Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts in English
Waledac Gets Cozy with Virut
Denis Carmody | 14 Jan 2013 22:53:52 GMT

Recently, we blogged about the file-infector virus known as W32.Virut and the botnet’s return to distributing new payloads. In the blog, we estimated that the Virut botnet currently consists of 308,000 unique Virut clients active in a single day. It was also noted that Virut had been observed distributing payloads with the functionality to send out email spam for advertisements and fraud as well as other malicious purposes.

During our further analysis of recent Virut samples, we observed the virus downloading a botnet variant named Waledac (also know Kelihos), which Symantec detects as W32.Waledac.D. The ...

Read more
Android.Exprespam Authors Revamp Gcogle Play to Android Express’s Play
Joji Hamada | 14 Jan 2013 17:00:37 GMT

When Android.Exprespam was discovered earlier this month, we quickly posted a blog warning users about the malware and discussing the details of the attack. Word spread quickly as the media, as well as the local authorities, pushed the news out to a wide audience. It seems like the scammers thought the news had reached enough people and that it was time they updated the malware and the fake market in order to start their attack afresh with new content that people are not familiar with.

The new fake market is called ANDROID EXPRESS’s PLAY (ANDROID EXPRESSのPLAY in Japanese). According to the site, it is maintained by Gcogle.

...

Read more
Additional Protection for Recent Java Zero-Day
Symantec Security Response | 13 Jan 2013 23:32:45 GMT

Security Response recently blogged about the Java zero-day that is active in the wild and being distributed by the Cool Exploit Kit. In addition to Cool Exploit Kit, we are aware that several other major exploit kits such as Blackhole, Redkit, and Impact are also equipped to exploit this unpatched vulnerability.

Symantec Security Response is currently detecting JAR files served up by the various exploit kits as Trojan.Maljava and we have further protection in place with Trojan.Maljava!gen26.

Additionally, Symantec has released the following IPS signatures to proactively block the malicious JAR files and associated exploit attempts:

  • ...
Read more
Java Zero-Day Dished Up from Cool Exploit Kit
Symantec Security Response | 10 Jan 2013 19:04:53 GMT

The use of zero-day exploits in attacks has not been too far from the headlines of late. Today, Kafeine from Malware don't need Coffee has released a blog detailing yet another Java zero-day—Oracle Java Runtime Environment Unspecified Remote Code Execution Vulnerability (CVE-2013-0422)—active in the wild and distributed through the Cool Exploit pack. The good news, however, for Symantec customers who use our intrusion prevention signature (IPS) technology, is that Symantec proactively blocked the JAR file containing the exploit from the Cool Exploit Kit with IPS signature...

Read more
Downloader.Ponik Seeks Long Term Relationship
Satnam Narang | 09 Jan 2013 18:52:48 GMT

Contributor: Jeet Morparia

Online dating is big business. In 2012, 40 million people visited or used an online dating site in the United States. According to some statistics, the online dating industry is worth over $1 billion dollars. Others say it is worth over $3 billion globally. The fact is that online dating is a lucrative industry, so it should come as no surprise that it is also on the radar for cybercriminals.
 

Figure 1. Downloader.Ponik spam campaign world map
 

One of the most recent malicious spam campaigns we...

Read more
W32.Extrat: Syrian Conflict Used To Deliver Xtreme RAT
Satnam Narang | 08 Jan 2013 18:07:10 GMT

Contributor: Jeet Morparia
 

As conflict in Syria continues, email attacks against various organizations throughout the Middle East and Europe have also been identified.
 

Figure 1. Sample email used in this campaign from “Free Dom” (Freedom)
 

The targeted organizations are extensive, from individuals at a public university, to hotels, oil companies, and government agencies.

Recipients of these emails are presented with text in Arabic. The email (Figure 1) claims to be an important message from Sheikh Adnan al-Aroor, a figure in opposition to the current Syrian government. The email includes a .zip file attachment, which contains a .lnk (shortcut) file.

In the past, we have...

Read more
Microsoft Patch Tuesday - January 2013
Candid Wueest | 08 Jan 2013 17:24:26 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 12 vulnerabilities. Three of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the January releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Jan

The following is a breakdown of the...

Read more
Android.CoolPaperLeak—Million Download Baby
Lionel Payet | 08 Jan 2013 12:12:56 GMT

Contributor: Cathal Mullaney

While the use of erotic images to entice users to infect their computer with malware and security risks is nothing new, Symantec recently discovered three apps that pose a security risk (using this carrot and stick technique) available on Google Play that have accumulated between 500,000 and 1,500,000 downloads between them.

The apps in question, "Porn Sexy Models Wallpaper", "Porn Sexy Girls Live Wallpaper", and "Sexy Girls Ass Live Wallpaper", have since been removed from Google Play.

Figure 1. Screenshot of the security risks on Google Play

After a thorough investigation, we can confirm that all three apps (from the same developer) were not a modified version of a genuine and safe app, but were a risk from the beginning....

Read more
Snapshot of Virut Botnet After Interruption
Symantec Security Response | 07 Jan 2013 21:41:41 GMT

In the past, we have written about the file infector known as W32.Virut. We have even provided insight into trying to shut the botnet down. Due to a recent judicial proceeding causing a temporary outage of the Virut command-and-control (C&C) server domains, we were able to gather information on the size and demographics of the botnet by predicting and sinkholing the random domain generator backup. Unfortunately the outage was only temporary, and Virut continues to remain active.
 

Hardcoded servers and domain generation

Among the C&C servers used by W32.Virut, the domains irc.zief.pl and proxim.ircgalaxy.pl are used by the threat in order to receive instructions. However,...

Read more
Malware Authors Create Android.Exprespam After Prosecutors Drop Case
Joji Hamada | 07 Jan 2013 15:34:52 GMT

In October 2012, the Tokyo Metropolitan Police arrested a group of five individuals for their involvement in developing and distributing Android malware that collected personal data, but that did not deter at least one group of scammers from doing the same as they continued to lure Android device owners to their malware. The Tokyo District Public Prosecutors Office then dismissed the case in December last year because it was unable to find enough evidence to prove that the five suspects were committing a crime. The dismissal has now led to the creation of yet another Android malware targeting Japanese Android device owners.

Symantec has identified new malware, which we detect as Android.Exprespam that collects personal data, such as the device owner’s phone number as well as names and email addresses, stored in Contacts on the compromised device.  Like previously...

Read more