Security Response
Showing posts for September of 2012
Mathew Maniyara | 28 Sep 2012 14:48:20 GMT

Contributor: Avdhoot Patil

Phishers have recently gained a lot of interest in football. After the scam on the 2014 FIFA World Cup, they have set their eyes on footballer Lionel Messi. In September 2012, Symantec observed the use of various social-networking themes in phishing. A number of these themes featured Lionel Messi. The phishing sites were hosted on free web-hosting sites.

In the first example, the background image of the phishing site was of Lionel Messi and the theme promoted the football club Barcelona FC. The legitimate social-networking site in question, on the other hand, does not offer users any theme. End users were prompted to log in in order to gain access to Messi’s social-networking page. Of course, this is only a ploy, and users gain nothing from a phishing site. After the login credentials are entered, the phishing site redirected to the...

Joji Hamada | 28 Sep 2012 07:21:33 GMT

On September 27, Adobe posted a blog stating that the company is investigating the inappropriate use of an Adobe code signing certificate for the Windows operating system. Symantec is aware of this issue and has added protection to detect any unauthorized file signed by the Adobe certificate in question as Trojan.Abe. We are currently aware of two utilities totaling three files that appear to come from one particular source signed by this certificate. One is a password dump tool that is available publicly and another is an ISAPI filter that redirects internet traffic on a Web server that, to our knowledge, is not publicly available. Details of the files are listed below:

MD5 hash: 130F7543D2360C40F8703D3898AFAC22

Joji Hamada | 25 Sep 2012 17:03:35 GMT

The authors of Android.Enesoluty have added another app to their repertoire. The new app is called “Safe Virus Scan” in Japanese, and as the name suggests, it is supposed to function as an antivirus app. However, as you might have guessed, it does not contain any antivirus functionality and the only action it performs is to steal personal data.

Previous variants displayed messages stating that the app was incompatible with the device. However, unlike its predecessors, this app appears as though it actually functions as advertised.

Figure 1. Fake scan run by malicious app

By the time the scan is complete, the app has...

Andrea Lelli | 20 Sep 2012 14:29:21 GMT

The popular Blackhole Exploit Kit has gained a lot of media attention recently when its author announced the imminent release of version 2.0, boasting a list of new interesting features. Recently we were very surprised when we found a website hosting what is supposed to be version 2.0 of the Blackhole Exploit Kit. Naturally, we started investigating and soon discovered that something about the website was not right.

Figure 1. The (suspicious) statistics page of the exploit kit

Looking at Figure 1, you can see a label at the bottom of the page clearly saying Blackhole v.2.0, but apart from this difference, the rest of the page looks very similar to the old version:

Figure 2. The statistics page of the old version of the...

Satnam Narang | 19 Sep 2012 22:21:45 GMT

Contributor: Jeet Morparia

A few weeks ago, we wrote about the Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2012-4681) being used in a targeted attack campaign by the Nitro attackers. Recently, we have discovered another group exploiting this vulnerability in the wild: the Taidoor attackers.

The Taidoor attackers began utilizing the vulnerability when the proof of concept (POC) began to circulate. On August 28, we discovered the malicious file Ok.jar (Trojan.Maljava!gen24) exploiting the CVE-2012-4681 vulnerability. If successfully exploited, an executable payload, Javaupdate.exe, will be dropped...

Flora Liu | 18 Sep 2012 21:50:05 GMT

Designed in 2007 and introduced in late 2009, the Go programming language developed by Google has been gaining momentum over the past three years. It is now being used to develop malware. Recently seen in the wild, Trojan.Encriyoko is a new threat with components that are written in Go. The Trojan attempts to encrypt various file formats on compromised computers, rendering the encrypted files unusable.

The original sample we acquired, a file named GalaxyNxRoot.exe, is actually a dropper written in .NET which disguises itself as a rooting tool to trick users into installing it.

Figure 1....

Branko Spasojevic | 17 Sep 2012 19:27:12 GMT

Contributor: Lionel Payet

Eric Romang has released a blog about the Microsoft Internet Explorer Image Arrays Remote Code Execution Vulnerability, a possible zero-day vulnerability in Internet Explorer that is being exploited in the wild. Microsoft has confirmed this vulnerability affects Internet Explorer 9, Internet Explorer 8, Internet Explorer 7, and Internet Explorer 6 browsers.

The exploit is made up of four main components:

  1. The Exploit.html file is the starting point responsible for setting up the exploit. After setting up necessary conditions for the vulnerability it will invoke the Moh2010.swf file.
    • Symantec detects this stage as...

Joji Hamada | 17 Sep 2012 15:24:10 GMT

Android.Sumzand, currently one of the most active malware programs in Japan, has recently transformed itself into the “Sun Charger” app. Advertised through spam, this series of variants pretending to be apps that allow mobile devices to be charged by holding the display towards the sun has been quite successful in stealing contact details from a large number of users. As the scammers collect large volumes of data stored on the devices, they send more spam advertising the fake apps to the email addresses they have acquired. The number of spam recipients is increasing exponentially with each passing day.

Because this particular spam campaign has become so huge, it is a heavily discussed topic on Internet forums and social-networking sites. Some users question if anyone would even fall for the trick, whilst others who have never received spam in the past are...

Symantec Security Response | 17 Sep 2012 13:03:57 GMT

W32.Flamer is a sophisticated cyber espionage tool which targeted the Middle East. News of its existence hit the headlines earlier in 2012. Symantec has performed a detailed forensic analysis of two of the command-and-control (C&C) servers used in the W32.Flamer attacks earlier this year.

The servers were set up on March 25, 2012, and May 18, 2012, respectively. On both occasions, within only a few hours of the server being set up, the first interaction with a computer compromised with Flamer was recorded. The servers would go on to control at least a few hundred compromised computers over the next few weeks of their existence.

The analyzed servers contain the same control framework, but they were used for distinct purposes. The server that was set...

Mathew Maniyara | 13 Sep 2012 20:09:55 GMT

Co-Author: Ashish Diwakar

The next FIFA World Cup is scheduled to take place in June 2014 in Brazil and phishers have already taken the opportunity to promote the event. World Cups are a favorite of phishers, as observed in the phishing sites focused on the 2010 FIFA World Cup and the 2011 Cricket World Cup. In September 2012, phishing sites spoofed a popular Brazilian credit and debit card company using the 2014 FIFA World Cup as bait.

The phishing sites were in Brazilian Portuguese. A number of the phishing sites featured Brazilian footballer Neymar da...