Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts in English
Chicken or Egg: Where Does W32.Changeup Come From?
Symantec Security Response | 04 Dec 2012 02:12:57 GMT | 0 comments

­Throughout history, philosophers and scientists have pondered the question of which came first: the chicken or the egg. Over the last week, Security Response has seen an increase in the number of W32.Changeup detections. We know that Changeup can download a bevy of other threats onto a compromised computer. But an unanswered question is how does W32.Changeup compromise a computer in the first place?

While other vend­­­­ors have indicated the latest round of Changeup has spread through social networking websites, Symantec Security Response has managed to identify one source of the worm.

In recent malicious spam claiming to contain a secure message from banking...

Read more
Android Malware Continues to Thrive in Japan
Joji Hamada | 03 Dec 2012 23:52:47 GMT | 0 comments

2012 will be remembered as the year in which Android malware spread widely in Japan and may also be known as the year when some of the developers of the malware escaped punishment for performing the malicious activities.

On October 30, the Tokyo Metropolitan Police arrested a group of five individuals for their involvement in developing and distributing Android.Dougalek. Their goal was to collect personal information stored on Android devices. Coincidently, the Kyoto Prefectural Police also arrested two men on the same day, and then two more at a later date, for the development and distribution of Android.Ackposts, which was also used to steal personal information. Symantec welcomes this news and applauds the police for their efforts.

Symantec was able to assist the Tokyo...

Read more
W32.Changeup – A Worm By Any Other Name
Symantec Security Response | 01 Dec 2012 01:19:03 GMT | 0 comments

Whether a Montague or a Capulet, it never mattered to Juliet, as she made the case in Shakespeare's “Romeo and Juliet” when she says one of her most famous lines, “What’s in a name? That which we call a rose by any other name would smell as sweet.”

Earlier this week, we wrote about the increase in detections of a threat named W32.Changeup. Other vendors have written about it as well. However, each security vendor’s naming conventions are different. For Symantec, we named the threat W32.Changeup when we first discovered it.

Sampling of vendor detection names for W32.Changeup:

  • Microsoft: Worm:Win32/Vobfus.MD
  • McAfee: W32/Autorun.worm.aaeh
  • Trend Micro: WORM_VOBFUS
  • Sophos: W32/VBNA-X
  • Kaspersky: Worm....
Read more
Ransomware: The Couch-Potato Vs The Backpacker
Lionel Payet | 30 Nov 2012 16:38:00 GMT | 0 comments

Comparing variants of the same malware family can sometimes uncover interesting results. Trojan.Ransomlock, the highly profitable and prevalent malware, is one of those cases. This threat was originally spotted in Russia in 2009 but since then has been highly active in the wider world, particularly in the past few months.

An in-depth analysis of this month's AV detection stats for the Trojan.Ransomlock family of threats reveals two top variants: Trojan.Ransomlock.T and Trojan.Ransomlock.G.

Figure 1. Trojan....

Read more
Crisis: The Advanced Malware
Takashi Katsuki | 30 Nov 2012 06:50:46 GMT | 0 comments

Over the past few months, we have blogged several times about OSX.Crisis and W32.Crisis. The Crisis malware is a highly advanced malware that has multiple infection vectors and a variety of information-stealing functions.

Figure 1. The Crisis infection routine

 

It targets Windows and Mac operating systems as well as devices running Windows Mobile. It can also sneak onto virtual machines if the compromised computer has a specific VMware virtual machine image installed on it and we believe that this is the first malware that can perform host-to-guest virtual machine infections.

Some...

Read more
Browser Add-ons Add Fraudulent Data
Mathew Maniyara | 29 Nov 2012 06:53:37 GMT | 0 comments

Contributor: Wahengbam RobinSingh

Phishers continue to devise diverse strategies to improve their chances of harvesting users’ confidential information. Symantec constantly monitors and keeps track of these phishing trends. In November 2012, Symantec observed a phishing site that loaded a malicious browser add-on. The malicious add-on, if installed, would lead users to phishing sites even when a legitimate website is entered in the address bar. Phishers utilized a typosquatting domain to host the phishing site and their primary motive in this strategy was financial gain. The phishing site spoofed a popular e-commerce website.

Figure 1. Browser prevents automatic installation of the malicious add-on

 

The phishing site detects the...

Read more
Instaspam 2: Electric Boogaloo
Satnam Narang | 28 Nov 2012 22:14:57 GMT | 0 comments

While death and taxes may be certainties in our lives, in the digital world—especially in social networking—one certainty is spam.

I recently wrote about gift card spam targeting the popular photo-sharing application Instagram. The service now has over 100 million users and it recently surpassed Twitter with more average daily visitors (Figure 1). As the number of users of Instagram continues to increase, we expect to see a corresponding increase in Instagram spam.

Figure 1. Instagram daily visitor growth
 

Cash Rules Everything Around Me (C.R.E.A.M.)

While gift cards work quite...

Read more
W32.Changeup – A Malicious Gift That Keeps On Giving
Satnam Narang | 27 Nov 2012 23:26:24 GMT | 0 comments

In mid-2009 W32.Changeup, a polymorphic worm written in Visual Basic, was first discovered on systems around the world. Over the last few years, we have profiled this threat, explained why it spreads, and shown how it was created.

In the last week there has been an increase in the number of W32.Changeup detections. The increase in detections is a result of an updated version of W32.Changeup now circulating in the wild:
 

Figure....

Read more
W32.Narilam – Business Database Sabotage
Symantec Security Response | 22 Nov 2012 10:39:05 GMT | 0 comments

In the last couple of years, we have seen highly sophisticated malware used to sabotage the business activities of chosen targets. We have seen malware such as W32.Stuxnet designed to tamper with industrial automation systems and other destructive examples such as W32.Disstrack and W32.Flamer, which can both wiped out data and files from hard disks. All of these threats can badly disrupt the activities of those affected.

Following along that theme, we recently came across an interesting threat that has another method of causing chaos, this time, by targeting and modifying corporate databases. We detect this threat as...

Read more
Malware Targeting Windows 8 Uses Google Docs
Takashi Katsuki | 16 Nov 2012 22:55:39 GMT | 0 comments

Initially, I thought that Backdoor.Makadocs was a simple and typical back door Trojan horse. It receives and executes commands from a command-and-control (C&C) server and it gathers information from the compromised computer including the host name and the operating system type. Interestingly, the malware author has also considered the possibility that the compromised computer could be running Windows 8 or Windows Server 2012.
 

Figure 1. Operating Systems check
 

Windows 8 was released in October of this year. This is not necessarily a surprise for security researchers as we always encounter new malware when new products are released. However, this malware does not...

Read more