Security Response
Showing posts for December of 2012
Symantec Security Response | 31 Dec 2012 21:38:44 GMT

In a recent blog, Symantec reported on a new Internet Explorer zero-day being actively exploited in the wild. Microsoft has since released Security Advisory 2794220, confirming that the Microsoft Internet Explorer 'CDwnBindInfo' Use-After-Free Remote Code Execution Vulnerability (CVE-2012-4792) is a zero-day vulnerability affecting Internet Explorer 6, 7, and 8.

The following Q&A briefly outlines what is known about the watering hole attack, the Internet Explorer zero-day, and the protection Symantec has in place.

What is a watering hole attack?

A watering hole attack is a method of targeting sites which are likely to be visited by targets of...

Symantec Security Response | 30 Dec 2012 00:27:55 GMT
We have received multiple reports of a new Internet Explorer zero-day vulnerability being exploited in the wild. Initial reports indicate that the website used in these attacks belongs to a U.S.-based think tank. The site is believed to have been compromised and used to serve the zero-day exploit as part of a watering hole style attack as far back as December 21.
A Flash file named today.swf was used to trigger the vulnerability in Internet Explorer. The Flash file is detected as Trojan.Swifi, and protection has been in place for our customers since December 21. Further details and analysis will be provided soon.
We have carried out in-depth research into watering hole style attacks dating back to 2009. That research and analysis is contained in a paper named...
Jeet Morparia | 25 Dec 2012 00:18:58 GMT

We have blogged in the past about ransomware being a growing menace and that ONE SHOULD NOT PAY THE RANSOM if affected. Ransomware has now reared its ugly head once again. The authors of Trojan.Ransomlock.G (a.k.a. Reveton) have updated their lock screen to induce panic and blackmail the user into paying the ransom.

Recently, blogger Kafeine found a ransomware sample which threatens to format and wipe all the documents on the compromised system if the user attempts to unlock the computer manually.


Mathew Maniyara | 20 Dec 2012 23:17:48 GMT

Contributor: Avdhoot Patil

Phishers are known for incorporating current events into their phishing sites and never leaving any stone unturned. They are now capitalizing on the civil war in Syria. In December 2012, a phishing site spoofing a popular social networking site claimed to have a torture video of a prisoner in the Syrian prison, State Security Branch Khatib. Phishers compromised a legitimate domain based in the United Arab Emirates to host the phishing site. The phishing pages were in Arabic.

The title of the phishing site translated to “Liberal torture in the State Security Branch Khatib”. The site warned that the video contained scenes of violence and asked users for their permission before proceeding. After permission had been granted, users were prompted to enter their login credentials. The login credentials were allegedly required to confirm that the user was over 18 years of age. After the login credentials had been entered, the...

Fred Gutierrez | 20 Dec 2012 21:33:27 GMT

Contributor: Alan Neville

Almost a year ago we added detection for a low prevalence Trojan found on servers belonging to financial institutions, including banking firms and credit unions. The Trojan also compromised home computer users and computers at security firms. For easier identification and tracking we recently renamed this threat to Trojan.Stabuniq.

Figure 1. Trojan.Stabuniq distribution by type

Approximately half of unique IP addresses found with Trojan.Stabuniq belong to home users. Another 11 percent belong to companies that deal with Internet security (due, perhaps, to these companies performing analysis of the...

Symantec Security Response | 20 Dec 2012 00:07:18 GMT

The recent discovery of an Android SMS spam botnet by Cloudmark, detected by Symantec as Android.Pikspam, has gained media attention. While spam delivered by botnets is nothing new, mobile technology has opened up new attack vectors to cybercriminals, who are applying the proven techniques of social engineering and spam with success on mobile devices.

The attack consists of SMS messages advertising free versions of popular games, or possibly to inform you that you have won a prize. Unsuspecting victims who receive the text messages and follow the link can download a Trojanized app from a third-...

Mathew Maniyara | 19 Dec 2012 18:35:45 GMT

Fake applications offered by phishing sites continue to appear. In December 2012, a fake app was seen that was titled "Facebook 2013 demo". Social networking users in India were most likely the targets of this phishing attack because the phishing URL contained certain Hindi words. The phishing site was hosted on a free Web-hosting site.

The phishing site spoofed the login page of Facebook and the page contents were altered to promote the fake application. A message in the phishing page stated that users could use their existing Facebook accounts to access the application and that they did not need to create a new account. Of course, such a message was added to the phishing page because phishers wanted users to enter their primary login credentials. Towards the right hand side of the phishing page there were instructions on how to access the application. The poorly worded phishing page explained the instructions in three steps, along with a note. The first two...

Val S | 19 Dec 2012 11:02:47 GMT

Not so long ago, aspiring bot-herders, who wanted to get started with a botnet of their own, would have to hang out in the right circles or learn how to make one themselves. If they hung out in the right circles they would be provided with guidance and documentation to get started. If they were creative enough and had enough time and skill they could create their own from scratch.

But what if they didn’t have this skill set, or didn’t hang out in the right circles? Just like everything else, they could pay to have someone do it for them. The following examples of crimeware kits for sale have been found in various places on the Internet. For various reasons, including not wanting to enable the practice of crimeware, as well as legal issues, we cannot confirm that the items being sold are legitimate. Some have the characteristics of a scam due to inaccuracies in the description (old versions being touted as new) or pricing that does not reflect the going market rate.


Symantec Security Response | 16 Dec 2012 21:30:57 GMT

On December 16, 2012, CERTCC-IR posted an advisory regarding a new threat, Trojan.Batchwiper, that wipes disks. We have recovered samples matching the hashes mentioned in their advisory and, based on preliminary analysis, can confirm their findings.

The samples are not sophisticated. They wipe any drives with the drive letters D through I, along with the files on the currently logged-in user’s Desktop. After deletion, the threat runs Chkdsk on the affected drives. The wiping only occurs on the following dates:

  • 12/10/2012
  • 12/11/2012
  • 12/12/2012
  • 01/21/2013
  • 01/22/2013
  • 01/23/2013
  • 05/06/2013
  • 05/07/2013
  • 05/08/2013
  • 07/22/2013
  • 07/23/2013
  • 07/24/2013
  • 11/11/2013...
Mathew Maniyara | 14 Dec 2012 23:10:35 GMT

Contributor: Avdhoot Patil

Fake social media applications in phishing sites are not uncommon. Phishers continue to devise new fake apps for the purpose of harvesting confidential information. In December 2012, a phishing site (spoofing Facebook) claimed to have an application to secure Facebook accounts from being hacked. The phishing site was hosted on a free Web-hosting site.

The phishing site required users to enter their Facebook login credentials to gain access to the fake security app. In addition to their Facebook login credentials, users had to enter a confirmation code generated by clicking a button. Phishers likely believe that asking users to enter a confirmation code, and stating that the app is certified while displaying a fake Facebook stock certificate, will make the fake app page seem more authentic. Still, it is hard to understand how a sample stock certificate has any relevance to security on Facebook.