Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts for March of 2014
Showing posts in English
Symantec Security Response | 31 Mar 2014 14:41:18 GMT

On the back of Cryptolocker’s (Trojan.Cryptolocker) perceived success, malware authors have been turning their attention to writing new ransomcrypt malware. The sophisticated CryptoDefense (Trojan.Cryptodefense) is one such malware. CryptoDefense appeared in late February 2014 and since that time Symantec telemetry shows that we have blocked over 11,000 unique CryptoDefense infections. Using the Bitcoin addresses provided by the malware authors for payment of the ransom and looking at the publicly available Bitcoin blockchain information, we can estimate that this malware earned cybercriminals over $34,000 in one month alone (according to Bitcoin value at time of writing).

Imitation is not...

Symantec Security Response | 31 Mar 2014 03:48:11 GMT

Symantec has observed the growth of indigenous groups of attackers in the Middle East, centered around a simple piece of malware known as njRAT. While njRAT is similar in capability to many other remote access tools (RATs), what is interesting about this malware is that it is developed and supported by Arabic speakers, resulting in its popularity among attackers in the region.

The malware can be used to control networks of computers, known as botnets. While most attackers using njRAT appear to be engaged in ordinary cybercriminal activity, there is also evidence that several groups have used the malware to target governments in the region.

Symantec analyzed 721 samples of njRAT and uncovered a fairly large number of infections, with 542 control-and-command (C&C) server domain names found and 24,000 infected computers worldwide. Nearly 80 percent of the C&C servers...

Satnam Narang | 26 Mar 2014 08:37:40 GMT

In late January this year, eager fans purchased tickets for Coachella, an annual two-weekend, three-day music festival but were later targeted by scammers in a phishing campaign that persisted up till the end of February.

Front Gate Tickets, the company responsible for handling the festival’s ticketing had sent an email to ticket buyers at the end of February warning users on the phishing campaign stating:

“The phishing involved a fraudulent website designed to look like the login page for Coachella ticket buyers to access their Front Gate accounts, built in an attempt to capture username and password information.”

The email went on to explain that the phishing links were circulated on message boards and email campaigns, and that the perpetrators had harvested the email addresses of ticket buyers who posted them publicly on message...

Symantec Security Response | 25 Mar 2014 12:25:44 GMT

Microsoft posted a security advisory today for a newly discovered, unpatched vulnerability affecting Microsoft Word. An attacker could take advantage of the Microsoft Word Remote Memory Corruption Vulnerability (CVE-2014-1761) to gain remote access to the targeted computer. The advisory indicates that the vulnerability was exploited in limited, targeted attacks. 

Users should not only be cautious about opening unknown RTF documents, but they should also avoid previewing these files in Outlook, as doing so could let the attackers exploit the vulnerability. Be aware that the default viewer for RTF documents attached to emails in several versions of Outlook is Microsoft Word. 

While patches have not yet been made available, users can apply several workarounds to minimize the risk of exploitation. Microsoft...

Daniel Regalado | 24 Mar 2014 12:57:46 GMT


There is a growing chorus of voices calling for businesses and home users to upgrade existing Windows XP installations to newer versions of Windows, if not for the features, then at least for the improved security and support. ATMs are basically computers that control access to cash, and as it turns out, almost 95 percent of them run on versions of Windows XP. With the looming end-of-life for Windows XP slated for April 8, 2014, the banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet. This risk is not hypothetical — it is already happening. Cybercriminals are targeting ATMs with increasingly sophisticated techniques. 

In late 2013, we...

Symantec Security Response | 20 Mar 2014 12:59:29 GMT

Last year, security reporter Brian Krebs discovered that a group of attackers managed to compromise multiple companies, steal sensitive customer data and sell the details through an online identity theft store known as SSNDOB. The attackers broke into the networks of a number of major consumer and business data aggregators as well as a software development firm. Krebs revealed that the attackers then put the stolen data for sale on SSNDOB, allowing their customers to buy personal details belonging to US and UK citizens.

Symantec looked into the attacks conducted by the group behind SSNDOB, who we call the Cyclosa gang. During our investigations, we managed to identify one of the owners of the service who claims in online forums to be Armand Arturovich Ayakimyan, a 24-year-old man from Abkhazia. As we looked further into this case, we learned how he started as a...

Kaoru Hayashi | 19 Mar 2014 12:58:54 GMT


Last November, we found an Internet of Things (IoT) worm named Linux.Darlloz. The worm targets computers running Intel x86 architectures. Not only that, but the worm also focuses on devices running the ARM, MIPS and PowerPC architectures, which are usually found on routers and set-top boxes. Since the initial discovery of Linux.Darlloz, we have found a new variant of the worm in mid-January. According to our analysis, the author of the worm continuously updates the code and adds new features, particularly focusing on making money with the worm.

By scanning the entire Internet IP address space in February, we found that there were more than 31,000 devices infected with Linux.Darlloz.

Coin mining
In addition, we have discovered the current...

Symantec Security Response | 18 Mar 2014 22:56:52 GMT

Security researchers have released a paper documenting a large and complex operation, code named “Operation Windigo”. Since the campaign began in 2011, more than 25,000 Linux and Unix servers were compromised to steal Secure Shell (SSH) credentials, to redirect Web visitors to malicious content, and to send spam. Well-known organizations such as cPanel and Linux Foundation were confirmed victims. Targeted operating systems include OS X, OpenBSD, FreeBSD, Microsoft Windows, and various Linux distributions. The paper claims Windigo is responsible for sending an average of 35 million spam messages on a daily basis. This spam activity is in addition to more than 700 Web servers currently redirecting approximately 500,000 visitors per day to malicious content.

The paper lists three main malicious components (ESET detection names):

  • Linux/Ebury – an OpenSSH backdoor used...
Nick Johnston | 13 Mar 2014 18:14:34 GMT

We see millions of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users.

The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link.

Of course, the link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown:


Figure. Google Docs phishing login page

The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in...

Symantec Security Response | 12 Mar 2014 11:16:35 GMT
On Tuesday, Microsoft released its security updates for Microsoft Patch Tuesday, which included the much needed update to address a zero-day vulnerability affecting Internet Explorer 9 and 10. The exploit for the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322) was originally used in targeted attacks, but it caught on among average cybercriminals. As a result, the exploit currently affects Internet users in general.
In this month’s Patch Tuesday, Microsoft covered another Internet Explorer zero-day vulnerability, which is being exploited in the wild. This flaw is known as the...