
Security Response

Joji Hamada | 21 Jan 2013 15:08:37 GMT | 0 comments

Android.Exprespam was discovered at the beginning of January and has only been around for about two weeks, but the scammers seem to be having a lot of success with the malware already. Symantec has acquired some data that has allowed us to get an idea of how successful Exprespam may be in scamming Android users into providing personal data. The data obtained, which is only a portion of the complete data, indicates that the fake market called Android Express’s Play has drawn well over 3,000 visits in a period of a week from January 13 to January 20.

Based on several sources*, I calculated that the scammers may have stolen between 75,000 and 450,000 pieces of personal information.

Figure 1. ...

Symantec Security Response | 16 Jan 2013 19:37:49 GMT | 0 comments

An advanced cyber-espionage network targeting high-profile organizations and governments has recently been unveiled. The main attack method being used in this campaign is spear phishing.

The spear phishing emails contain Word document or Excel spreadsheet attachments that exploit three known vulnerabilities in order to compromise computers. The vulnerabilities used are:

Mathew Maniyara | 15 Jan 2013 23:52:15 GMT | 0 comments

Contributor: Ayub Khan

Phishers treat special occasions as an opportunity to strike at end users, and Christmas has always been a favorite time for phishers to introduce new phishing baits. For this past Christmas, phishers created a phishing site pretending to be a popular payment system based in the USA. Phishers used a typosquatting domain hosted on servers based in the Netherlands.

The phishing site began by stating that the user had been chosen as the winner of a $400 cash prize. Users were told that ten winners were given the prize every year for Christmas. To receive the prize, visitors were prompted to enter the verification code they had received by email. The phishing site uses poor language; the misspelling “recieve” in the message is one example.
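The post says only that the phishers registered a typosquatting domain; it does not name the impersonated payment service or the domain used. The check below is an added example written for this page, not code from Symantec or the original post: it scores hostnames seen in mail against a constructed list of protected brands using homoglyph folding, edit distance, brand-in-label and brand-as-subdomain rules. The brand list, the homoglyph table and all sample hostnames are assumptions for illustration.

```python
"""Typosquat check for hostnames seen in phishing mail.

Added example for this page; not code from the Symantec post. The
protected-brand list and the sample hostnames are constructed for
illustration and are not the domains involved in the campaign.
"""

# Constructed list of legitimate registrable domains to protect (assumption).
PROTECTED = ["paypal.com", "example-pay.com"]

# Character sequences that look alike in common fonts. Applied longest-first
# so that "rn" folds to "m" before single characters are considered.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("5", "s")]


def fold(label):
    """Canonicalise a DNS label so visually similar spellings compare equal."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Plain edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def labels(host):
    return host.lower().strip(".").split(".")


def registrable(host):
    """Crude registrable domain: the last two labels. This ignores multi-part
    public suffixes such as co.uk; a real deployment would consult the PSL."""
    return ".".join(labels(host)[-2:])


def classify(host, protected=PROTECTED, max_distance=2):
    """Return (verdict, matched_brand, reason) for a hostname."""
    cand = registrable(host)
    if cand in protected:
        return "legitimate", cand, "exact match"
    cand_label = cand.split(".")[0]
    sub_labels = labels(host)[:-2]
    for legit in protected:
        legit_label = legit.split(".")[0]
        # brand.com.attacker.net: the brand appears only as a subdomain
        if legit_label in sub_labels:
            return "suspicious", legit, "brand used as subdomain"
        # paypa1.com: same label once look-alike characters are folded
        if fold(cand_label) == fold(legit_label):
            return "suspicious", legit, "homoglyph substitution"
        # secure-brand-login.net: brand name embedded in a longer label
        if legit_label in cand_label:
            return "suspicious", legit, "brand embedded in label"
        # payapl.com: a transposition or a missing/extra character
        dist = levenshtein(cand_label, legit_label)
        if dist <= max_distance:
            return "suspicious", legit, "edit distance %d" % dist
    return "unknown", None, None


if __name__ == "__main__":
    # Constructed sample hostnames, not domains taken from the post.
    for h in ["www.paypal.com", "paypa1.com", "payapl.com",
              "secure-paypal-login.net", "paypal.com.evil-host.net",
              "news.bbc.co.uk"]:
        print(h, "->", classify(h))
```

The edit-distance threshold is deliberately small: at distance 3 or more, short brand labels start matching unrelated words, and the registrable-domain split is a placeholder for a public suffix list lookup.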

...

Denis Carmody | 14 Jan 2013 22:53:52 GMT | 0 comments

Recently, we blogged about the file-infector virus known as W32.Virut and the botnet’s return to distributing new payloads. In the blog, we estimated that the Virut botnet currently consists of 308,000 unique Virut clients active in a single day. It was also noted that Virut had been observed distributing payloads with the functionality to send out email spam for advertisements and fraud as well as other malicious purposes.

During our further analysis of recent Virut samples, we observed the virus downloading a botnet variant named Waledac (also known as Kelihos), which Symantec detects as W32.Waledac.D. The ...

Joji Hamada | 14 Jan 2013 17:00:37 GMT | 0 comments

When Android.Exprespam was discovered earlier this month, we quickly posted a blog warning users about the malware and discussing the details of the attack. Word spread quickly as the media, as well as the local authorities, pushed the news out to a wide audience. It seems like the scammers thought the news had reached enough people and that it was time they updated the malware and the fake market in order to start their attack afresh with new content that people are not familiar with.

The new fake market is called ANDROID EXPRESS’s PLAY (ANDROID EXPRESSのPLAY in Japanese). According to the site, it is maintained by Gcogle.

...

Symantec Security Response | 13 Jan 2013 23:32:45 GMT | 0 comments

Security Response recently blogged about the Java zero-day that is active in the wild and being distributed by the Cool Exploit Kit. In addition to Cool Exploit Kit, we are aware that several other major exploit kits such as Blackhole, Redkit, and Impact are also equipped to exploit this unpatched vulnerability.

Symantec Security Response is currently detecting JAR files served up by the various exploit kits as Trojan.Maljava and we have further protection in place with Trojan.Maljava!gen26.

Additionally, Symantec has released the following IPS signatures to proactively block the malicious JAR files and associated exploit attempts:

  • ...
Symantec Security Response | 10 Jan 2013 19:04:53 GMT | 0 comments

The use of zero-day exploits in attacks has not been too far from the headlines of late. Today, Kafeine from Malware don't need Coffee has released a blog detailing yet another Java zero-day—Oracle Java Runtime Environment Unspecified Remote Code Execution Vulnerability (CVE-2013-0422)—active in the wild and distributed through the Cool Exploit Kit. The good news, however, for Symantec customers who use our intrusion prevention system (IPS) technology, is that Symantec proactively blocked the JAR file containing the exploit from the Cool Exploit Kit with IPS signature...

Satnam Narang | 09 Jan 2013 18:52:48 GMT | 0 comments

Contributor: Jeet Morparia

Online dating is big business. In 2012, 40 million people visited or used an online dating site in the United States. According to some statistics, the online dating industry is worth over $1 billion. Others say it is worth over $3 billion globally. The fact is that online dating is a lucrative industry, so it should come as no surprise that it is also on the radar for cybercriminals.

Figure 1. Downloader.Ponik spam campaign world map

One of the most recent malicious spam campaigns we...

Satnam Narang | 08 Jan 2013 18:07:10 GMT | 0 comments

Contributor: Jeet Morparia

As conflict in Syria continues, email attacks against various organizations throughout the Middle East and Europe have also been identified.

Figure 1. Sample email used in this campaign from “Free Dom” (Freedom)

The targeted organizations are extensive, from individuals at a public university, to hotels, oil companies, and government agencies.

Recipients of these emails are presented with text in Arabic. The email (Figure 1) claims to be an important message from Sheikh Adnan al-Aroor, a figure in opposition to the current Syrian government. The email includes a .zip file attachment, which contains a .lnk (shortcut) file.
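A .zip attachment whose payload is a Windows shortcut (.lnk) is the kind of thing a mail gateway can flag before a user ever double-clicks it. The inspector below is an added example written for this page, not code from Symantec or the campaign described: it walks the entries of a zip archive and reports shortcut files by extension, by double extension, and by the fixed Shell Link header (HeaderSize 0x4C plus the LinkCLSID 00021401-0000-0000-C000-000000000046 from MS-SHLLINK), so a .lnk renamed to look like a document is still caught. The archive, its file names and the suspicious-extension list are constructed for illustration and are not the attachment from the post.

```python
"""Flag archive attachments that carry Windows shortcut (.lnk) files.

Added example for this page; not code from the Symantec post. The zip
archive below is built in memory with invented file names so the check
runs offline.
"""
import io
import struct
import zipfile

# Every Shell Link file starts with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian GUID).
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex(
    "0114020000000000c000000000000046")

# Extensions a mail gateway would not expect inside a "document" archive
# (constructed list; tune to the environment).
SUSPICIOUS_EXT = (".lnk", ".exe", ".scr", ".js", ".vbs", ".hta")


def is_lnk(head):
    """True if the first bytes of a file are a Shell Link header."""
    return head[:len(LNK_MAGIC)] == LNK_MAGIC


def inspect_zip(data, max_entries=1000):
    """Return [(entry_name, [reasons])] for suspicious entries in a zip.

    max_entries bounds the work done on an archive with thousands of
    members; an archive that large is itself worth a look.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist()[:max_entries]:
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            reasons = []
            if lower.endswith(SUSPICIOUS_EXT):
                reasons.append("executable/script extension")
                # "message.doc.lnk": document-looking name before the real extension
                if lower.count(".") >= 2:
                    reasons.append("double extension")
            with archive.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if is_lnk(head):
                reasons.append("LNK header")
                if not lower.endswith(".lnk"):
                    reasons.append("LNK content under non-.lnk name")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip():
    """Constructed sample archive: one harmless text file and two LNK stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("message.txt", "plain text")
        archive.writestr("important_message.doc.lnk", LNK_MAGIC + b"\x00" * 16)
        # Extension says PDF, content says shortcut.
        archive.writestr("notes.pdf", LNK_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def build_benign_zip():
    """Constructed control archive with no shortcut or executable content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("report.txt", "quarterly numbers")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()):
        print("%s: %s" % (name, ", ".join(reasons)))
```

Header matching is what makes the check useful: the extension test alone is defeated by renaming the shortcut, while the twenty-byte Shell Link prefix is fixed by the file format and is present whatever the name says.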

In the past, we have...

Candid Wueest | 08 Jan 2013 17:24:26 GMT | 0 comments

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 12 vulnerabilities. Three of this month's issues are rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the January releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Jan

The following is a breakdown of the...