
Security Response

Christopher Mendes | 19 Aug 2013 19:36:42 GMT

Contributor: Sujay Kulkarni

The Ashes Test cricket series, one of the most popular Test series in cricket, is played between England and Australia. It is played alternately in England and Australia and is the oldest Test rivalry between these two sides. Cricket fans are glued to the TV and their online devices to watch this riveting series.

In the current Ashes series England is leading 3-0 and is on the cusp of creating history against Australia—if they beat them hands down in the last test match, which now is a real possibility. However, what is making the rounds is not Scholes, Carrick, or Robin Van Persie, but Captain Cook and his elite squad waiting to steamroll Australia.


Santiago Cortes | 14 Aug 2013 14:18:51 GMT

Contributor: Lionel Payet

Political news has always been one of the top topics used in targeted attacks. Last week we came across unique malicious emails targeting high-profile companies in Europe and Asia (in sectors such as finance, mining, telecom, and government). The payload is an updated version of a Java remote access tool (RAT) detected as Backdoor.Opsiness, also known as Frutas RAT.


Figure 1. Frutas RAT logo

Frutas RAT is not new and has been around for quite some time now. Back in February we released a blog about this: Cross-Platform Frutas RAT Builder and Back Door.

The crafted emails used in...

Symantec Security Response | 13 Aug 2013 23:47:38 GMT

There’s been a lot of confusion over the last few days, since announced that an Android component responsible for generating secure random numbers contained a critical weakness that rendered many Android bitcoin wallets vulnerable.

There are a number of different issues that seem to have come into play to make these bitcoin wallets vulnerable.

Bitcoin uses the ECDSA algorithm to ensure that funds can only be spent by their rightful owners. The algorithm requires a random number to compute an ECDSA signature, but if two different messages are signed with the same private key and the same random number, the private key can be derived. This is a known method of attacking the algorithm and was previously used to break the...

Symantec Security Response | 13 Aug 2013 19:39:41 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing eight bulletins covering a total of 23 vulnerabilities. Fourteen of this month's issues are rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the July releases can be found here:

The following is a breakdown of the issues...

Yusuke Kudo | 13 Aug 2013 10:28:08 GMT

Recently, we observed an attack campaign using link files attached to emails in Japan. We have blogged about threats utilizing link files before and this type of attack is still alive and well.

The target of the link is disguised to make it look like it is linking to a text file, tricking the user into opening it, unaware that they are not opening a text file.


Figure 1. Details of LNK file made to look like a link to a text file

Under more careful examination, by scrolling to the left of the text box, you can see the malicious scripts that will actually be executed if you open this link.


Figure 2. ...

Candid Wueest | 09 Aug 2013 11:10:54 GMT

3D printers are fascinating devices that are becoming affordable and widely available. Many people love to experiment with them, bringing innovation to many different fields. There are so many things that one can do with 3D printing, from controversial ideas like printing weapons to creating copies of security keys. And we’re not just talking about cheap plastic copies. Newer machines can sinter titanium and other materials to create extremely durable objects.

Last week, during the OHM2013 and DEFCON security conferences, two similar presentations on lock picking innovation took place. Both showcased how copies of physical keys could be created using a 3D printer. All that was needed...

Joji Hamada | 08 Aug 2013 23:16:45 GMT

It is not uncommon to see social media accounts, specifically Twitter accounts, directing users to malicious sites such as the ones hosting Android.Opfake, an issue we blogged about last year. Recently, we discovered that the accounts of innocent users were being compromised to tweet these types of malicious links to their followers.


Figure 1. Malicious tweets from compromised accounts

The series of compromised accounts appears to have started around the beginning of July and has affected users globally. A broad range of accounts have been compromised for...

Christopher Mendes | 07 Aug 2013 08:17:13 GMT

It may sound strange, but one surefire sign that the economy is on the mend is an increase in stock spam. Yes, stock spam is a bellwether signal of an economic revival and if you want proof, check your email. Scattered in your bulk folder, you may find a myriad of such spam promising you ‘an opportunity of a lifetime.’ Rearing its ugly head every time there is a hint of an economic recovery, stock spam never misses an opportunity to try and con victims out of their hard-earned cash.

Over the years, stock spam has evolved, honing its method of psychologically hustling a victim into buying a particular stock that will ‘imminently’ be pumped up by some sort of syndicate. Stock spam creates an unwarranted urgency and promises a pot of gold at the end of it all.

Stock spam relies on a strategy called ‘pump and dump,’ where spammers create pseudo hysteria, beckoning victims to invest in penny or sub-penny stocks that would give...

Symantec Security Response | 06 Aug 2013 09:16:52 GMT

On August 4, websites hosted by Freedom Hosting, a service provider that offers anonymous hosting through the Tor network, began to host malicious scripts. This follows media reports from August 3 about US authorities seeking the extradition of the man believed to be the head of Freedom Hosting.

The scripts that were found take advantage of a Firefox vulnerability that was already fixed in Firefox 22 and Firefox ESR 17.0.7. It is thought that this vulnerability was chosen because the Tor Browser Bundle (TBB) is based on Firefox ESR 17. Symantec detects these scripts as...

Hon Lau | 31 Jul 2013 13:51:24 GMT

Companies in our field of business have long wished for a better way of discovering and describing malware capabilities than the current system. Such a system would be of great benefit to everyone who has to deal with malware and the damage it can cause. While there is currently a whole spectrum of techniques used to discover the functionality of malware, ranging from the most basic to the more advanced, most fall short because they don’t describe the malware in a very complete way.

Many either rely on manual decomposition and analysis or may run samples in physical or virtual machine (VM) environments, then record changes made to the system and report them as side effects of the malware. Each method has its own benefits and drawbacks. Manual analysis is a slow and cumbersome task and prone to human error. Automated side effects...