Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts in English
Malware Attacks Targeting Hugo Chavez’s Death
Carlos Mejia | 08 Mar 2013 09:47:56 GMT

Rumors of Venezuelan President Hugo Chavez’s death were rampant on the news and Internet over the past month, and last Tuesday, the Venezuelan Vice President confirmed that Chavez died after a two year battle with cancer. Chavez’s death has triggered reactions worldwide, from world leaders to ordinary citizens, and everyone is talking about his ideas and actions as Venezuelan President. At the same speed as the news is spreading, cybercriminals are using this opportunity to send malicious links related to his death as well as hypothetical theories about the cause of his sickness and death.

All the links that we have seen contain malware. Some domains have been registered recently and others seem to have been hijacked.

Here is an example email used in these attacks:

The following URLs are the malicious links that we...

Read more
Phishers Target Myanmar with Wut Hmone Shwe Yee
Mathew Maniyara | 07 Mar 2013 00:51:04 GMT

Contributor: Avdhoot Patil

Phishers have already made their mark in Southeast Asia by targeting Indonesians. For the past couple of years, celebrities have been their key interest in the region. Aura Kasih and Ahmad Dhani are good examples. In March 2013, phishers turned their attention toward Myanmar by incorporating model and actress Wut Hmone Shwe Yee in a phishing site.

The phishing site spoofed a popular social networking site in order to ask for user login credentials. The phishing page was in Burmese. The background image contained a photograph of Yee from her recent modeling photo shoot. The phishing site stated that users can learn more about the model after logging into the social networking site. Phishers even...

Read more
Latest Java Zero-Day Shares Connections with Bit9 Security Incident
Symantec Security Response | 01 Mar 2013 16:13:08 GMT

Symantec recently received information on a new Java zero-day, Oracle Java Runtime Environment CVE-2013-1493 Remote Code Execution Vulnerability (CVE-2013-1493).  The final payload in the attack consisted of a DLL file, detected by Symantec as Trojan.Naid, which connects to a command-and-control (C&C) server at 110.173.55.187. 

Interestingly, a Trojan.Naid sample was also signed by the compromised Bit9 certificate discussed in the Bit9 security incident update and used in an attack on another party.  This sample also used the backchannel communication server IP address 110.173.55.187.   

The Trojan.Naid attackers have been extremely persistent and have shown their sophistication in multiple attacks.   Their...

Read more
Fake Antivirus Renewal Email Rises from the Dead
Symantec Security Response | 01 Mar 2013 09:53:26 GMT

Over the last few years, many reports, white papers, and blogs have been released detailing targeted attacks. For example, some attacks employ sophisticated infection methods, such as watering hole attacks, and some rely on exploit code hidden in document files mixed with social engineering schemes. Some time ago, when the malware world was still dominated by mass-mailing worms that used fake emails as the infection method, one of the schemes was a fraudulent license renewal notification from well-known antivirus vendors.

Some may think that this scheme had become extinct but we saw evidence recently that it is still alive and kicking when an email was sent to an electric power company and a major industrial company in Japan.

Figure 1. Fake antivirus...

Read more
Fake Adobe Flash Update Installs Ransomware, Performs Click Fraud
Val S | 27 Feb 2013 17:07:42 GMT

Adobe Flash is one of the most widely distributed products on the Internet. Because of its popularity and global install base, it is often a target of cybercriminals. Cybercriminals are using social engineering methods to distribute their malware through fake Flash update sites, often compelling unsuspecting users, who may be in need of a software update, to unknowingly install malware.

Recently, we came across the following site masquerading itself as an Adobe Flash Player update page:

http://16.a[REMOVED]rks.com/adobe/
 

Figure 1. Fake Adobe Flash update page
 

The attacker has created what appears to be a rather convincing landing page; however, there are a few inconsistencies. Most of the links resolve back to the attacking domain and all of the links within...

Read more
As Russians Ready for Fatherland Day, Spammers Take Advantage
Evan liu | 27 Feb 2013 05:20:56 GMT

Major events and holidays have always been a time for celebrations. Unfortunately, it also attracts unscrupulous spammers searching to make a quick offer. Symantec observes that spam email usually spikes in conjunction with these holidays.

One such occasion is Defender of the Fatherland Day observed on February 23, which is a Russian holiday in countries of the former Soviet Union, such as Belarus and Tajikistan. Aside from parades and processions in honor of veterans, it is also customary for women to give small presents to men in their lives, such as fathers, husbands, and co-workers. Consequently, the holiday is often referred to as Men's Day.

As such, most spam emails revolve around souvenirs, small gifts, and even men’s medicine such as Viagra. Below is an example of some of these emails:

Subject: Волшебные подарки на 23 февраля
Translation: Magical gifts for February 23

...

Read more
Stuxnet 0.5: The Missing Link
Symantec Security Response | 26 Feb 2013 17:40:00 GMT

In July 2010, Stuxnet, one of the most sophisticated pieces of malware ever written, was discovered in the wild. This complex malware took many months to analyze and the eventual payload significantly raised the bar in terms of cyber threat capability. Stuxnet proved that malicious programs executing in the cyber world could successfully impact critical national infrastructure. The earliest known variant of Stuxnet was version 1.001 created in 2009. That is, until now.

Symantec Security Response has recently analyzed a sample of Stuxnet that predates version 1.001. Analysis of this code reveals the latest discovery to be version 0.5 and that it was in operation between 2007 and 2009 with indications that it, or even earlier variants of it, were in operation as early as 2005.

Key discoveries found while analyzing Stuxnet 0.5:

  • Oldest variant of Stuxnet ever found...
Read more
Stuxnet 0.5: Disrupting Uranium Processing at Natanz
Symantec Security Response | 26 Feb 2013 17:40:00 GMT

When Symantec first disclosed details about how Stuxnet affected the programmable logic controllers (PLCs) used for uranium enrichment in Natanz, Iran, we documented two attack strategies. We also noted that the one targeting 417 PLC devices was disabled. We have now obtained an earlier version of Stuxnet that contains the fully operational 417 PLC device attack code.

After painstaking analysis, we can now confirm that the 417 PLC device attack code modifies the state of the valves used to feed UF6 (uranium hexafluoride gas) into the uranium enrichment centrifuges. The attack essentially closes the valves causing disruption to the flow and possibly destruction of the centrifuges and related systems. In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values...

Read more
Stuxnet 0.5: How It Evolved
Symantec Security Response | 26 Feb 2013 17:40:00 GMT

Introduction

Stuxnet stores a version number within its code. Analysis of this code reveals the latest discovery to be version 0.5. Based on website domain registration details, Stuxnet 0.5 may have been in operation as early as 2005. The exact date this version began circulating in the wild is unclear. What is known is that the date this early variant stopped compromising computers was July 4, 2009—just 12 days after version 1 was created.
 

Table 1. Known Stuxnet variants, based on main module PE timestamps
 

This blog focuses on the Stuxnet timeline, how Stuxnet 0.5 fits into the attack timeline, and its evolution to Stuxnet version 1.
 

Evolution

Stuxnet 0.5 is...

Read more
Stuxnet 0.5: Command-and-Control Capabilities
Symantec Security Response | 26 Feb 2013 17:40:00 GMT

Similar to Stuxnet 1.x versions, Stuxnet 0.5 has limited command-and-control (C&C) ability. In particular, Stuxnet 0.5 does not provide fine-grained control to its authors. Instead, Stuxnet 0.5 can only download new code and update itself. Stuxnet needs to spread on isolated networks and therefore has been designed to be autonomous, reducing the need to have robust and fine-grained C&C ability. Stuxnet 0.5 also uses a secondary peer-to-peer mechanism in order to propagate code updates to peers on networks inaccessible to the broader Internet.

Stuxnet 0.5 has four C&C servers, all of which are now either unavailable or have since been registered by an unrelated party.

Interestingly, Stuxnet 0.5 is programmed to stop contacting the C&C server after January 11, 2009, even though the threat is programmed to stop spreading several months later after July 4, 2009.

The C&C server domains were created in 2005 and all displayed the same front page...

Read more