Video Screencast Help
Security Response
Showing posts in English
PraveenSingh | 11 Mar 2014 18:52:34 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing five bulletins covering a total of 23 vulnerabilities. Nineteen of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the March releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14-mar

The following is a breakdown of the issues being addressed this...

Joji Hamada | 11 Mar 2014 15:22:59 GMT
A new spam campaign with an information-stealing malware attachment has been circulating since March 7, 2014. While spam emails are typically sent to many people, in this campaign, the spammer has limited their targets to administrators of online Japanese shopping sites.
 
The attacker may have targeted these recipients for various reasons. As most online stores provide contact details on their Web page, they become easy targets since their email addresses can be easily harvested by crawling sites. The attacker could also have targeted the recipients to get the companies’ account details in order to steal data maintained by the stores. The attacker may have also wanted to compromise the shopping sites in order to carry out further attacks against the store’s visitors.
 
The malware, detected as Infostealer.Ayufos, is a basic...
Dick O'Brien | 07 Mar 2014 19:24:20 GMT

Bitcoin Woes 1.png

Virtual currency Bitcoin has experienced some turbulent times in recent weeks as attackers focused their attention on a newly publicized weakness in Bitcoin’s software in an attempt to siphon off huge sums. The instability has already claimed the scalp of Mt Gox, which was once the world’s largest Bitcoin exchange and thousands of investors have lost their deposits.  The thefts caused the currency’s value to plunge but it has since recovered significantly, indicating that investors still have an appetite despite the risks. Nevertheless, this spate of incidents perfectly illustrates how attackers can swarm around a particular area once a weakness is found and attempt to pick it clean.

The first sign of trouble came on February 7, when Mt...

Kevin Savage | 05 Mar 2014 15:49:07 GMT

Ransomcrypt authors are not known to have a conscience, and until now have always left their victims with no way out, other than paying the extortion demand to decrypt their files. This seems to have changed somewhat with the arrival of Trojan.Ransomcrypt.G. While the authors of this malware are still total scammers, they seem to have some principles and offer to decrypt the victim’s files for free after a one month period, even  if the ransom has not been paid. While this behavior does not exonerate the actions of the malware authors, it does leave some light at the end of the tunnel for any unfortunate victims of this scam.   

OMG_Fig1.jpg

Figure 1. “how to get data.txt” snippet from ransom file left behind by Trojan.Ransomcrypt.G

Trojan....

Peter Coogan | 05 Mar 2014 14:24:53 GMT

Darwinism is partly based on the ability for change that increases an individual’s ability to compete and survive. Malware authors are not much different and need to adapt to survive in changing technological landscapes and marketplaces. In a previous blog, we highlighted a free Android remote administration tool (RAT) known as AndroRAT (Android.Dandro) and what was believed to be the first ever malware APK binder. Since then, we have seen imitations and evolutions of such threats in the threat landscape. One such threat that is making waves in underground forums is called Dendroid (Android.Dendoroid), which is also a word meaning something is tree-like or has a branching structure.

...

Symantec Security Response | 28 Feb 2014 07:29:50 GMT

While the Sochi Winter Olympics may now be over without incident, considering all of the media attention and fears surrounding a potential terrorist attack at the event, it should come as no surprise that cyberattackers were preying on these uncertainties to target potential victims of interest.

During the games, Symantec saw multiple targeted email campaigns that used Sochi Olympics themes to bait potential victims. These observed email campaigns were blocked by our Symantec.Cloud service. In one such campaign, we saw that targets were being sent the following email.

figure1_0.jpg

Figure 1. Email purporting to relate to a terrorist threat at the Sochi Olympics

In this campaign...

Lionel Payet | 27 Feb 2014 13:22:11 GMT
Java remote access Trojan (RAT) campaigns aren’t rare anymore. Their prevalence has increased in the past few years and they have continued to target both enterprises and individuals. The popularity of these campaigns isn’t surprising, as if an attacker successfully infects a victim’s computer with a RAT, then they could gain full control of the compromised computer. Along with this, these threats aren’t limited to one operating system, as in theory, they focus on any computer that runs Java. Attackers have easy access to Java RATs thanks to the fact that a handful of these RATs’ source code is being openly shared online
 
This month, we have observed a new spam campaign delivering a Java RAT known as JRAT, which started on February 13, 2014. The spam email’s sender claims that they have attached a payment certificate to the message and asks the user to confirm that they have received it. 
 
...
Dick O'Brien | 26 Feb 2014 09:57:19 GMT
3442719_-_mobile_device_grayware_concept.png
One of the most problematic areas in mobile security today is “grayware.” The dividing line between legitimate software and malware is not clearly drawn and grayware often occupies this murky middle ground. Grayware is applications that may not have any recognizable malware concealed within them but can nevertheless be in some way harmful or annoying to the user. For example, it might track their location, Web browsing habits or serve up unwanted ads. In many cases, grayware authors often maintain a veneer of legitimacy by outlining the application’s capabilities in the small print of the software license agreement. 
 
Grayware is not a new phenomenon and it first began to attract attention well over a decade ago when unwanted extras, such as spyware, were often packaged with free...
Symantec Security Response | 25 Feb 2014 17:47:20 GMT

Earlier this month we blogged about a new Internet Explorer 10 zero-day vulnerability that was targeted in a recent watering hole attack. The attackers took advantage of a previously undiscovered zero-day flaw known as the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322). At the time, the attackers delivered the exploit code for the zero-day vulnerability through compromised sites, intending to target a limited audience. Since then, we have continued to closely monitor attacks focusing on CVE-2014-0322. We’ve observed trends suggesting that attacks targeting this vulnerability are no longer confined to advanced persistent threats (APT) — the zero-day attacks are expanding to attack average Internet users as well. We refer to these attacks as drive-by downloads....

Candid Wueest | 25 Feb 2014 09:57:34 GMT
mwc_10years_tube_map_infographic.png
Figure. A brief history of mobile malware
 
2014 marks the tenth anniversary of mobile malware. It all began in 2004, when the first variant of SymbOS.Cabir was submitted to security researchers. The analysis revealed that this worm targeted Symbian OS, which was a very popular mobile operating system at the time. Infected phones would search for nearby Bluetooth devices that had activated discovery mode and then the worm would try to push itself onto them. The user had to manually accept the file transfer and also had to agree to the worm’s installation before the malware could infect the device. This limited the spread of the worm, as the victim had to be in close proximity to...