Security Response
Showing posts for April of 2013
Hon Lau | 01 May 2013 04:17:08 GMT

In today’s connected world, many of us are members of at least one social networking service, if not more. The influence and reach of social media enterprises such as Facebook (more than 600M active users per month) and Twitter (more than 140M active users) is staggering, and as communications tools they offer global reach, delivering almost instantaneous communications to huge multinational audiences. Social media is attractive to hacktivists because it is a forum for people on the Internet and where big discussions take place. Hijack a forum like this and you have an effective soapbox for getting your message across. Hardly a day passes without news of another high-profile breach by hacktivists and social...

Candid Wueest | 30 Apr 2013 05:38:39 GMT

Nearly every week now we can read about a data breach case somewhere in which millions of user accounts, and potentially other sensitive data, have been compromised. Most people are not even shocked by such news anymore, as it is starting to become humdrum.

One of the most common attacks used in such breaches is SQL injection. This attack has ranked first on OWASP’s Top 10 list of Web application flaws for many years. There are several well-known methods of preventing SQL injection, but unfortunately it is still often encountered on production sites. Furthermore, misconfigured Web servers and vulnerabilities in remote management tools can allow attackers to gain access to systems and read potentially sensitive files.

There has long been a heated discussion about how best to store passwords and that discussion is still ongoing. Most people agree that storing passwords in clear text...

Ashish Diwakar | 26 Apr 2013 21:25:07 GMT

Contributor: Avdhoot Patil

Phishers have recently taken a strong interest in football. Various phishing attacks using football themes were observed in 2012. Phishers have already shown their interest in the 2014 FIFA World Cup, football celebrities, and football clubs. Scam for LIONEL MESSI Fans and Scam for FC Barcelona are good examples of phishers using football celebrities and football clubs. Fraudsters understand that choosing celebrities with a huge fan base offers the largest number of targets, which could increase their chances of harvesting user credentials. In April 2013, the trend continued with phishers using the same strategy. The phishing sites were in French and hosted on a free web hosting site.

The phishing sites prompted users to enter their Facebook login credentials on pages designed to...

Eric Park | 26 Apr 2013 17:57:25 GMT

Symantec has observed an increase in spam messages containing .pw top-level domain (TLD) URLs. While .pw was originally the country code top-level domain for Palau, it is now available to the general public through Directi, who branded it as “Professional Web”.


Figure 1. .pw TLD URL spam message increase

Looking back at the last 90 days, .pw ranked #16 on our TLD distribution list:


Figure 2. TLD distribution list - last 90 days

However, the .pw URL jumps to the fourth spot when looking at the last 7 days:

Symantec Security Response | 26 Apr 2013 14:52:47 GMT

Join Symantec Security Response experts Kevin Haley and Paul Wood on Twitter (using the #ISTR hashtag) on Tuesday, April 30, at 9 a.m. PT / 12 p.m. ET to chat about the key trends highlighted in Symantec’s recently released Internet Security Threat Report (ISTR), Volume 18.

The ISTR, which covers the major threat trends observed by Symantec in 2012, reveals a significant increase in cyberespionage attempting to gain access to confidential information and valuable intellectual property, and shows how criminal methods of obtaining this information are shifting. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31 percent of all attacks targeted them, representing a threefold increase from 2011.

Mark your calendars to join the #ISTR chat and plan to discuss the latest attack vectors...

Hiroshi Shinotsuka | 26 Apr 2013 12:29:58 GMT

Recently, I discovered a back door Trojan horse program (detected as Backdoor.Trojan) that does not work on Microsoft Windows XP. I would like to present some of the details of this threat, especially as the malware author encoded a special trick into the functionality of the Trojan. The trick appears to have been designed to allow the threat to be used in targeted attacks.

The fseek function

In this threat, the author uses the fseek function in an unusual way; fseek is normally used when processing file data. For example, if the program has read 100 bytes of data from the top of a file, fseek is used to move the file position by those 100 bytes.

Figure 1. The fseek code trick used by the malware

However, in the...

Mathew Maniyara | 24 Apr 2013 18:22:36 GMT

Contributor: Avdhoot Patil

Phishers are not letting go of the chaos in Syria. They are using a common phishing template and modifying the messages. In March, phishers mimicked the website of the same Arab Gulf States organization seen in a previous phishing site. But instead of promoting the Syrian opposition, phishers impersonated the UN in a scheme meant to show support for the people of Syria. The phishing pages were in Arabic and the phishing site was hosted on servers based in Dallas, Texas, in the United States.

Just recently, phishers have tried to entice users by condemning the Syrian regime. Now, they are citing the Syrian President, Bashar al-Assad, in particular. The phishing site we observed contained a message in Arabic that asked users if they agreed with condemnation of the Syrian President as a war criminal. The message gave options...

Lionel Payet | 24 Apr 2013 14:56:40 GMT

Java vulnerabilities have always been popular among cybercriminals (exploit kit authors) because they work across multiple browsers and even multiple operating systems, so the potential for infecting large numbers of users is very high.

On April 16, Oracle released its Java Critical Patch Update (CPU) for April 2013 that addressed vulnerabilities found in numerous supported products. Interestingly, one of the vulnerabilities, CVE-2013-2423, was publicly disclosed the following day and this was closely followed by a Metasploit proof of concept on April 20.

It didn’t take long for exploit kit authors to adopt this openly available vulnerability. We are currently seeing cases of Cool EK using this new Java vulnerability and we expect this exploit to be rolled out to other exploit kits.

John-Paul Power | 23 Apr 2013 20:21:41 GMT

Small and medium enterprises (SMEs) in the UK are being offered up to £5,000 (approximately $7,600 USD) in order to improve their cybersecurity. The Innovation Vouchers scheme, being run by the government’s Technology Strategy Board, is designed to help businesses “innovate and grow” by funding outside expertise. The government has made available £500,000 ($762,600 USD) to SMEs that do not already have internal cybersecurity expertise and who are working with a new technology supplier for the first time.

Attacks targeted towards SMEs are on the increase. According to Symantec’s ...

Dinesh Theerthagiri | 22 Apr 2013 21:39:35 GMT

In the first quarter of 2013, we spotted quite a few zero-day vulnerabilities affecting Oracle Java, Adobe Flash, Adobe Reader, and Microsoft Internet Explorer being exploited in the wild. This blog discusses the details of the zero-days exploited to spread malware during that quarter.

Java zero-day vulnerabilities

During the month of January 2013, we saw some interesting Oracle Java SE zero-day issues being actively exploited in the wild. On January 13, 2013, Oracle released a security alert for Oracle Java Runtime Environment Multiple Remote Code Execution Vulnerabilities (CVE-2013-...