Video Screencast Help
Security Response
Showing posts for November of 2013
Showing posts in English
Symantec Security Response | 30 Nov 2013 01:35:12 GMT

On November 27, Microsoft issued a security advisory regarding the recent discovery of a zero-day vulnerability in a kernel component of Windows XP and Windows Server 2003. The advisory states that the Microsoft Windows Kernel 'NDProxy.sys' Local Privilege Escalation Vulnerability (CVE-2013-5065) can allow an attacker to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers.

Symantec is aware of the attacks attempting to exploit the vulnerability and confirms the attacks have been active since the beginning of November. The attack arrives as a malicious PDF file with file names such as syria15.10.pdf or Note_№107-41D.pdf, likely by an email attachment, although there is a possibility that targeted users are being enticed to download the malicious file from a...

Candid Wueest | 27 Nov 2013 17:39:15 GMT

In Switzerland, a judge sentenced a young man to pay a fine for a comment he made on a social network. According to news reports, he felt he didn’t receive a sufficient number of birthday congratulations from his 290 friends on the social network. He posted a comment that roughly translates to, “Is no one happy about my birthday? (…) I am going to destroy you all, you will regret it, now no one can protect you… pow pow pow.” He later explained that it was obviously meant as a sarcastic comment and not intended as a death threat. The judge did not see the humor in the comment and sentenced him to pay a fine.

This is just the most recent case of many alleged fake threats that have been posted this year. Others have received much higher penalties, like a teenager in Texas who spent...

Kaoru Hayashi | 27 Nov 2013 11:53:48 GMT

Symantec has discovered a new Linux worm that appears to be engineered to target the “Internet of things”. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes, and security cameras. Although no attacks against these devices have been found in the wild, many users may not realize they are at risk since they are unaware they own devices that run Linux.

The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP 'php-cgi' Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the...

Laura O'Brien | 26 Nov 2013 09:10:44 GMT
Contributor: Vivek Krishnamurthi
cyber_monday_graphic.png
 
December 2, 2013 marks Cyber Monday, the day when Internet retailers expect to experience a major surge in traffic thanks to people shopping online for the holiday season. The concept of Cyber Monday, or Mega Monday as it’s known in Europe, was introduced back in 2005. It takes place after the Thanksgiving holiday weekend, when people return to the office and buy Christmas presents from their work computers, according to retailers. Some dismissed Cyber Monday as marketing hype but over time, the day has grown in significance, thanks to competitive deals on offer from many major retailers. In 2012, the 500 biggest retailers in the US took more than US$206.8 million on Cyber Monday while in Europe,...
Symantec Security Response | 25 Nov 2013 16:26:59 GMT
In a previous blog, Symantec reported a new Ichitaro zero-day vulnerability known as the Multiple Ichitaro Products Unspecified Remote Code Execution Vulnerability (CVE-2013-5990). This flaw was being actively exploited in the wild, but the exploit was not properly working to compromise computers. A week after that, we confirmed a working exploit in multiple incidents which is actually capable of infecting targeted computers with a back door used typically in targeted attacks. The format of the file used to exploit the vulnerability, as was the case in previous attacks, is a rich text format which targets the word processing software Ichitaro, developed by Justsystems.
 
In the earlier cases where the exploit was unsuccessful, variants of...
Santiago Cortes | 25 Nov 2013 09:17:33 GMT
Back in 2012, a key player involved with the prominent Remote Administration Tool (RAT) known as Blackshades RAT was reportedly arrested. Despite his alleged arrest, and with its code leaked in 2010, the tool is still being sold and used in cybercriminal activity. Symantec Security Response has noticed that the use of the RAT has increased over the last five months.
 
Blackshades RAT, detected by Symantec products as W32.Shadesrat, will gather passwords and credentials from infected systems, sending them back to the malicious command-and-control (C&C) server. This increase in activity prompted us to investigate the main C&C servers that manage the latest infections. Upon investigation, we found a connection to the...
Binny Kuriakose | 22 Nov 2013 09:42:44 GMT

Contributor: Vivek Krishnamurthi

The holiday season starts in the United States on Thanksgiving on November 28 preceding Black Friday, which occurs on November 29. This also marks the beginning of the much awaited shopping season when people take to the streets to celebrate the shopping furor with their family and friends. The shopping buzz is fuelled by discount sales and promotional offers by online sites and retailer outlets.

With online commerce growing by the day, spammers may take advantage of the holiday season to target shoppers. The spammers usually send out fake promotional messages and bogus deals and lie in wait for any victims who are tricked by these scams. Symantec has been on the lookout for signs of such messages to warn the public on what to avoid this holiday season.

We found the most popular spamming techniques, which topped our chart early this holiday season 

Products offered at discounts never seen before...

Symantec Security Response | 22 Nov 2013 00:12:26 GMT

Fake AV 1 edit.png

Contributor: Joseph Graziano

A new clever way of social engineering spam is going around today that attempts to trick users into running malware on their computers. The methods malware authors are using include emails pretending to be from various antivirus software companies with an important system update required to be installed by the end user, along with attaching a fake hotfix patch file for their antivirus software. The email plays on end user concern over the lack of detection, especially in the face of the latest threats showcased in the media recently, such as the Cryptolocker Trojan. This type of social engineering entices users to open and install the hotfix without using much discretion as...

Takashi Katsuki | 20 Nov 2013 16:42:05 GMT

Symantec has discovered a new back door worm-type threat which targets servers running Apache Tomcat. This threat is a little different from the ones we usually encounter every day.

Back door type Trojan horses and worms let attackers execute various commands on compromised computers and essentially enable the attacker to control a computer remotely. This means that important information can be stolen from the user and their computer could be used to attack other victims.

You may think that this type of attack only targets personal computers, such as desktops and laptops, but unfortunately that isn’t true. Servers can also be attacked. They are quite valuable targets, since they are usually high-performance computers and run 24x7. We often see back door type Trojans that are written in PHP, such as PHP.Backdoor.Trojan. This time around though, Symantec has found...

Christopher Mendes | 20 Nov 2013 05:37:33 GMT

Tacloban, the new ground zero created by Haiyan, is the raison d'être for a large directory harvest attack (DHA) launched by spammers today.

A DHA attack is launched to check the validity of an email directory or emails related to a targeted email server. The aim of this is to collect intelligence and prepare a platform to launch a large spam campaign on that particular site once a database is put in place. Rejected emails return as bounce or non-delivery report/receipt (NDR) and the rest is concluded as legit, while valid emails will soon be bombarded with a host of spam, phish and malware laden email attacks.

The attack is launched, with the spammer claiming to be from a reputed mass media and communications company on a very large Internet site and service provider, for the sole purpose of harvesting and validating email addresses.

The email’s structure is very simple. The headers and body content of the said attack are taken from a...