Security Response
Showing posts for July of 2012
Alan Neville | 31 Jul 2012 17:54:23 GMT

Co-Author: Peter Coogan

Earlier in 2012, a patch was issued to correct a potential vulnerability in Parallels Plesk Panel version 10.3 or earlier, helping prevent unauthorized access to the website control panel. While it is believed that this potential vulnerability is now patched, administrators who have applied this fix may already have been the victim of a compromise and had their login credentials stolen. Best security practice would be for administrators using Parallels Plesk Panel 10.3 or earlier to ensure they have up-to-date patches and to change any login credentials that may have been exposed as a result of this vulnerability. They can learn more by reading Securing Parallels Plesk Panel: Best Practices to Prevent Threats.

Reports stated that, following a compromise, heavily obfuscated JavaScript is injected into HTML pages on the server. Once...

Joji Hamada | 31 Jul 2012 17:49:40 GMT

Symantec has continuously observed targeted attacks in the wild since around mid-July that utilize password-protection of malicious Excel spreadsheet files. Coincidentally, all of the samples that we have analyzed so far use the 4-digit password “8861”, which is provided within the body of the email containing the Excel file attachment. So why “8861”, you may ask? I couldn’t figure out if it has any meaning, but if someone out there is aware of the significance of this number, please send us a note. The name of the file, the content of the spreadsheet, and the malware that is dropped onto the computer all vary from sample to sample.

This is not the first time that passwords have been used for targeted attacks. In fact, back in December 2011, I blogged about document files using the same...

Masaki Suenaga | 27 Jul 2012 20:05:34 GMT

A BlackHole Exploit Toolkit sample that exploits the Oracle Java SE CVE-2012-1723 Remote Code Execution Vulnerability was released in the beginning of July 2012.

The vulnerability exists due to “type confusion” between a static variable and an instance variable. A static variable is shared by all instances of a class, whereas an instance variable exists only within an instantiated object of that class. In the sample, the class defines many variables:

class C2 {
  static ClassLoader static_field;

  C3 f0;
  C3 f1;
  C3 f2;
  // ... continues to f99
  C3 f99;
}

Symantec Security Response | 27 Jul 2012 16:13:57 GMT

In today's threat landscape the lines between legitimate cyber-investigation tools and spying tools are becoming ever more blurred. In recent days, the discovery of two different threats has highlighted this point. Intego, in a blog, has discussed the Mac OS Trojan called "Crisis", which is part of an advanced covert surveillance tool that is for sale online and is marketed towards governmental cyber investigation needs. This threat is detected by Symantec as OSX.Crisis and examined in a previous blog. Meanwhile, has blogged about FinFisher, another...

Joji Hamada | 27 Jul 2012 11:19:26 GMT

Earlier in the week, I blogged about Android.Ackposts, which is malware used to harvest email accounts on compromised devices, and in that blog I mentioned that malware targeting contact data on smartphones is becoming a popular trend. The discovery of Android.Maistealer again confirms our view, and users really need to be careful when apps ask for permission to read contact data.

The installation of Android.Maistealer requests the following permissions:

The key permission here is “Your personal information—read contact data.” This permission allows contact details stored in the phone’s contacts to be read, but this app has absolutely no legitimate reason to request this. “Storage...

Symantec Security Response | 27 Jul 2012 02:44:51 GMT

A new Macintosh malware is making the rounds.

For the first half of 2012, we have seen an increase in the number of Mac-based threats: the OSX.Flashback.K variant appeared, OSX.Sabpab was newly discovered, and OSX.Macontrol surfaced with a new variant.

As we begin the second half of 2012, we would like to introduce you to a new instance of Mac malware: OSX.Crisis.

OSX.Crisis is a Trojan that installs a back door on compromised OSX systems. At the time of writing, we are not seeing this threat in the wild. We believe that the infection vector may rely primarily on social engineering to be installed and at this...

Mathew Maniyara | 25 Jul 2012 21:25:45 GMT

Co-author: Avdhoot Patil

Phishing sites using celebrities as bait are on a rampage. In July 2012, Honey Singh, also known as Yo Yo Honey Singh, a popular Indian rapper, singer, music producer, and actor was featured on phishing sites. Symantec observed several phishing sites that spoofed a social networking brand that claimed to have an application for Honey Singh. The phishing sites were hosted by a free web hosting service.

The phishing sites promoted Honey Singh’s 2011 album, International Villager. A poster of the album's artwork was displayed on the left side of the phishing page and the login form was displayed on the right side. The phishing sites claimed to have an application that enabled users to listen to the Punjabi star's latest songs and videos. As with most applications on social networking sites, the application made a request to the user before allowing access. After a user's login credentials were entered into the phishing...

Joji Hamada | 24 Jul 2012 18:13:09 GMT

As it has been a little over a month since I blogged about the arrest of the Android.Oneclickfraud gang and how the sister apps were still alive, I wanted to take some time to give you an update on the recent activities involving the two sister apps. Unfortunately, the two sites hosting the apps are still healthy and active. The gangs maintaining the sites reacted quickly to the publication of the blog last month by fixing the security issues on the websites, although some holes still remain. Interestingly, one site is more secure than the other, which leads me to believe that separate administrators are maintaining the sites. In fact, the sites may well be operated by two different groups.

The groups also appear to have been scrambling to update their sites in various ways, possibly to avoid prosecution, as there have been a number of notable activities taking...

Joji Hamada | 23 Jul 2012 22:19:40 GMT

An issue that many smartphone users have with their phones is that the device battery just does not last long enough; it needs to be recharged. While the battery may last a whole day for some, power users who use their phone more often have to come up with various tricks to get their battery to last a full day. There are many ways to reduce battery use and, of course, there are many apps to help maximize battery performance. These do help—but for many they do not solve the issue.

So what if, one day, you find out about a special app that can reduce battery use by half? Exactly. This is the strategy being used to deceive innocent Android users into installing an app that is supposed to reduce battery use, but in reality does nothing but steal the user's contacts data stored on the device.

Recently, Japanese spam email has been circulating attempting to lure users into clicking on a link which downloads and installs a malicious app. The app can exfiltrate...

Pavlo Prodanchuk | 23 Jul 2012 16:03:01 GMT

Recently, Symantec has observed an increase in .eu domains contained within pharmacy and dating spam messages. The spam emails observed so far are predominantly in the German language. The specific patterns and characteristics demonstrate that the attacks employ a "hit-and-run" technique.

In "hit-and-run" attacks, spammers quickly rotate through the IP addresses and domains that are being used. Unlike 80% of spam attacks, these messages are not sent from botnets of compromised computers, but from mail server IP addresses with a previously unknown reputation.

Recent data obtained from the Symantec Global Intelligence network shows that the number of spam emails that contain .eu domains increased slightly in the first and third week of June. Furthermore, the number of spam emails containing .eu domains written in the German language increased considerably in the last week of June.