Symantec Blogs: Security Response

Ben Nahorney | November 3rd, 2009

Threats targeting the Macintosh platform are much less common than those targeting Windows. The same can be said about video games, where Windows is the dominant platform of the two. Combining games and malware has happened before, but a Mac game performing malicious activities? That’s something relatively new.

Takashi Katsuki, one of our Tokyo engineers, came across just that today. The game looks to be a throw-back to the classic Space Invaders/Galaga style of games from the early 1980s. However, what brings this game into the realm of malicious code is that for every alien ship you destroy, the game deletes a file from your home directory.

...
Ben Nahorney | October 25th, 2009

I came across something interesting while chasing up a fake antivirus lead the other day. As we often do here when looking for new threats, I visited the malicious URL and ran through the standard steps to download and install the risk. (Video of the threat follows below.)

It was one of those run-of-the-mill fake codec sites. You go to a page to watch a video, only it tells you that you don’t have the correct codec to watch it. You’re prompted to install a “codec”, but then bam!—an unexpected antivirus scan starts running on your computer.

In this case, while I was presented with a typical installation routine, an error message appeared at the end. This is also not uncommon, often meant to make the user think the codec failed to install, which they might believe is why they still can’t watch the video afterwards.

What was interesting was that no fake security scan appeared afterwards. However, I noticed the all-too-familiar...

Ben Nahorney | October 20th, 2009

Rogue security software scams are everywhere these days. The numbers are quite staggering—over 250 distinct programs racking up 43 million installation attempts, according to our new Report on Rogue Security Software.

Still, when it comes down to functionality and code base, it’s more akin to a few people with really large wardrobes. There might be dozens of variations of the same underlying program, each receiving minor updates and a new software skin. They even use the same fake threat names when attempting to scam you—stuff like “Spyware.Monster” or “Spyware.IEmonster”.

Ultimately what we’re looking at is variety in graphic design rather than functional design. We’ve put together a video to show just that. Our report calls these threats Antivirus200X—a “family” of rogue security...

Ben Nahorney | September 24th, 2009

A lot can be said with 140 characters. It’s just enough to convey a point, but constricting enough to make things concise. No wonder microblogging sites such as Twitter have become so popular.

Unfortunately one of the limitations here is sharing Web pages with long URLs. In order to address this issue, URL-shortening utilities have grown in popularity on the site. Using such tools allows you to include a link well within the 140-character limit, which will redirect anyone who clicks it to the longer URL and thus the site you wanted to share.

There’s one downside here, from a security point of view—you’ll often have no idea where the link leads until you click it. Clicking any link like this is entirely a security leap of faith. Unfortunately malware authors have caught on to this and are currently distributing misleading applications using these shortened URLs. Using enticing tweets and commonly used twitter search terms, their goal is to get...

Ben Nahorney | July 17th, 2009

In Security Response, our primary objective is to provide virus definitions and firewall signatures to protect our customers from threats in the wild. On the flip side of the coin is Symantec’s Support organization, where we help customers install and configure their security software and, in cases where the worst has happened, help remove threats from a computer or network.

Symantec’s Support organization often receives requests to provide threat outbreak information. In some cases the request is for content aimed at a management level, detailing what their security teams have to do in these cases, which they could use to explain the situation at say, the next board meeting. In other cases the requests come from small business folks who are not necessarily IT or Security managers, but may be the office “computer guy/girl” put in charge of cleaning up an outbreak.

It can be difficult to comprehend what’s happening when a computer is...

Ben Nahorney | June 2nd, 2009

It seems that the Downadup family of worms is gone but not forgotten. Or is it the other way around?

Media attention for Downadup has waned since early April. The last variant of the threat, W32.Downadup.E, included a “self-destruct sequence” effectively deleting itself as of May 3, 2009. Has the death toll for Downadup chimed, effectively moving it to the historical annals of malicious code?

Not in the least—Downadup is still very much alive and kicking around out there. While the threat is no longer spreading with the same fervor as it did at the beginning of the year, its infection numbers are not falling off as you would expect if we were looking at the cleanup period of a has-been threat. Let’s take a look at some rough data that we’ve collected here in Security Response.

...

Ben Nahorney | April 21st, 2009

For the last couple weeks, all’s been pretty quiet on the Downadup/Conficker front. While we’re still performing our ‘daily patrols’ here in Security Response, watching for signs of something new, quiet moments like this give us a chance to reflect on what has come to pass so far.

What we’ve discovered looking back is that there has been some confusion about the different Downadup variants—what each one does and how they interrelate. It’s not surprising, given that a feature present in one version is often absent in another. Some largely stand on their own, some install other risks, and others largely seem to exist in order to update their siblings. Try describing how each works and you’re likely to find yourself reminded of an Abbott and Costello routine.

In order to connect the dots between Downadup variants, we’ve developed a...

Ben Nahorney | April 3rd, 2009

Earlier this week, researchers from the University of Toronto published a paper about a botnet called Ghostnet that had infiltrated a large number of computers located in various government agencies around the world. While smelling of espionage—the circumstantial evidence shows particular organizations were targeted—no solid evidence has linked the attack to any one government organization.

However, there do appear to be a few hacker organizations actively involved in the development and dissemination of the toolset used to create the back door used in Ghostnet. This threat, named Backdoor.Ghostnet, can easily be created by just about anyone who can work their way around the toolset—and the toolset is built to be very easy to use. Just fill out a...

Ben Nahorney | March 27th, 2009

If you’re one of those people with a passing knowledge of Linux, you might see it as something used exclusively by network admins, developers, and hobbyists. What you may not realize is that these admins, devs, and hobbyists have taken this versatile OS and ported it to all sorts of devices over the years. While some of these ports were for fun (epitomizing the “because I could” attitude of many hardware enthusiasts), Linux slowly began to appear on everyday devices. Today you can find the operating system on anything from phones to cameras to PVRs. Even if you’re not a gadget geek, you may have a Linux-embedded device yourself without even knowing it.

While this swell in usage is great news for open-source advocates, it also brings with it unwanted attention. As we’ve seen time and again—as software gains in popularity it becomes more of a target for malicious code. Over the last few months,...

Ben Nahorney | March 13th, 2009

How do you summarize the functionality of a threat like Downadup? It sounds like the sort of challenge taken up only by folks that can solve a Rubik’s Cube in 30 seconds or less. If someone asked me to do so in a sentence, here’s how I’d do it:

“Yeah, right.”

Then again, I was that kid who solved his Rubik’s Cube with a screwdriver. Downadup isn’t one of those types of threats that lend themselves to an in-a-nutshell summary. It happens to be one of the most complex threats we’ve seen in the history of malicious code. Still, let’s give it another try:

“Downadup is a worm.”

True, but this glosses over so, so much. Third time’s the charm?

“Downadup is a worm that spreads by exploiting a vulnerability without DoSing the network with traffic (as well as removable and network drives, by brute-forcing network shares and...

Ben Nahorney | December 3rd, 2008

Banning the use of removable drives may sound like a strict IT policy. But when faced with a worm introduced to your network by such devices, it is the sensible thing to do. Recently, the US Department of Defense has done just that in order to protect their networks from such threats.

As the use of removable drives has increased, they have become a successful vehicle to enter a network and compromise computers. The ease of infection is facilitated by a feature within Windows called AutoPlay. Meant as a feature of convenience, AutoPlay allows programs to automatically launch when CDs, DVDs, removable drives, or any other form of storage is inserted into a computer. However, this convenience comes at a serious security cost, as described in the following video:

So how do you protect yourself from such rapidly spreading threats? Banning the use of removable media does reduce...

Ben Nahorney | July 18th, 2008

Tell me if this sounds like a familiar scenario. You’ve come up with a brilliant password – it’s strong, easy to remember, and you’ve finally mastered the finger gymnastics required to type it in quickly – only to find that the usage window, mandated by IT password policy, is up. So you come up with a new one, double it, add 32, and then subtract the letters from your mother’s maiden name. Only now IT requires you to include at least two punctuation characters, but that just throws the logic of your method right off.

Password creation is a constant dance between security and convenience, where good passwords that bridge the gap are hard to come by. On the one hand, strong passwords, changed on a regular basis, do reduce the likelihood of success for a wide range of attacks. On the other hand, if you make something too complex, you run the risk of forgetting it–somewhat ironic evidence of its security.

...
Ben Nahorney | May 23rd, 2008

We’ve all done foolish things for romance. The exhilaration of discovering a new partner is one of the more exciting feelings in the human experience. However, this flutter of emotions can also drive us to distraction—so much so that reason and logic are often thrown out at its height.

It seems the online scammers of the world have realized this, if phony romance scams are any testament. Such “phomance” scams can sometimes go on for months, as the scammer slowly wins over the victim’s trust. These schemes generally lead to a request for money, under the guise that the scammer plans to visit. Ultimately, the meeting never occurs, the money is gone, and the victim is quite possibly left with nothing but a broken heart.

Fortunately many such scammers aren’t clever enough to achieve this final result, often giving away clear indications that they aren’t who they say they are. But by keeping an eye out for a few telltale signs, it...

Ben Nahorney | November 28th, 2007

Four days after news of the recent Apple QuickTime vulnerability began to spread, a new proof-of-concept exploit, with a twist, has been published. While the shell code in the previous exploit was contained within a malicious RTSP data stream, this time the shell code is sent via JavaScript, separate from the stream.

Let’s break down how this might play out. A client requests a Web page from a malicious site. The page that is sent contains malicious shell code and a request for a QuickTime movie. If the client is using Internet Explorer, the shell code is written to a heap area for later use. Meanwhile, the browser receives the QuickTime movie and then opens it with QuickTime, creating an RTSP stream to the malicious server. Only the RTSP server in this scenario is hosting a hacked version, which actually sends back a stream that...

Ben Nahorney | October 17th, 2007

I was recently reminded of a childhood game my friends and I used to play in the forests near where I grew up. I’d stand near the edge of the tree line, holding a burlap sack, while my friends snuck into the underbrush looking for snipes. You had to be really quiet, see, because those critters would scare easily. You had to have patience too; sometimes you’d be standing there for hours in your snipe-catching crouch. On more than one occasion it seemed my friends got lost in their hunt, and as dusk turned into evening, I’d have to head home empty-handed, before my parents started wondering where I was.

I was a gullible kid.

In much the same way, many people these days are being misled by messages they receive about threats on their computer. But where the worst that came of our snipe-hunting adventures was wariness of what my friends would tell me, believing these messages can...