Video Screencast Help

Security Response

Showing posts in English
Ross Gibb | 20 Aug 2013 23:50:30 GMT

ZeroAccess has always distributed its malicious payloads to infected computers using a peer-to-peer protocol. The use of a peer-to-peer protocol removes the need to maintain centralized command-and-control (C&C) servers to distribute malicious payloads. In 2011, ZeroAccess’ peer-to-peer protocol communicated over TCP, but in the second quarter of 2012 the protocol was modified to use UDP. This was the last significant update to the ZeroAccess peer-to-peer protocol until June 29, 2013.

Symantec has been closely monitoring the ZeroAccess peer-to-peer networks since its discovery. On June 29, 2013, we noticed a new module being distributed amongst ZeroAccess peers communicating on the UDP-based peer-to-peer network that operates on ports 16464 and 16465. ZeroAccess maintains a second UDP-based network that operates on ports 16470 and 16471. ZeroAccess peers communicate to...

Satnam Narang | 20 Aug 2013 18:42:39 GMT

Instagram, the popular photo and video sharing service acquired by Facebook, is often a target for spam and scams, some of which we have written about over the past year. This week, a friend shared an in-stream advertisement for a program called Instagram for PC on his Facebook timeline. This application claims to run Instagram in an emulator, so that PC users can access the service without a phone.
 

Instascam 1 edit.png

Figure 1. Instagram for PC website
 

When trying to download a copy of Instagram...

Christopher Mendes | 19 Aug 2013 19:36:42 GMT

Contributor: Sujay Kulkarni

image1_9.png

The Ashes Test cricket series, one of most popular Test series in cricket, is played between England and Australia. It is played alternately in England and Australia and is the oldest test rivalry between these two sides. Cricket fans are glued to the TV and their online devices to watch this riveting series.

In the current Ashes series England is leading 3-0 and is on the cusp of creating history against Australia—if they beat them hands down in the last test match, which now is a real possibility. However, what is making the rounds is not Scholes, Carrick, or Robin Van Persie, but Captain Cook and his elite squad waiting to steamroll Australia.

This...

Santiago Cortes | 14 Aug 2013 14:18:51 GMT

Contributor: Lionel Payet

Political news has always been one of the top topics used in targeted attacks. Last week we came across unique malicious emails targeting high-profile companies in Europe and Asia (in sectors such as finance, mining, telecom, and government). The payload is an updated version of a Java remote access tool (RAT) detected as Backdoor.Opsiness, also known as Frutas RAT.

Fig1_2.png

Figure 1. Frutas RAT logo

Frutas RAT is not new and has been around for quite some time now. Back in February we released a blog about this: Cross-Platform Frutas RAT Builder and Back Door.

The crafted emails used in...

Symantec Security Response | 13 Aug 2013 23:47:38 GMT

There’s been a lot of confusion over the last few days, since bitcoin.org announced that an Android component responsible for generating secure random numbers contained a critical weakness that rendered many Android bitcoin wallets vulnerable.

There are a number of different issues that seem to have come into play to make these bitcoin wallets vulnerable.

Bitcoin uses the ECDSA algorithm to ensure that funds can only be spent by their rightful owners. The algorithm requires a random number to compute an ECDSA signature, but if two different messages are signed with the same private key and the same random number, the private key can be derived. This is a known method of attacking the algorithm and was previously used to break the...

Symantec Security Response | 13 Aug 2013 19:39:41 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing eight bulletins covering a total of 23 vulnerabilities. 14 of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the July releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Aug

The following is a breakdown of the issues...

Yusuke Kudo | 13 Aug 2013 10:28:08 GMT

Recently, we observed an attack campaign using link files attached to emails in Japan. We have blogged about threats utilizing link files before and this type of attack is still alive and well.

The target of the link is disguised to make it look like it is linking to a text file, tricking the user into opening it, unaware that they are not opening a text file.

Link file example.png

Figure 1. Details of LNK file made to look like a link to a text file

Under more careful examination, by scrolling to the left of the text box, you can see the malicious scripts that will actually be executed if you open this link.

scrolled_link.png

Figure 2. ...

Candid Wueest | 09 Aug 2013 11:10:54 GMT

3D_Key_Printing.png

3D printers are fascinating devices that are becoming affordable and widely available.  Many people love to experiment with them, bringing innovation to many different fields. There are so many things that one can do with 3D printing, from controversial ideas like printing weapons to creating copies of security keys. And we’re not just talking about cheap plastic copies. Newer machines can sinter titanium and other materials to create extremely durable objects.

Last week, during the OHM2013 and DEFCON security conferences, two similar presentations on lock picking innovation took place. Both showcased how copies of physical keys could be created using a 3D printer. All that was needed...

Joji Hamada | 08 Aug 2013 23:16:45 GMT

It is not uncommon to see social media accounts, specifically Twitter accounts, directing users to malicious sites such as the ones hosting Android.Opfake, an issue we blogged about last year. Recently, we discovered that the accounts of innocent users were being compromised to tweet these types of malicious links to their followers.
 

Compromised Twitter 1-3.png

Figure 1. Malicious tweets from compromised accounts
 

The series of compromised accounts appears to have started around the beginning of July and has affected users globally. A broad range of accounts have been compromised for...

Christopher Mendes | 07 Aug 2013 08:17:13 GMT

It may sound strange, but one surefire sign that the economy is on the mend is an increase in stock spam. Yes, stock spam is a bellwether signal of an economic revival and if you want proof, check your email. Scattered in your bulk folder, you may find a myriad of such spam promising you ‘an opportunity of a life time.’ Rearing its ugly head every time there is a hint of an economic recovery, stock spam never misses an opportunity to try and con victims out of their hard-earned cash.

Over the years, stock spam has evolved, honing its method of psychologically hustling a victim into buying a particular stock that will ‘imminently’ be pumped up by some sort of syndicate. Stock spam creates an unwarranted urgency and promises a pot of gold at the end of it all.

Stock spam relies on a strategy called ‘pump and dump,’ where spammers create pseudo hysteria, beckoning victims to invest in penny or sub-penny stocks that would give...