
Security Response

Symantec Security Response | 28 Jan 2013 04:44:17 GMT | 0 comments

As we predicted toward the end of last year, we are once again seeing an upswing in ransomware activity in 2013. The ransomware extortion scam has been in existence now for a number of years but its popularity among cybercriminals has grown over the last two years and it continues to indiscriminately plague computer users in greater numbers. Symantec has tracked this growing menace in various blogs, a whitepaper, and a video.

In the last week Symantec has observed a new spike in ransomware activity being seen worldwide. While several variants of the ransomware threat are responsible for the overall spike, the main ransomware variant being observed is...

Takashi Katsuki | 25 Jan 2013 21:20:27 GMT | 0 comments

It is important for malware authors to keep a solid network connection between their malware on compromised computers and their own servers so that the malware can receive commands and be updated. However, communication between the malware and the malware servers may be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS). Consequently, malware authors try to find more secure methods of providing communication between the malware and the servers. For example, I wrote a blog last November detailing how Backdoor.Makadocs uses the Google docs viewer function as a proxy to maintain a solid connection between the malware and its servers. More recently, I discovered a Trojan horse that uses Sender...

Flora Liu | 24 Jan 2013 03:05:39 GMT | 0 comments

In February 2012, we blogged about Android.Bmaster (a.k.a. Rootstrap), which infected hundreds of thousands of devices. At that time, it was the largest mobile botnet documented to date. Recently, the Bmaster botnet has been overtaken by the newly uncovered MDK botnet. Kingsoft, which dubbed the threat Android.Troj.mdk, believes it is hidden in more than 7,000 apps and has infected up to one million devices.

Symantec’s analysis suggests the MDK Trojan is a new variant of Android.Backscript. Our detection for this threat family has been in place since September 2012. The code of MDK is very similar to Android.Backscript and they use the same certificate to...

Santiago Cortes | 24 Jan 2013 00:42:20 GMT | 0 comments

Contributor: Lionel Payet

Last week we saw how W32.Waledac was getting cozy with W32.Virut, but let us not forget about other spam botnets, like Trojan.Pandex (a.k.a. Cutwail), as they also persist in their propagation affairs.

The people behind W32.Cridex have used many attack vectors to spread the malware, including taking advantage of exploit kits like Blackhole, or attempting to deceive users with crafted PDF documents. This month they have managed to compose a more elaborate attack.

The attackers have...

Val S | 22 Jan 2013 20:18:13 GMT | 0 comments

At the time of this blog post, and for the past five days, we have noticed an increase in spam containing malware that targets Australians. The attackers behind this malicious spam campaign appear to have no specific target in mind other than compromising a large base in Australia for reasons still unknown. Symantec Security Response has observed two separate versions of this campaign purporting to be from Australian organizations and targeting Australian users.

In the following example, an email pretends to be from the "Australian Taxation Office" with the subject line "Tax Agent Report – Delayed Tax Returns" and contains a 'Tax Report.zip' attachment file. Inside the zip file is a TaxReport.xls.exe malicious executable file.

...

Joji Hamada | 21 Jan 2013 15:08:37 GMT | 0 comments

Android.Exprespam was discovered at the beginning of January and has only been around for about two weeks, but the scammers seem to be having a lot of success with the malware already. Symantec has acquired some data that has allowed us to get an idea of how successful Exprespam may be in scamming Android users into providing personal data. The data obtained, which is only a portion of the complete data, indicates that the fake market called Android Express’s Play has drawn well over 3,000 visits in a period of a week from January 13 to January 20.

Based on several sources*, I calculated that the scammers may have stolen between 75,000 and 450,000 pieces of personal information.

Figure 1. ...

Symantec Security Response | 16 Jan 2013 19:37:49 GMT | 0 comments

An advanced cyber-espionage network targeting high-profile organizations and governments has recently been unveiled. The main attack method being used in this campaign is spear phishing.

The spear phishing emails contain Word document or Excel spreadsheet attachments that exploit three known vulnerabilities in order to compromise computers. The vulnerabilities used are:

Mathew Maniyara | 15 Jan 2013 23:52:15 GMT | 0 comments

Contributor: Ayub Khan

Phishers consider special occasions as an opportunity to strike at end users and Christmas has always been a favorite for phishers to introduce new phishing baits. For this past Christmas, phishers created a phishing site pretending to be a popular payment system based in the USA. Phishers used a typosquatting domain hosted on servers based in the Netherlands.

The phishing site began by stating that the user was chosen as the winner of a $400 cash prize. Users were told that ten winners were given the prize every year for Christmas. To receive the prize, visitors were prompted to enter the verification code they received by email. The phishing site uses poor language, as is evident from the misspelled “recieve” in the message.

...

Denis Carmody | 14 Jan 2013 22:53:52 GMT | 0 comments

Recently, we blogged about the file-infector virus known as W32.Virut and the botnet’s return to distributing new payloads. In the blog, we estimated that the Virut botnet currently consists of 308,000 unique Virut clients active in a single day. It was also noted that Virut had been observed distributing payloads with the functionality to send out email spam for advertisements and fraud as well as other malicious purposes.

During our further analysis of recent Virut samples, we observed the virus downloading a botnet variant named Waledac (also known as Kelihos), which Symantec detects as W32.Waledac.D. The ...

Joji Hamada | 14 Jan 2013 17:00:37 GMT | 0 comments

When Android.Exprespam was discovered earlier this month, we quickly posted a blog warning users about the malware and discussing the details of the attack. Word spread quickly as the media, as well as the local authorities, pushed the news out to a wide audience. It seems like the scammers thought the news had reached enough people and that it was time they updated the malware and the fake market in order to start their attack afresh with new content that people are not familiar with.

The new fake market is called ANDROID EXPRESS’s PLAY (ANDROID EXPRESSのPLAY in Japanese). According to the site, it is maintained by Gcogle.

...