Security Response
Symantec Security Response | 20 Nov 2014 17:14:00 GMT | 0 comments

As Americans gear up for another holiday shopping season, the threat posed by point-of-sale malware remains high. More than a year after the discovery of the first major attacks against POS networks, many US retailers are still vulnerable to this type of attack and are likely to remain so until the complete transition to more secure payment card technologies in 2015. 

While some retailers have enhanced security by implementing encryption on their POS terminals, others have not and retailers will continue to be a low-hanging fruit for some time. While the introduction of new technologies will help stem the flow of attacks, it will not eliminate fraud completely and attackers have a track record of adapting their methods. 

Point-of-sale malware is now one of the biggest sources of stolen payment cards for cybercriminals. Although it hit the headlines over the past year, the POS malware threat has been slowly germinating since 2005 and the retail industry...

Symantec Security Response | 13 Nov 2014 23:44:03 GMT


Each year, as world leaders come together to discuss a variety of global economic issues at the G20 summit, organizations with a vested interest in the event are the recipients of malicious emails from threat actors.

This year, the summit will be held in Brisbane, Australia on November 15 and 16 and a specific attack group, which we call Flea, has been circulating malicious emails throughout 2014 in anticipation of the event. Targets include an international economic organization as well as a group connected to multiple monetary authorities. Once the attackers have compromised their target’s computers, they identify and steal valuable information from them.

Who is the Flea attack group?
The Flea attackers have been active since at least 2010 when they sent a decoy document to target those...

Kevin Haley | 13 Nov 2014 09:56:12 GMT


With such an array of security incidents in 2014—from large-scale data breaches to vulnerabilities in the very foundation of the web—it’s difficult to know which to prioritize. Which developments were merely interesting and which speak of larger trends in the online security space? Which threats are remnants from the past and which are the indications for what the future holds?

The following are four of the most important developments in the online security arena over the past year, what we learned (or should have learned) from them, and what they portend for the coming year.

The discovery of the Heartbleed and ShellShock/Bash Bug vulnerabilities
In spring 2014, the Heartbleed vulnerability was discovered....

Symantec Security Response | 13 Nov 2014 05:49:55 GMT

JustSystems has issued an update to its Ichitaro product line (Japanese office suite software), plugging a zero-day vulnerability. The Multiple Ichitaro Products Unspecified Remote Code Execution Vulnerability (CVE-2014-7247) is being actively exploited in the wild to specifically target Japanese organizations.

The exploit is sent to the targeted organizations through emails with a malicious Ichitaro document file attached, which Symantec products detect as Exp.CVE-2014-7247. Payloads from the exploit may include Backdoor.Emdivi, Backdoor.Korplug, and...

PraveenSingh | 11 Nov 2014 23:14:08 GMT


Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing fourteen bulletins covering a total of 33 vulnerabilities. Fourteen of this month's issues are rated ‘Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required...

Liam O Murchu | 11 Nov 2014 08:00:14 GMT

Today, Kim Zetter released her book, “Countdown to Zero Day”. The book recounts the story of Stuxnet’s attempt to sabotage Iran’s uranium enrichment program. The work that Eric Chien, Nicolas Falliere, and I carried out is featured in the book. During the process of writing the book, Kim interviewed us on many occasions and we were lucky enough to be able to review an advanced copy.

Figure 1. Kim Zetter’s new book, “Countdown to Zero Day”

In chapter 17 of the book, “The Mystery of the Centrifuges”, Kim talks about how Stuxnet infections began in Iran, identifying several companies where she believes the infections originated.

“To get their weapon into the plant, the attackers launched an offensive against four companies. All of the companies were involved in industrial control processing of some sort, either manufacturing products or...

Lionel Payet | 07 Nov 2014 18:40:02 GMT


What’s true for businesses is also true for scams and malware: to remain successful, they must evolve and adapt. Sometimes, ideas or methods are borrowed from one business model and used in another to create an amalgamation. After all, some of the best creations have come about this way; out of ice-cream and yogurt was born delicious frogurt, and any reputable hunter of the undead will tell you the endless benefits of owning a sledge saw. Cybercriminals responsible for malware and various scams also want their “businesses” to remain successful and every now and again, they too borrow ideas from each other. We recently came across an example of this when we discovered a technical support phone scam that uses a new ransomware...

Symantec Security Response | 06 Nov 2014 21:01:30 GMT


Symantec Security Response is currently investigating OSX.Wirelurker, a threat that targets Apple computers running Mac OS X and Apple devices running iOS. WireLurker can be used to steal information from compromised iOS devices.

Figure. Maiyadi App Store

WireLurker was discovered on the Maiyadi App Store, a third-party app store in China. The threat is Trojanized into pirated Mac OS X applications. Once a pirated application has been downloaded onto a computer running OS X, WireLurker...

Ankit Singh | 04 Nov 2014 11:02:49 GMT


On October 27, while tracking exploit kits (EKs) and infected domains, Symantec discovered that the popular music news and reviews website was redirecting visitors to the Rig exploit kit. This exploit kit was discovered earlier this year and is known to be the successor of another once popular EK, Redkit. The Rig EK takes advantage of vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight and was also one of the EKs associated with the compromise back in June.

At the time of writing, the website was no longer compromised....

Symantec Security Response | 01 Nov 2014 00:11:56 GMT

Symantec Security Response has seen an increase in the number of reports related to a threat known as Trojan.Poweliks. Poweliks is unique when compared to traditional malware because it does not exist on a compromised computer as a file. Instead, it resides entirely within a subkey of the computer’s registry.

Figure. Trojan.Poweliks registry subkey

While Trojan.Poweliks is unique in how it resides on a computer, it can arrive on a computer through more common methods, such as malicious spam emails and exploit kits. Once on the compromised computer, Trojan.Poweliks can then receive commands from the remote attacker.

Poweliks has reportedly been delivered through malicious spam emails that claim...