Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts for February of 2013
Showing posts in English
Val S | 27 Feb 2013 17:07:42 GMT

Adobe Flash is one of the most widely distributed products on the Internet. Because of its popularity and global install base, it is often a target of cybercriminals. Cybercriminals are using social engineering methods to distribute their malware through fake Flash update sites, often compelling unsuspecting users, who may be in need of a software update, to unknowingly install malware.

Recently, we came across the following site masquerading itself as an Adobe Flash Player update page:


Figure 1. Fake Adobe Flash update page

The attacker has created what appears to be a rather convincing landing page; however, there are a few inconsistencies. Most of the links resolve back to the attacking domain and all of the links within the page—besides the link to the malware itself...

Evan liu | 27 Feb 2013 05:20:56 GMT

Major events and holidays have always been a time for celebrations. Unfortunately, it also attracts unscrupulous spammers searching to make a quick offer. Symantec observes that spam email usually spikes in conjunction with these holidays.

One such occasion is Defender of the Fatherland Day observed on February 23, which is a Russian holiday in countries of the former Soviet Union, such as Belarus and Tajikistan. Aside from parades and processions in honor of veterans, it is also customary for women to give small presents to men in their lives, such as fathers, husbands, and co-workers. Consequently, the holiday is often referred to as Men's Day.

As such, most spam emails revolve around souvenirs, small gifts, and even men’s medicine such as Viagra. Below is an example of some of these emails:

Subject: Волшебные подарки на 23 февраля
Translation: Magical gifts for February 23


Symantec Security Response | 26 Feb 2013 17:40:00 GMT

In July 2010, Stuxnet, one of the most sophisticated pieces of malware ever written, was discovered in the wild. This complex malware took many months to analyze and the eventual payload significantly raised the bar in terms of cyber threat capability. Stuxnet proved that malicious programs executing in the cyber world could successfully impact critical national infrastructure. The earliest known variant of Stuxnet was version 1.001 created in 2009. That is, until now.

Symantec Security Response has recently analyzed a sample of Stuxnet that predates version 1.001. Analysis of this code reveals the latest discovery to be version 0.5 and that it was in operation between 2007 and 2009 with indications that it, or even earlier variants of it, were in operation as early as 2005.

Key discoveries found while analyzing Stuxnet 0.5:

  • Oldest variant of Stuxnet ever found...
Symantec Security Response | 26 Feb 2013 17:40:00 GMT

When Symantec first disclosed details about how Stuxnet affected the programmable logic controllers (PLCs) used for uranium enrichment in Natanz, Iran, we documented two attack strategies. We also noted that the one targeting 417 PLC devices was disabled. We have now obtained an earlier version of Stuxnet that contains the fully operational 417 PLC device attack code.

After painstaking analysis, we can now confirm that the 417 PLC device attack code modifies the state of the valves used to feed UF6 (uranium hexafluoride gas) into the uranium enrichment centrifuges. The attack essentially closes the valves causing disruption to the flow and possibly destruction of the centrifuges and related systems. In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values...

Symantec Security Response | 26 Feb 2013 17:40:00 GMT


Stuxnet stores a version number within its code. Analysis of this code reveals the latest discovery to be version 0.5. Based on website domain registration details, Stuxnet 0.5 may have been in operation as early as 2005. The exact date this version began circulating in the wild is unclear. What is known is that the date this early variant stopped compromising computers was July 4, 2009—just 12 days after version 1 was created.

Table 1. Known Stuxnet variants, based on main module PE timestamps

This blog focuses on the Stuxnet timeline, how Stuxnet 0.5 fits into the attack timeline, and its evolution to Stuxnet version 1.


Stuxnet 0.5 is...

Symantec Security Response | 26 Feb 2013 17:40:00 GMT

Similar to Stuxnet 1.x versions, Stuxnet 0.5 has limited command-and-control (C&C) ability. In particular, Stuxnet 0.5 does not provide fine-grained control to its authors. Instead, Stuxnet 0.5 can only download new code and update itself. Stuxnet needs to spread on isolated networks and therefore has been designed to be autonomous, reducing the need to have robust and fine-grained C&C ability. Stuxnet 0.5 also uses a secondary peer-to-peer mechanism in order to propagate code updates to peers on networks inaccessible to the broader Internet.

Stuxnet 0.5 has four C&C servers, all of which are now either unavailable or have since been registered by an unrelated party.

Interestingly, Stuxnet 0.5 is programmed to stop contacting the C&C server after January 11, 2009, even though the threat is programmed to stop spreading several months later after July 4, 2009.

The C&C server domains were created in 2005 and all displayed the same front page...

Joji Hamada | 26 Feb 2013 06:07:59 GMT

Contributor: Masaki Suenaga

We have already seen a handful of zero-day vulnerabilities being exploited in the wild this year. These vulnerabilities have affected users globally leaving both individuals and organizations scrambling to protect their computers. While this does become tiring, this is not the time to rest or become complacent, especially for those using the Japanese word processor software, Ichitaro.

JustSystems has just announced a vulnerability that is currently being exploited in the wild. Symantec has seen the exploitation in the wild since mid-January, but it has been limited to users in Japan. The attacks using the exploit typically involve archive files containing the following files:

  • A clean Ichitaro document (.jtd file)
  • A modified JSMISC32.DLL file with a hidden attribute
  • A malicious DLL file with a hidden attribute and a...
Anand Muralidharan | 25 Feb 2013 20:01:22 GMT

February is a short month, but not too short for spam events to make an impact. Valentine's Day and its associated threats has passed, so now it is time for International Women's Day—celebrated on March 8 every year. This is a great occasion to express love, respect, and kindness toward women and spammers will always attempt to take advantage of these events. The following is a spam campaign we have observed targeting International Women’s Day with a fake product promotion.

Often, spam originating from Russia will attack targets using online marketing promotions with odd phone numbers. Here, spammers targeted users by providing fake offers for great gifts for Valentine’s and International Women’s Day and also some peculiar phone numbers are provided for ordering a gift certificate.

The following is an example of the Russian spam observed by...

Symantec Security Response | 22 Feb 2013 18:18:54 GMT

Mandiant recently released a document containing indicators of compromise (IOCs) related to multiple espionage campaigns by a group known as the Comment Crew. Symantec has been actively tracking this group for six years while maintaining our own database of indicators. From our investigations we have collected thousands of indicators related to Comment Crew.

To help increase public awareness, we have decided to release hundreds of additional Comment Crew indicators to those already released. These are indicators that have been seen within the past year.

Symantec products already protect against the artifacts related to these indicators and many of these artifacts have already been shared with the security community.

You can find these indicators in the following paper:...

Hiroshi Shinotsuka | 22 Feb 2013 11:10:22 GMT

Regular readers of the Symantec blog may sometimes read blogs that mention a fraudulent file that is signed with a valid digital certificate or that an attacker signed their malware with a stolen digital certificate.

You may recall that the creators of Stuxnet, arguably the most notorious malware in history, signed it using the private keys of valid digital certificates of well-known companies.

Digital certificates are significant because a file with a digital certificate can be checked to see who authored it and to make sure it was not altered. Moreover, some versions of Windows display a dialog box when a file that has no digital signature is opened. If an attacker signs malware with the stolen private key from a digital certificate, Windows will execute the file in many cases, except if the file is downloaded from the Internet using a Web browser.

How does an...