Security Response
Showing posts for October of 2012
Kazumasa Itabashi | 01 Nov 2012 07:44:18 GMT

W32.IRCBot.NG and W32.Phopifas

In a previous blog, my colleague Kevin Savage detailed a social engineering attack that utilized instant messaging applications. While the infection rates of W32.IRCBot.NG and W32.Phopifas have passed their peaks, the modules continue to be updated daily.

The infection routine of these threats has not changed since they were discovered, but the threat authors have added new file-hosting sites to use in order for the threats to be downloaded. W32.IRCBot.NG attempts to steal passwords that are used to log into the file-hosting sites from compromised computers. In addition, some modules are located on the servers of virtual server services and...

Samir_Patil | 31 Oct 2012 14:30:39 GMT

Hurricane Sandy, one of the most devastating superstorms in decades, hit the US East Coast. Having caused the loss of lives and businesses and left countless people without electricity, Sandy has now added spam to its list of misery. We are observing spam messages related to the hurricane flowing into Symantec Probe Networks. The top word combinations in message headlines are "hurricane – sandy", "coast – sandy", "sandy – storm", and "sandy – superstorm."

Figure 1. Message volume over a two-day period

Typical spam attacks, such as "Gift card offer" and "Money making & Financial" spam, are currently targeting the disaster. Below are screenshots of some spam samples.

Dinesh Theerthagiri | 30 Oct 2012 19:24:00 GMT

Zero-day (zero-hour or day zero) vulnerabilities are previously unknown vulnerabilities that have not been revealed publicly but are exploited by attackers. Discovering and exploiting zero-day vulnerabilities helps cyber criminals increase the success rate of their attacks. Attacks using zero-day exploits are tough to identify and analyze because in many cases information is not available until attacks have already occurred. There is practically no protection against zero-day attacks, as details of the vulnerability are usually a mystery when these attacks are first observed.

In a typical scenario, when a new vulnerability is found, the company that created the hardware or software is notified and works to produce a fix in a sensible time. A security vulnerability is a programming error that escapes the testing phase. Attackers can sometimes identify the bug, exploit it, and wrap up the exploit with a malicious payload to carry out zero-day attacks against targets of...

Samir_Patil | 30 Oct 2012 11:16:13 GMT

In a couple of days we will be celebrating Halloween. Some of us will be booking family trips, others will be preparing for themed parties with interesting costumes and fun games. To make it easy for their customers, various online companies offer goodies along with Halloween necessities. You might even receive emails from them regarding discounts and freebies. However, in the frenzy to get ready for this long-awaited event, do not get carried away if you suddenly see an out-of-this-world offer like the ones listed below.

While some organizations will offer reasonable discounts, others offer the sun and the moon in lieu of your purse or your personal details. Spammers have laid snares for unsuspecting Internet users ready to fall for these offers.

For example, you might decide to shop around for a new car this Halloween, or you might want to do some last-minute online purchases for your child. Spammers, keeping these needs in mind, have already prepared an array of...

Hiroshi Shinotsuka | 26 Oct 2012 11:26:15 GMT

According to the Symantec Internet Security Threat Report (ISTR), 400 million new variants of malware were created in 2011, which is an average of 33 million new variants of malware a month, or an average of one million new variants a day.

It is impossible to manually analyze such a large number of sample files, so it is necessary to use an automated threat analysis system to analyze sample behavior and prioritize the files for which virus definitions should be created.

By searching the Web, you can find services that execute files in a sandbox and show the behavior of those files, thus enabling you to see what a suspicious file does before you execute it on your computer.

Both systems execute the requested files in a sandbox and log system behavior.

If malware can hide itself from automated threat analysis systems, it can blend in with millions of sample files and antivirus applications may...

Takashi Katsuki | 23 Oct 2012 06:18:26 GMT

Last week we reported on a particular piece of malware—detected as Backdoor.Rabasheeta—that is making a stir in the Japanese media. There are hundreds, if not thousands, of back door malware families, but in the last week Japanese media and social networks have been full of discussions about this particular malware. Symantec has discovered the dropper.

Figure 1. Dropper and its contents

A dropper is a Trojan horse that installs a payload onto the compromised computer. The dropper for Backdoor.Rabasheeta drops a main module and a configuration file. The dropper creates a registry entry so...

Eric Park | 19 Oct 2012 17:01:26 GMT

Symantec is observing an increase in spam messages containing .gov URLs. A screenshot of a sample message is below:

Traditionally, .gov URLs have been restricted to government entities. This brings up the question of how spammers are using .gov URLs in spam messages.

The answer is on this webpage: is the result of a collaboration between and, the popular URL shortening service. Now, whenever anyone uses bitly to shorten a URL that ends in .gov or .mil, they will receive a short, trustworthy URL in return.

While this feature has legitimate uses for government agencies and employees, it has also opened a door for...

Peter Coogan | 15 Oct 2012 20:58:12 GMT

Last year Symantec reported on the use of the Windows Help File (.hlp) extension as an attack vector in targeted attacks. Symantec telemetry is now increasingly seeing this attack vector being used in targeted attacks against industry and government sectors. The nefarious WinHelp files being used in these targeted attacks are detected by Symantec as Bloodhound.HLP.1 and Bloodhound.HLP.2.

Figure 1. Zip file attachment with malicious ....

Symantec Security Response | 15 Oct 2012 15:37:48 GMT

In our joint analysis of a W32.Flamer command-and-control (C&C) server, as documented here, we described several C&C server protocols present in code on the server. One of those protocols we knew was associated with W32.Flamer. The other remaining protocols had not previously been observed in the wild, and no samples were retrieved that used them.

Figure 1. Protocols present on W32.Flamer C&C server

The samples appear to have remained unobserved for so long due to their highly targeted nature. However, one more of those protocols has now been identified and found to be in use. That protocol is for a module that can operate...

Joji Hamada | 11 Oct 2012 05:28:10 GMT

News broke over the weekend in Japan that police had arrested three people over the past few months in relation to death threats being posted on bulletin boards and sent through email. However, it was also reported that the suspects were subsequently released without charge due to the discovery of a particular malware infection on all of the suspects' computers, which is believed to have been used to make the threats. Examples of the threats include a posting to a government website stating that the person posting the threat will commit mass murder in a popular shopping area; a posting to an Internet forum saying that he/she will blow up a famous shrine; an email sent to an airline company threatening to use a bomb to destroy an aircraft; and an email threatening the kindergarten attended by a child of the royal family. Police are currently investigating the connection between the threats and the malware.

From our analysis, we have confirmed that the malware is...