Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Dick O'Brien | 07 Mar 2014 19:24:20 GMT

Bitcoin Woes 1.png

Virtual currency Bitcoin has experienced some turbulent times in recent weeks as attackers focused their attention on a newly publicized weakness in Bitcoin’s software in an attempt to siphon off huge sums. The instability has already claimed the scalp of Mt Gox, which was once the world’s largest Bitcoin exchange and thousands of investors have lost their deposits.  The thefts caused the currency’s value to plunge but it has since recovered significantly, indicating that investors still have an appetite despite the risks. Nevertheless, this spate of incidents perfectly illustrates how attackers can swarm around a particular area once a weakness is found and attempt to pick it clean.

The first sign of trouble came on February 7, when Mt...

Kevin Savage | 05 Mar 2014 15:49:07 GMT

Ransomcrypt authors are not known to have a conscience, and until now have always left their victims with no way out, other than paying the extortion demand to decrypt their files. This seems to have changed somewhat with the arrival of Trojan.Ransomcrypt.G. While the authors of this malware are still total scammers, they seem to have some principles and offer to decrypt the victim’s files for free after a one month period, even  if the ransom has not been paid. While this behavior does not exonerate the actions of the malware authors, it does leave some light at the end of the tunnel for any unfortunate victims of this scam.   


Figure 1. “how to get data.txt” snippet from ransom file left behind by Trojan.Ransomcrypt.G


Peter Coogan | 05 Mar 2014 14:24:53 GMT

Darwinism is partly based on the ability for change that increases an individual’s ability to compete and survive. Malware authors are not much different and need to adapt to survive in changing technological landscapes and marketplaces. In a previous blog, we highlighted a free Android remote administration tool (RAT) known as AndroRAT (Android.Dandro) and what was believed to be the first ever malware APK binder. Since then, we have seen imitations and evolutions of such threats in the threat landscape. One such threat that is making waves in underground forums is called Dendroid (Android.Dendoroid), which is also a word meaning something is tree-like or has a branching structure.


Symantec Security Response | 28 Feb 2014 07:29:50 GMT

While the Sochi Winter Olympics may now be over without incident, considering all of the media attention and fears surrounding a potential terrorist attack at the event, it should come as no surprise that cyberattackers were preying on these uncertainties to target potential victims of interest.

During the games, Symantec saw multiple targeted email campaigns that used Sochi Olympics themes to bait potential victims. These observed email campaigns were blocked by our Symantec.Cloud service. In one such campaign, we saw that targets were being sent the following email.


Figure 1. Email purporting to relate to a terrorist threat at the Sochi Olympics

In this campaign...

Lionel Payet | 27 Feb 2014 13:22:11 GMT
Java remote access Trojan (RAT) campaigns aren’t rare anymore. Their prevalence has increased in the past few years and they have continued to target both enterprises and individuals. The popularity of these campaigns isn’t surprising, as if an attacker successfully infects a victim’s computer with a RAT, then they could gain full control of the compromised computer. Along with this, these threats aren’t limited to one operating system, as in theory, they focus on any computer that runs Java. Attackers have easy access to Java RATs thanks to the fact that a handful of these RATs’ source code is being openly shared online
This month, we have observed a new spam campaign delivering a Java RAT known as JRAT, which started on February 13, 2014. The spam email’s sender claims that they have attached a payment certificate to the message and asks the user to confirm that they have received it. 
Dick O'Brien | 26 Feb 2014 09:57:19 GMT
One of the most problematic areas in mobile security today is “grayware.” The dividing line between legitimate software and malware is not clearly drawn and grayware often occupies this murky middle ground. Grayware is applications that may not have any recognizable malware concealed within them but can nevertheless be in some way harmful or annoying to the user. For example, it might track their location, Web browsing habits or serve up unwanted ads. In many cases, grayware authors often maintain a veneer of legitimacy by outlining the application’s capabilities in the small print of the software license agreement. 
Grayware is not a new phenomenon and it first began to attract attention well over a decade ago when unwanted extras, such as spyware, were often packaged with free...
Symantec Security Response | 25 Feb 2014 17:47:20 GMT

Earlier this month we blogged about a new Internet Explorer 10 zero-day vulnerability that was targeted in a recent watering hole attack. The attackers took advantage of a previously undiscovered zero-day flaw known as the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322). At the time, the attackers delivered the exploit code for the zero-day vulnerability through compromised sites, intending to target a limited audience. Since then, we have continued to closely monitor attacks focusing on CVE-2014-0322. We’ve observed trends suggesting that attacks targeting this vulnerability are no longer confined to advanced persistent threats (APT) — the zero-day attacks are expanding to attack average Internet users as well. We refer to these attacks as drive-by downloads....

Candid Wueest | 25 Feb 2014 09:57:34 GMT
Figure. A brief history of mobile malware
2014 marks the tenth anniversary of mobile malware. It all began in 2004, when the first variant of SymbOS.Cabir was submitted to security researchers. The analysis revealed that this worm targeted Symbian OS, which was a very popular mobile operating system at the time. Infected phones would search for nearby Bluetooth devices that had activated discovery mode and then the worm would try to push itself onto them. The user had to manually accept the file transfer and also had to agree to the worm’s installation before the malware could infect the device. This limited the spread of the worm, as the victim had to be in close proximity to...
Laura O'Brien | 24 Feb 2014 01:22:26 GMT


Mobile World Congress is set to take place this year between February 24 and 27. The event promises to showcase smartphone and tablet innovations that will become a reality over the next 12 months. However, as mobile manufacturers and app developers have upped their game each year, so too have malware authors. Symantec discovered an average of 272 new malware variants and five new malware families per month targeting the Android mobile operating system in 2013. These threats have taken aim at mobile devices in several ways, such as by attempting to steal personal and financial information, track users, send premium rate SMS messages, and display intrusive adware. We have seen some notable threats that could pave the way for what’s next in mobile malware:

More aggressive financial Android threats
Consumers have been increasingly turning to their...

Symantec Security Response | 21 Feb 2014 23:01:00 GMT

Watering hole attacks using zero-day vulnerabilities are becoming more common. Last week we announced an Internet Explorer 10 zero-day being used in a watering hole attack and today, just one week later we have an Adobe Flash zero-day, Adobe Flash Player and AIR CVE-2014-0502 Remote Code Execution Vulnerability (CVE-2014-0502), also being used in a watering hole attack. This new attack has been dubbed “Operation GreedyWonk” in various media and is reported to be targeting the websites of three non-profit institutions. Symantec telemetry shows even more sites being targeted in this watering hole attack using this new zero-day.


Figure 1....