Security Response

Symantec Security Response | 06 Sep 2013 22:12:35 GMT

Targeted attacks are a daily occurrence and attackers are fast to employ the latest news stories in their social engineering themes. In a recent targeted attack, delivering a payload of Backdoor.Korplug and caught by our services, we observed an attacker taking advantage of a recently published article by the Washington Post in relation to chemical attacks in Syria. The attacker took the full text of the article and used it in their own malicious document in an effort to dupe victims into believing the document was legitimate.


Val S | 04 Sep 2013 19:19:19 GMT

Contributor: Roberto Sponchioni

Symantec Security Response has recently come across a new remote access tool (RAT) called Alusinus, which we detect as Backdoor.Alusins. The program was intended for the Spanish-speaking underground and the builder itself is rather straightforward with several standard functions, although one function is interesting and is worth noting. The builder allows the RAT to inject itself into a clean process, such as calc.exe, svchost.exe, or notepad.exe, in order to improve its chances of evading detection.


Figure 1. Backdoor.Alusins control panel – user name/computer name, AV and firewall information are reported back to attacker

Satnam Narang | 03 Sep 2013 17:35:39 GMT

Ahead of this week's G20 summit in Saint Petersburg, Russia, attackers are leveraging the meeting's visibility in targeted attacks.

One particular campaign we have identified is targeting multiple groups. They include financial institutions, financial services companies, government organizations, and organizations involved in economic development.


Figure 1. Email purporting to be from G20 Representative

The email purports to be sent on behalf of a G20 representative. The email continues:

Many thanks for circulating these updated building blocks. Please find the UK comments on these attached. I look forward to seeing you in St Petersburg soon....

Joji Hamada | 30 Aug 2013 07:56:51 GMT

Shortcut files have recently become a common vehicle used in targeted attacks to deliver malware into organizations. Symantec has observed a variety of ways shortcut files are being used to penetrate networks, such as the one described in a previous blog. We recently came across another example of how this file type is being used in an attempt to evade detection by security products and trick email recipients into executing attachments. In this variation, an email with disassembled malware attached is sent to a recipient along with a shortcut file used to reassemble the malware.

The email used for this attack included an archive file as an attachment containing a shortcut file with an icon of a folder along with a real folder containing a Microsoft document file and two hidden files with .dat file extensions.


Nick Johnston | 29 Aug 2013 08:24:31 GMT

As the international community coordinates its response to the deepening crisis in Syria, scammers have once again demonstrated their skill at using current, high-profile events to their advantage. We have previously covered these methods in regards to Egypt, Libya, and the Rugby World Cup.

We recently identified a scam message that claimed to be from The Red Cross. The message explains how the conflict is creating a humanitarian crisis and urges people to support The Red Cross and The Red Crescent.


Curiously, the email includes a link to the actual British Red Cross...

Symantec Security Response | 28 Aug 2013 07:00:30 GMT

In April 2013, the administrative assistant to a vice president at a French-based multinational company received an email referencing an invoice hosted on a popular file sharing service. A few minutes later, the same administrative assistant received a phone call from another vice president within the company, instructing her to examine and process the invoice. The vice president spoke with authority and used perfect French. However, the invoice was a fake and the vice president who called her was an attacker.

The supposed invoice was actually a remote access Trojan (RAT) that was configured to contact a command-and-control (C&C) server located in Ukraine. Using the RAT, the attacker immediately took control of the administrative assistant’s infected computer. They logged keystrokes, viewed the desktop, and browsed and exfiltrated files. 

These tactics, using an email followed up by a phone call using perfect French, are highly unusual and are a sign of...

Masaki Suenaga | 22 Aug 2013 20:31:29 GMT

We have been fighting the W32.Changeup family of worms for a long time and have written about it many times.


Figure 1. W32.Changeup prevalence

One characteristic of W32.Changeup is that it is written in Microsoft Visual Basic 6.0 and the viral part of its program code is seen in the program file, but it may appear to be obfuscated. However, for the first time in W32....

Flora Liu | 21 Aug 2013 10:25:27 GMT

Although ransomware has become an international problem, we rarely see Chinese versions. Recently, Symantec Security Response noticed a new type of ransomlock malware that not only originates from China but also uses a new ransom technique to force users into paying to have their computers unlocked.

This threat is written in Easy Programming Language and is spread mostly through a popular Chinese instant messaging provider. Once a computer is compromised, the threat changes the login credentials of the current user and restarts the system using the newly created credentials. The login password is changed to “tan123456789” (this was hardcoded in the sample we acquired), but the malware author may update the threat and change the password. The account name is changed to “contact [IM ACCOUNT USER ID] if you want to know the password” (English translation) so that once the computer has restarted, and the user is unable to log in, they will see the account...

Ross Gibb | 20 Aug 2013 23:50:30 GMT

ZeroAccess has always distributed its malicious payloads to infected computers using a peer-to-peer protocol. The use of a peer-to-peer protocol removes the need to maintain centralized command-and-control (C&C) servers to distribute malicious payloads. In 2011, ZeroAccess’ peer-to-peer protocol communicated over TCP, but in the second quarter of 2012 the protocol was modified to use UDP. This was the last significant update to the ZeroAccess peer-to-peer protocol until June 29, 2013.

Symantec has been closely monitoring the ZeroAccess peer-to-peer networks since its discovery. On June 29, 2013, we noticed a new module being distributed amongst ZeroAccess peers communicating on the UDP-based peer-to-peer network that operates on ports 16464 and 16465. ZeroAccess maintains a second UDP-based network that operates on ports 16470 and 16471. ZeroAccess peers communicate to...

Satnam Narang | 20 Aug 2013 18:42:39 GMT

Instagram, the popular photo and video sharing service acquired by Facebook, is often a target for spam and scams, some of which we have written about over the past year. This week, a friend shared an in-stream advertisement for a program called Instagram for PC on his Facebook timeline. This application claims to run Instagram in an emulator, so that PC users can access the service without a phone.


Figure 1. Instagram for PC website

When trying to download a copy of Instagram...