Security Response
Showing posts for August of 2012
Symantec Security Response | 30 Aug 2012 13:00:03 GMT

In October 2011, we documented a particular targeted attack campaign – The Nitro Attacks. In that instance, the attackers were primarily targeting chemical companies. Despite our work in uncovering and publishing the details behind the attacks, the attackers continued undeterred, even using our own report in their social engineering campaign!

The attackers have escalated their efforts, however. As discussed in our previous blog, a new Java zero-day vulnerability has been seen being exploited in the wild. We can confirm that some of the attackers behind this round of attacks are actually the Nitro gang.

The traditional...

Anand Muralidharan | 29 Aug 2012 16:10:25 GMT

Since mid-August, Symantec has been observing spam samples containing links with file extensions in the URLs. If these links are clicked they do not open any files; instead, they redirect the user to an online pharmacy website. The following file extensions are used in the URLs:

  • .asp
  • .doc
  • .htm
  • .html
  • .mp3
  • .mpeg
  • .pdf
  • .php
  • .txt

The following URLs were seen in spam samples examined by Symantec:

  • http:// [REMOVED].be/HOOK2_txt
  • http:// [REMOVED]
  • http:// [REMOVED].com/677115_php
  • http:// [REMOVED].com/686112_asp
  • http:// [REMOVED].ru/706060_mp3
  • http:// [REMOVED].ru/HOOK2_htm
  • http:// [REMOVED].ru/vern_html
  • http://[REMOVED].org/521862_pdf
  • http:// [REMOVED].com/139097_mpeg

Spam email examples:


Symantec Security Response | 29 Aug 2012 12:02:20 GMT

A new development observed in the sophisticated banking Trojan Trojan.Shylock highlights the ongoing evolution of this threat. Shylock, a threat first observed by Trusteer in September 2011, was named after a character in Shakespeare's play ‘The Merchant of Venice’ because quotes from the play were found in the original binary code. Symantec has now observed a new generation of this threat in the wild. This new generation of Shylock uses a social engineering trick for propagation along with a polymorphic packer that changes every time the threat is downloaded, in an effort to evade detection. These updates to Shylock are reported to be causing numerous problems relating to hidden files for Internet forum users.

The reported attacks all...

Symantec Security Response | 28 Aug 2012 11:25:11 GMT

Yesterday, FireEye documented a Java zero-day vulnerability (CVE-2012-4681) in the wild that is thought to have been used initially in targeted attacks. Symantec is aware that attackers have been using this zero-day vulnerability for at least five days, since August 22. We have located two compromised websites serving up the malware:

  • ok.[REMOVED].net/meeting/applet.jar
  • 62.152.104.[REMOVED]/public/meeting/applet.jar

One sample of malware downloaded by the exploit has been identified as 4a55bf1448262bf71707eef7fc168f7d (Trojan.Dropper). It has been observed with the following file names:

  • hi.exe
  • Flash_update.exe


Branko Spasojevic | 24 Aug 2012 16:03:05 GMT

Thanks to Peter Coogan for his assistance with this research.

Earlier this week Mandiant published a blog post discussing a new advanced persistent threat (APT) they found while investigating a potential compromise. Symantec detects the APT in question as Backdoor.Hikit, a Trojan that enables an attacker to gain control of compromised servers from a remote location.

Samples related to Backdoor.Hikit were first observed by Symantec in October 2011 when detection was added for a component of the threat as Trojan.Ascesso. Our investigation of this threat has since identified further samples of Backdoor.Hikit in the wild. Based on the timestamp information from the PE headers of Backdoor.Hikit samples, we can...

Masaki Suenaga | 24 Aug 2012 09:13:01 GMT

Microsoft Visual Basic 6.0 was developed in 1998, and more than a decade later many malware families written in Visual Basic are still running rampant. One of those is W32.Changeup, a polymorphic worm that comprises 25 percent of all malware written in Visual Basic.

In order to develop a better understanding of Changeup, I set out to analyze it in great depth. To do so, I had to manually decompile it as it could not be decompiled using decompiler tools. It’s also worth noting that Visual Basic programs require special knowledge to analyze, due to their flexible source code syntax. In particular, spotting variants and arrays is the key to precise analysis.

Once I completed analysis of the worm, I wrote a white paper that details my findings. In it, I describe how the worm calls Windows APIs, which...

Joji Hamada | 23 Aug 2012 23:18:38 GMT

When it comes to targeting the sexes, generally malware has targeted men by enticing them to view videos or pictures of sexual content—Android malware is no different. For instance, Android.Oneclickfraud attempts to coerce a user into paying for a pornographic service and certain Android.Opfake variants are designed to allow users to view adult videos, but secretly send SMS texts to premium-rate numbers in the background. Recently, however, Symantec discovered Android.Loozfon, a rare example of malware that targets female Android users.

A group of scammers is attempting to lure female Android users in Japan into downloading an app by sending emails stating how the recipient can easily make...

Bhaskar Krishna | 21 Aug 2012 21:12:17 GMT

As we are all aware, Adobe released security updates for Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh, and Linux. These security updates address the Adobe Flash Player CVE-2012-1535 Remote Code Execution Vulnerability that could cause the application to crash and potentially allow an attacker to take control of the compromised computer. Adobe has also stated that there are reports of the vulnerability being exploited in the wild in limited targeted attacks distributed through malicious Word documents.

We have observed these threats since August 10, 2012, and to-date we have successfully blocked more than 1,300 samples. The first sample...

Takashi Katsuki | 20 Aug 2012 21:37:24 GMT

Symantec reported new malware for Mac last month that we called OSX.Crisis. Kaspersky then reported that it arrives on the compromised computer through a JAR file by using social engineering techniques.

The JAR file contains two executable files, one for Mac and one for Windows. It checks the compromised computer’s OS and drops the appropriate executable. Both executables open a back door on the compromised computer. However, we found two special functions in the Windows version of the threat, which Symantec detects as W32.Crisis.

The threat uses three methods to spread itself: one is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device.


Lionel Payet | 20 Aug 2012 14:47:05 GMT

Thanks to Santiago Cortes for his assistance with this research.

Some samples exploiting the Adobe Flash Player CVE-2012-1535 Remote Code Execution Vulnerability through malicious Word documents have been captured. These samples were observed on Adobe Flash Player 11 ActiveX, version

The attackers spread the malicious Word documents through email and entice their victims with file names referencing Apple's iPhone.

The .doc files attached to the email contain hidden malicious .swf files. The .swf files then drop more files onto the compromised computer, which are then opened, for example:

  • %Temp%\~WRD0001.doc
  • %Temp%\Word8.0\ShockwaveFlashObjects.exd
  • %Temp%\Word8.0\ShockwaveFlashObjects.exd  ...