Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts in English
Snapshot of Virut Botnet After Interruption
Symantec Security Response | 07 Jan 2013 21:41:41 GMT | 0 comments

In the past, we have written about the file infector known as W32.Virut. We have even provided insight into trying to shut the botnet down. Due to a recent judicial proceeding causing a temporary outage of the Virut command-and-control (C&C) server domains, we were able to gather information on the size and demographics of the botnet by predicting and sinkholing the random domain generator backup. Unfortunately the outage was only temporary, and Virut continues to remain active.
 

Hardcoded servers and domain generation

Among the C&C servers used by W32.Virut, the domains irc.zief.pl and proxim.ircgalaxy.pl are used by the threat in order to receive instructions. However,...

Read more
Malware Authors Create Android.Exprespam After Prosecutors Drop Case
Joji Hamada | 07 Jan 2013 15:34:52 GMT | 0 comments

In October 2012, the Tokyo Metropolitan Police arrested a group of five individuals for their involvement in developing and distributing Android malware that collected personal data, but that did not deter at least one group of scammers from doing the same as they continued to lure Android device owners to their malware. The Tokyo District Public Prosecutors Office then dismissed the case in December last year because it was unable to find enough evidence to prove that the five suspects were committing a crime. The dismissal has now led to the creation of yet another Android malware targeting Japanese Android device owners.

Symantec has identified new malware, which we detect as Android.Exprespam that collects personal data, such as the device owner’s phone number as well as names and email addresses, stored in Contacts on the compromised device.  Like previously...

Read more
Elderwood Project Behind Latest Internet Explorer Zero-Day Vulnerability
Symantec Security Response | 03 Jan 2013 22:25:35 GMT | 0 comments


 

In our recent blogs about the latest Internet Explorer zero-day vulnerability, we explained what watering hole attacks are and referenced our research paper about the Elderwood Project. The paper highlights a string of watering hole attacks by the Elderwood group. After revisiting those previous attacks, we have been able to confirm that this latest Internet Explorer zero-day is a continuation of the Elderwood Project.
 

...

Read more
Internet Explorer Zero-Day Used in Watering Hole Attack: Q&A
Symantec Security Response | 31 Dec 2012 21:38:44 GMT | 0 comments

In a recent blog, Symantec reported on a new Internet Explorer zero-day being actively exploited in the wild. Microsoft has since released Security Advisory 2794220 which confirms the Microsoft Internet Explorer 'CDwnBindInfo' Use-After-Free Remote Code Execution Vulnerability (CVE-2012-4792) is a zero-day vulnerability which affects Internet Explorer 8, Internet Explorer 7, and Internet Explorer 6.

The following Q&A briefly outlines what is known about the watering hole attack, the Internet Explorer zero-day, and the protection Symantec has in place.
 

What is a watering hole attack?

A watering hole attack is a method of targeting sites which are likely to be visited by targets of...

Read more
New Internet Explorer Zero-Day Used In Watering Hole Attack
Symantec Security Response | 30 Dec 2012 00:27:55 GMT | 0 comments

 

We have received multiple reports of a new Internet Explorer zero-day vulnerability being exploited in the wild. Initial reports indicate that the website used in these attacks belong to a U.S. based think-tank organization. The site was believed to be compromised and used to serve up the zero day exploit as part of a watering hole style attacks as far back as December 21st.
 
A flash file named today.swf was used to trigger the vulnerability in Internet Explorer. The flash file is detected as Trojan.Swifi and protection has been in place for our customers since December 21st. Further details and analysis will be provided soon.
 
We have carried out in-depth research into watering hole style attacks dating back to 2009. That research and analysis is contained in a paper named...
Read more
Ransomware: Extorting Money by Panic and Pressure
Jeet Morparia | 25 Dec 2012 00:18:58 GMT | 0 comments

We have blogged in the past about Ransomware being a growing menace and that ONE SHOULD NOT PAY RANSOM if affected. Ransomware has now raised its ugly head up once again. Writers of Trojan.Ransomlock.G (a.k.a. Reveton) have updated their locking screen to induce panic and to blackmail the user into paying ransom.

Recently, blogger Kafeine found a ransomware sample which threatens to format and wipe all the documents on the compromised system if the user attempts to unlock the computer manually.
 

...

Read more
Syrian Unrest Spurs Phishing Spell
Mathew Maniyara | 20 Dec 2012 23:17:48 GMT | 0 comments

Contributor: Avdhoot Patil

Phishers are known for incorporating current events into their phishing sites and never leaving any stone unturned. They are now capitalizing on the civil war in Syria. In December 2012, a phishing site spoofing a popular social networking site claimed to have a torture video of a prisoner in the Syrian prison, State Security Branch Khatib. Phishers compromised a legitimate domain based in the United Arab Emirates to host the phishing site. The phishing pages were in Arabic.

The title of the phishing site translated to “Liberal torture in the State Security Branch Khatib”. The site warned that the video contained scenes of violence and asked users for their permission before proceeding. After permission had been granted, users were prompted to enter their login credentials. The login credentials were allegedly required to confirm that the user was over 18 years of age. After the login credentials had been entered, the...

Read more
Trojan.Stabuniq Found on Financial Institution Servers
Fred Gutierrez | 20 Dec 2012 21:33:27 GMT | 0 comments

Contributor: Alan Neville

Almost a year ago we added detection for a low prevalence Trojan found on servers belonging to financial institutions, including banking firms and credit unions. The Trojan also compromised home computer users and computers at security firms. For easier identification and tracking we recently renamed this threat to Trojan.Stabuniq.
 

Figure 1. Trojan.Stabuniq distribution by type
 

Approximately half of unique IP addresses found with Trojan.Stabuniq belong to home users. Another 11 percent belong to companies that deal with Internet security (due, perhaps, to these companies performing analysis of the...

Read more
Pikspam: An SMS Spam Botnet
Symantec Security Response | 20 Dec 2012 00:07:18 GMT | 0 comments

The recent discovery of an Android SMS spam botnet by Cloudmark, which is detected by Symantec as Android.Pikspam, has gained media attention. While delivering spam by botnets is nothing new, mobile technology has opened up new attack vectors to cybercriminals who are using the proven attack techniques of social engineering and spam with success on mobile devices.

The attack consists of SMS messages advertising free versions of popular games, or possibly to inform you that you have won a prize. Unsuspecting victims who receive the text messages and follow the link can download a Trojanized app from a third-...

Read more
Fraudulent Facebook 2013 Demo
Mathew Maniyara | 19 Dec 2012 18:35:45 GMT | 0 comments

Fake applications offered by phishing sites continue to appear. In December 2012, a fake app was seen that was titled, “Facebook 2013 demo”. Social networking users in India were most likely targeted in this phishing attack because the phishing URL consisted of certain words in Hindi. The phishing site was hosted on a free Web-hosting site.

The phishing site spoofed the login page of Facebook and the page contents were altered to promote the fake application. A message in the phishing page stated that users could use their existing Facebook accounts to access the application and that they did not need to create a new account. Of course, such a message was added to the phishing page because phishers wanted users to enter their primary login credentials. Towards the right hand side of the phishing page there were instructions on how to access the application. The poorly worded phishing page explained the instructions in three steps, along with a note. The first two...

Read more