
Security Response

Takashi Katsuki | 23 Oct 2012 06:18:26 GMT | 0 comments

Last week we reported on a particular piece of malware—detected as Backdoor.Rabasheeta—that is making a stir in the Japanese media. There are hundreds, if not thousands, of pieces of back door malware, but in the last week Japanese media and social networks have been full of discussions about this particular malware. Symantec has discovered the dropper.

Dropper

Figure 1. Dropper and its contents

A dropper is a Trojan horse that installs a payload onto the compromised computer. The dropper for Backdoor.Rabasheeta drops a main...

Eric Park | 19 Oct 2012 17:01:26 GMT | 0 comments

Symantec is observing an increase in spam messages containing .gov URLs. A screenshot of a sample message is below:

Traditionally, .gov URLs have been restricted to government entities. This brings up the question of how spammers are using .gov URLs in spam messages.

The answer is on this webpage:

1.USA.gov is the result of a collaboration between USA.gov and bitly.com, the popular URL shortening service. Now, whenever anyone uses bitly to shorten a URL that ends in .gov or .mil, they will receive a short, trustworthy 1.usa.gov URL in return.

While this feature has legitimate uses for government agencies and employees, it has also opened a door for...

Peter Coogan | 15 Oct 2012 20:58:12 GMT | 0 comments

Last year Symantec reported on the use of the Windows Help File (.hlp) extension as an attack vector in targeted attacks. Symantec telemetry is now increasingly seeing this attack vector being used in targeted attacks against industry and government sectors. The nefarious WinHelp files being used in these targeted attacks are detected by Symantec as Bloodhound.HLP.1 and Bloodhound.HLP.2.

Figure 1. Zip file attachment with malicious ....

Symantec Security Response | 15 Oct 2012 15:37:48 GMT | 0 comments

In our joint analysis of a W32.Flamer command-and-control (C&C) server, as documented here, we described several C&C server protocols present in code on the server. One of those protocols we knew was associated with W32.Flamer. The remaining protocols had not previously been observed in the wild, and no samples that used them had been retrieved.

Figure 1. Protocols present on W32.Flamer C&C server

The samples appear to have remained unobserved for so long because of their highly targeted nature; however, one more of those protocols has been identified and found to...

Joji Hamada | 11 Oct 2012 05:28:10 GMT | 0 comments

News broke over the weekend in Japan that police had arrested three people over the past few months in relation to death threats posted on bulletin boards and sent through email. However, it was also reported that the suspects were subsequently released without charge after a particular malware infection, believed to have been used to make the threats, was discovered on all of the suspects’ computers. Examples of the threats include a posting to a government website stating that the person posting the threat will commit mass murder in a popular shopping area; a posting to an Internet forum saying that he/she will blow up a famous shrine; an email sent to an airline company threatening to use a bomb to destroy an aircraft; and an email threatening the kindergarten attended by a child of the royal family. Police are currently investigating the connection between the threats and the malware.

From our analysis, we have confirmed that the malware is...

Fred Gutierrez | 10 Oct 2012 23:40:19 GMT | 0 comments

From time to time during the course of our work, we may discover a novel piece of malware. Whether it is a new technique for infecting files, infecting virtual machines, or targeting specific documents, the possibilities are limited only by a malware author’s imagination.

Such is the case with JS.Proslikefan. While malware can be created using JavaScript or VBScript, it is usually only a few kilobytes in size after it is unpacked. In comparison, JS.Proslikefan weighs in at a whopping 130 kilobytes after it unpacks itself. The upper layers used custom obfuscation as well as the publicly available Dean Edwards JavaScript packer. Figure 1 shows the bottom unpacked layer of the threat.

...

Kevin Savage | 10 Oct 2012 22:43:16 GMT | 0 comments

An ongoing social engineering attack on Skype and other instant messaging applications has been gathering momentum over the last week. The attack, which looks to have started around September 29, has to date conned over 2.5 million clicks from unsuspecting users. The attack uses the common social engineering tactic of posting a link to instant messaging applications for a potential victim to follow. The following scenario outlines the steps in the attack:

Figure 1. Social engineering attack scenario

When the victim clicks on the goo.gl link they are redirected to a URL on Hotfile.com. The Hotfile.com site prompts the victim to download a .zip file which contains the malware...

Candid Wueest | 09 Oct 2012 17:55:37 GMT | 0 comments

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 20 vulnerabilities. One of this month's issues is rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the October releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms12-Oct

The following is a breakdown of the issues...

Joseph Bingham | 08 Oct 2012 14:52:28 GMT | 0 comments

For the past three months we have been investigating a Russian attacker serving malware to hundreds of thousands of users per year. The malware is Backdoor.Proxybox, and our investigation has revealed an entire black hat operation, giving us interesting information on the operation and size of this botnet, and leading us to information that may identify the actual malware author.

Proxy services are nothing new. They are used to provide access to geographically locked content or to relay traffic for anonymity. The proxy reseller at proxybox.name sells access to proxy servers across the globe. From their front-end website, it appears as if they are a legitimate Russian proxy service, providing access to their entire list of thousands of proxies for only $40 a month. How can they provide access to so many servers for so little cash?

...

Mathew Maniyara | 28 Sep 2012 14:48:20 GMT | 0 comments

Contributor: Avdhoot Patil

Phishers have recently taken a keen interest in football. After the scam based on the 2014 FIFA World Cup, they have set their sights on footballer Lionel Messi. In September 2012, Symantec observed the use of various social-networking themes in phishing. A number of these themes featured Lionel Messi. The phishing sites were hosted on free web-hosting sites.

In the first example, the background image of the phishing site was of Lionel Messi and the theme promoted football club Barcelona FC. The legitimate social-networking site in question, on the other hand, does not offer users any such theme. End users were prompted to log in in order to gain access to Messi’s social networking page. Of course, this is only a ploy; users gain nothing from a phishing site. After the login credentials are entered, the phishing site redirected to the...