Security Response
Symantec Security Response | 25 Jul 2014 13:41:11 GMT


Symantec Security Response recently discovered a peculiar back door program that targeted a Korean organization. The malware, detected by Symantec as Backdoor.Baccamun, is dropped by an RTF document written in Korean that is disguised as an internal invitation to the organization’s employees for a free car inspection. The document file exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) and drops Backdoor.Baccamun once the vulnerability has been successfully exploited.

The back door is quite compact (19 kilobytes), smaller than the average back door program. It can perform the following actions:

  • List running processes
  • Terminate...
Binny Kuriakose | 23 Jul 2014 23:28:53 GMT

Contributor: Mayur Deshpande

Phishing emails masquerading as banking communications are observed in huge quantities every single day. Spammers will often exploit global news and major world events to carry out phishing attacks. Phishing emails often use international and regional news to disguise their phishing content and force the recipients to give up sensitive personal data.

Recently, Canada enacted an anti-spam law which mandates that all companies obtain explicit consent from customers for email correspondence. Spammers exploited this news to send phishing emails pretending to request consent for emails. This phishing attempt shown below goes a step further and fabricates fake news about a similar law in the United States.


Figure. Phishing sample...

Ankit Singh | 22 Jul 2014 22:25:38 GMT


Contributor: Himanshu Anand

Facebook scams are a regular occurrence in today’s world, but attackers have become more aggressive and are now using Facebook scams to exploit a user’s system. Normally Facebook scams trick users into filling out fake surveys, or sharing videos and pictures. It is very rare that a scam redirects to an exploit kit, but in the case of one famous Facebook scam targeting users who wanted to work from home, that was exactly what happened. The “EXPOSED: Mom Makes $8,000/Month” scam, which we observed recently, redirected users to the Nuclear exploit kit. This particular scam has since been removed by Facebook.


Figure 1....

Symantec Security Response | 16 Jul 2014 23:01:43 GMT

Despite Japan's isolated adoption of unique and sometimes incompatible technological standards, often described as Galapagosization, the country still seems to be fair game when it comes to banking malware. Attacks on online banking are nothing new in Japan, and the country has dealt with several prominent cases in the last year. For instance, Infostealer.Torpplar targeted confidential information specific to Japanese online banks and credit cards, and variants of Infostealer.Bankeiya used various methods, including zero-day vulnerabilities and exploit kits, to target Japanese users. Japan's National Police Agency reported that US$11,840,000 was stolen in 2013 as a result of cybercrime and, as of May 9, 2014, US$14,170,000...

Satnam Narang | 15 Jul 2014 16:12:08 GMT

One year ago, we warned users about one of the first instances of adult webcam spam on the up-and-coming mobile dating application Tinder. We also warned about an impending flood of spam bots once an Android version was released. Now, a year later, we have observed a number of different spam campaigns using fake profiles to flirt with users of the service.

Adult webcam spam
The first spam campaign we identified ultimately set the tone for future campaigns. These spam bots claimed to offer an adult webcam session and asked users to click on a link to another website. The spammers iterated their efforts, modifying their scripts, switching short URL services (from goo.gl to bit.ly), and linking to different webcam sites. Eventually, these bots were set up to get users to...

Symantec Security Response | 10 Jul 2014 17:40:05 GMT

An international law enforcement operation has struck a major blow against the gang behind Shylock, one of the world’s most dangerous financial Trojans. The takedown, which was led by the UK National Crime Agency, resulted in the seizure of command and control (C&C) servers, in addition to domains that Shylock uses for communication between infected computers.

Trojan.Shylock is designed to intercept online banking transactions and steal victims’ credentials. The gang behind it appears to be based in Russia or Eastern Europe and its main target is customers of UK banks. It has also hit financial institutions in a number of other European countries and the US. Shylock is more advanced than many other financial Trojans:

  • The attackers behind Shylock have an advanced, targeted...
himanshu_mehta | 08 Jul 2014 18:40:33 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing six bulletins covering a total of 29 vulnerabilities. Twenty-four of this month's issues are rated Critical.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the July releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14...

Binny Kuriakose | 04 Jul 2014 10:01:54 GMT

Contributor: Vijay Thawre

It’s a time of freedom and joy for Americans as the United States prepares to celebrate its 238th Independence Day on July 4 with fireworks, parades, music, and public events. However, like every other year, spammers are sending people a barrage of cleverly crafted spam aimed at exploiting this mood of celebration.

This year, Symantec has observed a variety of spam, ranging from fake Internet offers to pharmacy deals, which take advantage of the US Independence Day.

Travel promotion spam
In travel promotion spam campaigns, the spammer tries to lure customers with offers of premium travel arrangements for July 4. The spammer claims to offer chartered private jets, aiming to entice customers with the luxury of having a plane at their disposal. They also make a pitch for budget travelers. The spam message includes a link to a page that asks users to enter their personal information....

Ankit Singh | 03 Jul 2014 17:01:17 GMT

On June 28, the popular video sharing website Dailymotion was compromised to redirect users to the Sweet Orange Exploit Kit. This exploit kit takes advantage of vulnerabilities in Java, Internet Explorer, and Flash Player. If the vulnerabilities were successfully exploited during the campaign, pay-per-click malware was then downloaded onto the victim’s computer. As of this week, Dailymotion is no longer compromised, and users are no longer being redirected to the exploit kit.

We believe that the attackers compromised Dailymotion in order to target a large number of users. Dailymotion is in Alexa’s top 100 most popular websites list, so the attackers could potentially have infected a substantial number of users’ computers with malware through this attack. We found that the campaign mainly affected Dailymotion visitors in the US and Europe.

...

Ankit Singh | 02 Jul 2014 08:46:25 GMT

Contributor: Karthikeyan Kasiviswanathan

Last week, it was reported that the popular Web portal AskMen.com was compromised to redirect users to a malicious website that hosted the Nuclear Exploit Kit. During its investigation, Symantec found that users were also redirected to the Rig Exploit Kit during this attack. Symantec has notified the owners of the AskMen.com site about this compromise.

The Rig Exploit Kit was discovered a few months ago and mainly exploits vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight. We decided to take a closer look at how the exploit kit was used in this attack to find out what damage it could do to users’ computers.

Rig Exploit Kit’s features
To set up the attack, the attackers injected malicious JavaScript into the website...