and spy on them, and to record every keystroke of the victim-computer's user.  If the victim visited a banking website and entered his or her user name and password, the key logging program could record that information, which could then be...

Costin Ionescu | 27 Jun 2012 21:25:13 GMT

Android malware has evolved markedly in the last few years, and it often follows in the footsteps of PC-based malware, except that it does so at an accelerated pace.

Often, malicious apps gain control of a system in several steps, using different modules. There is typically only one initial module which, once it gets executed, either drops some embedded modules or downloads other modules and installs them to achieve its full range of mischievous behavior.

On the Android platform, users have limited visibility into what they are installing, especially when side-loading (i.e. manually installing packages or installing from non-official app markets). This is why most Android malware that carries other malware does the embedding in the simplest way possible: it simply includes the payload either as a raw resource or as an asset in its own package.

This used to be the case for PC-based malware when simple Trojan horse programs (often called “...

Alan Neville | 27 Jun 2012 10:30:47 GMT

Symantec has become aware of a new Distributed Denial of Service (DDoS) crimeware bot known as "Zemra" and detected by Symantec as Backdoor.Zemra. Lately, this threat has been observed performing denial-of-service attacks against organizations with the purpose of extortion. Zemra first appeared on underground forums in May 2012 at a cost of €100.

Figure 1. Zemra offered for sale on an underground forum

This crimeware pack is similar to other crime packs, such as Zeus and...

Samir_Patil | 26 Jun 2012 23:04:58 GMT

Last week I was jolted with a mail that says:
My first reaction was: "Did I ever interview or converse with any such person? Then why am I receiving this email?". I immediately began analyzing the email and found that it is nothing but a variant of a Hitman spam which tries to threaten the user after initiating a conversation and then extorts money in the bargain.

The spam mail in question is a reply to an email thread that the recipient never received or replied to. (The spam message nevertheless claims that the recipient was part of an email exchange a few months back.) The email comes with an attachment purporting to contain the candidate's resume. Surprisingly, the attachment has no...

Nick Johnston | 26 Jun 2012 21:29:45 GMT

The Blackhole exploit kit has been extensively covered by Symantec for some time. As a brief reminder, like other exploit kits such as Phoenix, people using Blackhole compromise a legitimate site, inserting malicious and highly obfuscated JavaScript code into the site's main page. To evade detection and avoid attracting suspicion, the rest of the page (and indeed site) is left untouched.

When an unsuspecting user browses to a Blackhole-infected site, their browser runs the JavaScript code, which typically creates a hidden iframe. That iframe silently exploits vulnerable browser plug-ins and drops malware onto the user's system. Blackhole typically targets vulnerable versions of Java, Adobe Flash Player, Adobe Reader, Windows Help Center, and other applications. These attacks are often called drive-by downloads.

Irfan Asrar | 22 Jun 2012 21:27:23 GMT

A security researcher from Germany released an Android application on Google Play that can read contactless credit card data over the air for a limited set of cards. Contactless credit cards can typically be used without a PIN for transactions under €10 by simply holding the card near a point-of-sale terminal.

The Android application, which Symantec detects as Android.Ecardgrabber, attempts to read this data using a communication protocol called Near Field Communication (NFC), a technology present on the latest smartphones. The app was posted on Google Play on June 13 and was downloaded 100-500 times before removal.

Symantec Security Response | 21 Jun 2012 15:22:20 GMT

Over the past two weeks, an outbreak of Trojan.Milicenso has resulted in multiple reports of massive print jobs being sent to print servers, printing garbage characters until the printer runs out of paper. Our telemetry data has shown that the worst-hit regions were the US and India, followed by regions in Europe and South America. We originally encountered Trojan.Milicenso in 2010, and our initial investigation showed that it was essentially a malware delivery vehicle for hire. The payload most commonly associated with this latest version is Adware.Eorezo, adware targeting French-speaking users.

Figure 1. Telemetry data...

Karthikeyan Kasiviswanathan | 20 Jun 2012 21:32:25 GMT

Thanks to Andrea Lelli for assistance with this research.

Following on from the exploitation of the Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875) detailed in our previous blog, Symantec has also observed continued exploitation of the Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability (CVE-2012-1889) in the wild. This vulnerability involves one of the functions of the MSXML object found in Internet Explorer. The issue allows access to uninitialized memory locations, which can result in arbitrary code execution.

We have seen attempts to spread malware through the injection of malicious iframes on legitimate websites. These iframes load the exploit code into a...

Symantec Security Response | 19 Jun 2012 18:09:40 GMT

Malware called DNSChanger has been, and continues to be, in the news and for very good reason. A whole lot of people stand to lose their Internet connectivity if they don’t take action before July 9. One of our concerned customers posed Symantec Security Response a number of questions recently in regards to what this threat is, how it works, and what it ultimately means to them (and other users like them). The following are the questions put to us with our responses.

Norton User: What is this DNSChanger making news at the moment?

Symantec Security Response: It is malware that changes the Domain Name System (DNS) settings on the compromised computer, hence the name.

NU: What are these DNS settings and how do they affect me?

SSR: DNS is an Internet service that converts user-friendly domain names into the numerical...

Karthikeyan Kasiviswanathan | 19 Jun 2012 09:22:46 GMT

Thanks to Parveen Vashishtha for his assistance with this research.

Microsoft's Patch Tuesday has been very interesting this month. Symantec has observed the exploitation of a couple of client-side vulnerabilities in the wild. This blog will concentrate on one of them, the Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875), which was actively exploited even before Patch Tuesday.

We have observed this vulnerability being served through various sites using multiple injected iframes. These iframes are responsible for seamlessly delivering the exploit to unsuspecting users. Figure 1 depicts some of the iframes that have been injected into legitimate websites.