Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.
Security Response
Showing posts for August of 2013
Showing posts in English
Joji Hamada | 30 Aug 2013 07:56:51 GMT

Shortcut files have recently become a common vehicle used in targeted attacks to deliver malware into organizations. Symantec has observed a variety of ways shortcut files are being used to penetrate networks, such as the one described in a previous blog. We recently came across another example of how this file type is being used in an attempt to evade detection by security products and trick email recipients into executing attachments. In this variation, an email with disassembled malware attached is sent to a recipient along with a shortcut file used to reassemble the malware.

The email used for this attack included an archive file as an attachment containing a shortcut file with an icon of a folder along with a real folder containing a Microsoft document file and two hidden files with .dat file extensions.

...

Nick Johnston | 29 Aug 2013 08:24:31 GMT

As the international community coordinates its response to the deepening crisis in Syria, scammers have once again demonstrated their skill at using current, high-profile events to their advantage. We have previously covered these methods in regards to Egypt, Libya, and the Rugby World Cup.

We recently identified a scam message that claimed to be from The Red Cross. The message explains how the conflict is creating a humanitarian crisis and urges people to support The Red Cross and The Red Crescent.

SyriaScam.png

Curiously, the email includes a link to the actual British Red Cross...

Symantec Security Response | 28 Aug 2013 07:00:30 GMT

In April 2013, the administrative assistant to a vice president at a French-based multinational company received an email referencing an invoice hosted on a popular file sharing service. A few minutes later, the same administrative assistant received a phone call from another vice president within the company, instructing her to examine and process the invoice. The vice president spoke with authority and used perfect French. However, the invoice was a fake and the vice president who called her was an attacker.

The supposed invoice was actually a remote access Trojan (RAT) that was configured to contact a command-and-control (C&C) server located in Ukraine. Using the RAT, the attacker immediately took control of the administrative assistant’s infected computer. They logged keystrokes, viewed the desktop, and browsed and exfiltrated files. 

These tactics, using an email followed up by a phone call using perfect French, are highly unusual and are a sign of...

Masaki Suenaga | 22 Aug 2013 20:31:29 GMT

We have been fighting the W32.Changeup family of worms for a long time and have written about it many times
 

image1_10.png

Figure 1. W32.Changeup prevalence
 

One characteristic of W32.Changeup is that it is written in Microsoft Visual Basic 6.0 and the viral part of its program code is seen in the program file, but it may appear to be obfuscated. However, for the first time in W32....

Flora Liu | 21 Aug 2013 10:25:27 GMT

Although ransomware has become an international problem, we rarely see Chinese versions. Recently, Symantec Security Response noticed a new type of ransomlock malware that not only originates from China but also uses a new ransom technique to force users into paying to have their computers unlocked.

This threat is written in Easy Programming Language and is spread mostly through a popular Chinese instant messaging provider. Once a computer is compromised, the threat changes the login credentials of the current user and restarts the system using the newly created credentials. The login password is changed to “tan123456789” (this was hardcoded in the sample we acquired) but the malware author may update the threat and change the password. The account name is changed to “contact [IM ACCOUNT USER ID] if you want to know the password” (English translation)so that once the computer has restarted, and the user is unable to log in, they will see the account...

Ross Gibb | 20 Aug 2013 23:50:30 GMT

ZeroAccess has always distributed its malicious payloads to infected computers using a peer-to-peer protocol. The use of a peer-to-peer protocol removes the need to maintain centralized command-and-control (C&C) servers to distribute malicious payloads. In 2011, ZeroAccess’ peer-to-peer protocol communicated over TCP, but in the second quarter of 2012 the protocol was modified to use UDP. This was the last significant update to the ZeroAccess peer-to-peer protocol until June 29, 2013.

Symantec has been closely monitoring the ZeroAccess peer-to-peer networks since its discovery. On June 29, 2013, we noticed a new module being distributed amongst ZeroAccess peers communicating on the UDP-based peer-to-peer network that operates on ports 16464 and 16465. ZeroAccess maintains a second UDP-based network that operates on ports 16470 and 16471. ZeroAccess peers communicate to...

Satnam Narang | 20 Aug 2013 18:42:39 GMT

Instagram, the popular photo and video sharing service acquired by Facebook, is often a target for spam and scams, some of which we have written about over the past year. This week, a friend shared an in-stream advertisement for a program called Instagram for PC on his Facebook timeline. This application claims to run Instagram in an emulator, so that PC users can access the service without a phone.
 

Instascam 1 edit.png

Figure 1. Instagram for PC website
 

When trying to download a copy of Instagram...

Christopher Mendes | 19 Aug 2013 19:36:42 GMT

Contributor: Sujay Kulkarni

image1_9.png

The Ashes Test cricket series, one of most popular Test series in cricket, is played between England and Australia. It is played alternately in England and Australia and is the oldest test rivalry between these two sides. Cricket fans are glued to the TV and their online devices to watch this riveting series.

In the current Ashes series England is leading 3-0 and is on the cusp of creating history against Australia—if they beat them hands down in the last test match, which now is a real possibility. However, what is making the rounds is not Scholes, Carrick, or Robin Van Persie, but Captain Cook and his elite squad waiting to steamroll Australia.

This...

Santiago Cortes | 14 Aug 2013 14:18:51 GMT

Contributor: Lionel Payet

Political news has always been one of the top topics used in targeted attacks. Last week we came across unique malicious emails targeting high-profile companies in Europe and Asia (in sectors such as finance, mining, telecom, and government). The payload is an updated version of a Java remote access tool (RAT) detected as Backdoor.Opsiness, also known as Frutas RAT.

Fig1_2.png

Figure 1. Frutas RAT logo

Frutas RAT is not new and has been around for quite some time now. Back in February we released a blog about this: Cross-Platform Frutas RAT Builder and Back Door.

The crafted emails used in...

Symantec Security Response | 13 Aug 2013 23:47:38 GMT

There’s been a lot of confusion over the last few days, since bitcoin.org announced that an Android component responsible for generating secure random numbers contained a critical weakness that rendered many Android bitcoin wallets vulnerable.

There are a number of different issues that seem to have come into play to make these bitcoin wallets vulnerable.

Bitcoin uses the ECDSA algorithm to ensure that funds can only be spent by their rightful owners. The algorithm requires a random number to compute an ECDSA signature, but if two different messages are signed with the same private key and the same random number, the private key can be derived. This is a known method of attacking the algorithm and was previously used to break the...