Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts for November of 2014
Showing posts in English
Peter Coogan | 25 Nov 2014 12:26:43 GMT

Small-scale mobile app software entrepreneurship has been described as the cottage industry of the 21st century. It allows talented software developers to apply their skills to create new and innovative mobile apps, with the hope of becoming the next big thing and, perhaps, even attaining the trappings of wealth associated with success. However, with over 1 million apps available for download on the Google Play Store, for every success story there are countless apps that fail to deliver.

While I was researching a new Android remote administration tool (RAT) known as DroidJack (detected by Symantec as Android.Sandorat), it soon became apparent that its authors had actually started off as Android app developers. In their own words, they were “budding entrepreneurs trying to develop and apply skills that we have gained.” With limited success of their legitimate app on the Google Play...

Symantec Security Response | 23 Nov 2014 16:58:23 GMT

Code_tunnel_concept.png

 

An advanced piece of malware, known as Regin, has been used in systematic spying campaigns against a range of international targets since at least 2008. A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.

It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a...

Symantec Security Response | 20 Nov 2014 17:14:00 GMT | 0 comments

As Americans gear up for another holiday shopping season, the threat posed by point-of-sale malware remains high. More than a year after the discovery of the first major attacks against POS networks, many US retailers are still vulnerable to this type of attack and are likely to remain so until the complete transition to more secure payment card technologies in 2015. 

While some retailers have enhanced security by implementing encryption on their POS terminals, others have not and retailers will continue to be a low-hanging fruit for some time. While the introduction of new technologies will help stem the flow of attacks, it will not eliminate fraud completely and attackers have a track record of adapting their methods. 

Point-of-sale malware is now one of the biggest sources of stolen payment cards for cybercriminals. Although it hit the headlines over the past year, the POS malware threat has been slowly germinating since 2005 and the retail industry...

Symantec Security Response | 13 Nov 2014 23:44:03 GMT

g20-concept-image.jpg

Each year, as world leaders come together to discuss a variety of global economic issues at the G20 summit, organizations with a vested interest in the event are the recipients of malicious emails from threat actors.

This year, the summit will be held in Brisbane, Australia on November 15 and 16 and a specific attack group, which we call Flea, has been circulating malicious emails throughout 2014 in anticipation of the event. Targets include an international economic organization as well as a group connected to multiple monetary authorities. Once the attackers have compromised their target’s computers, they identify and steal valuable information from them.

Who is the Flea attack group?
The Flea attackers have been active since at least 2010 when they sent a decoy document to target those...

Kevin Haley | 13 Nov 2014 09:56:12 GMT

events-2014-concept-600x315-socialmedia.jpg

With such an array of security incidents in 2014—from large-scale data breaches to vulnerabilities in the very foundation of the web—it’s difficult to know which to prioritize. Which developments were merely interesting and which speak of larger trends in the online security space? Which threats are remnants from the past and which are the indications for what the future holds?

The following are four of the most important developments in the online security arena over the past year, what we learned (or should have learned) from them, and what they portend for the coming year.

The discovery of the Heartbleed and ShellShock/Bash Bug vulnerabilities
In spring 2014, the Heartbleed vulnerability was discovered....

Symantec Security Response | 13 Nov 2014 05:49:55 GMT

JustSystems has issued an update to its Ichitaro product line (Japanese office suite software), plugging a zero-day vulnerability. The Multiple Ichitaro Products Unspecified Remote Code Execution Vulnerability (CVE-2014-7247) is being actively exploited in the wild to specifically target Japanese organizations.

The exploit is sent to the targeted organizations through emails with a malicious Ichitaro document file attached, which Symantec products detect as Exp.CVE-2014-7247. Payloads from the exploit may include Backdoor.Emdivi, Backdoor.Korplug, and...

PraveenSingh | 11 Nov 2014 23:14:08 GMT

ms-tuesday-patch-key-concept-white-light 2_0.png

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing fourteen bulletins covering a total of 33 vulnerabilities. Fourteen of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required...
Liam O Murchu | 11 Nov 2014 08:00:14 GMT

Today, Kim Zetter released her book, “Countdown to Zero Day”. The book recounts the story of Stuxnet’s attempt to sabotage Iran’s uranium enrichment program. The work that Eric Chien, Nicolas Falliere, and I carried out is featured in the book. During the process of writing the book, Kim interviewed us on many occasions and we were lucky enough to be able to review an advanced copy.

countdowncover.png
Figure 1. Kim Zetter’s new book, “Countdown to Zero Day”

In chapter 17 of the book, “The Mystery of the Centrifuges”, Kim talks about how Stuxnet infections began in Iran, identifying several companies where she believes the infections originated.

“To get their weapon into the plant, the attackers launched an offensive against four companies. All of the companies were involved in industrial control processing of some sort, either manufacturing products or...

Lionel Payet | 07 Nov 2014 18:40:02 GMT

Ransomlock 1.jpg

What’s true for businesses is also true for scams and malware−to remain successful, they must evolve and adapt. Sometimes, ideas or methods are borrowed from one business model and used in another to create an amalgamation. After all, some of the best creations have come about this way; out of ice-cream and yogurt was born delicious frogurt, and any reputable hunter of the undead will tell you the endless benefits of owning a sledge saw. Cybercriminals responsible for malware and various scams also want their “businesses” to remain successful and every now and again, they too borrow ideas from each other. We recently came across an example of this when we discovered a technical support phone scam that uses a new ransomware...

Symantec Security Response | 06 Nov 2014 21:01:30 GMT

wirelurker-connect2-re-edit_0.jpg

Symantec Security Response is currently investigating OSX.Wirelurker, a threat that targets Apple computers running Mac OS X and Apple devices running iOS. WireLurker can be used to steal information from compromised iOS devices.

app_store_wirelurker-resize.png
Figure. Maiyadi App Store

WireLurker was discovered on the Maiyadi App Store, a third-party app store in China. The threat is Trojanized into pirated Mac OS X applications. Once a pirated application has been downloaded onto a computer running OS X, WireLurker...