Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Eric Park | 18 Feb 2014 18:34:22 GMT

In this blog detailing how spammers continue to change their messages in order to increase their success rate, we looked at the evolution of the same spam campaign from missed voicemail messages to spoofing various retailers, and then spoofing utility statements. Clicking on the link led the users to a download for a .zip file containing Trojan.Fakeavlock. Attackers may have realized that those attack vectors no longer entice recipients, so spammers have introduced two new schemes for this campaign that appear to be random and unrelated at first, but they do share a common goal.

The first scheme spoofs various courts around the country:


Symantec Security Response | 14 Feb 2014 23:58:13 GMT

In an earlier blog, Symantec highlighted that we were investigating reports of a zero-day exploit affecting Internet Explorer 10 in the wild. Now we have further details on the attack leveraging this new zero-day, Microsoft Internet Explorer CVE-2014-0322 Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322).

IE 0 day edit.png

Figure. Watering hole attack using IE 10 0-day

Anatomy of the attack

The target of this watering hole attack was the (Veterans of Foreign Wars) website. While this attack was active, visitors to the site would encounter an IFrame which was inserted by the attackers in order to...

Symantec Security Response | 14 Feb 2014 00:30:09 GMT

Symantec is currently investigating reports of a potential zero-day exploit affecting Internet Explorer 10 in the wild. This appears to be a watering hole attack that was hosted on a compromised website in the United States. The watering hole attack website redirected unsuspecting users to another compromised website that hosted the zero-day attack.

We continue to analyze the attack vector and associated samples for this potential zero-day. Our initial analysis reveals that the Adobe Flash malicious SWF file contains shell code that appears to be targeting 32-bit versions of Windows 7 and Internet Explorer 10. We have identified a back door being used in this attack that takes screenshots of the victim’s desktop and allows the attacker to take control of the victim’s computer. We identify and detect this file as Backdoor.Trojan.

Symantec also has the following IPS...

Satnam Narang | 12 Feb 2014 18:59:14 GMT

In the latest Snapchat spam developments, an increasing number of the photo-sharing app’s users have been sending out spam pictures of fruits or fruit-based drinks to their contacts, which directs them to websites called “Frootsnap” and “Snapfroot”.

Snapchat Fruit 1 edit.png

Figure 1. Fruit spam on Snapchat

While Symantec has been tracking Snapchat spam for months, this is the first case in which the spam does not originate from fake accounts, but those belonging to real users. These accounts have been compromised to push diet spam.

Instagram users might recall similar...

Dinesh Theerthagiri | 11 Feb 2014 19:49:38 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of thirty-one vulnerabilities. Twenty-five of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the February releases can be found here:

The following is a breakdown of the issues being...

Eric Park | 11 Feb 2014 17:55:34 GMT

One of the most popular methods of spamming is snowshoe spam, also known as hit and run spam. This involves spam that comes from many IP addresses and many domains, in order to minimize the effect of antispam filtering. The spammer typically sends a burst of such spam and moves to new IP addresses with new domains. Previously used domains and IP addresses are rarely used again, if ever.

Some spammers like to use a similar pattern across their spam campaigns. This blog discusses a particular snowshoe spam operation that I have labeled “From-Name snowshoe”. While there are other features in the message that allow the campaigns to be grouped into the same bucket, the messages’ most distinct feature is that all of the email addresses that appear in the “from” line use real names as their usernames. 

  • From: [REMOVED] <Leila.Day@[REMOVED]>
  • From: [REMOVED] <CharlotteTate@[REMOVED]>
  • From: [REMOVED] <Diana.Pope@[REMOVED]>
  • ...
Stephen Doherty | 10 Feb 2014 18:50:53 GMT


The Mask 1.png

Modern cyberespionage campaigns are regularly defined by their level of sophistication and professionalism. “The Mask”, a cyberespionage group unveiled by Kaspersky earlier today, is no exception. Symantec’s research into this group shows that The Mask has been in operation since 2007, using highly-sophisticated tools and techniques to compromise, monitor, and exfiltrate data from infected targets. The group uses high-end exploits and carefully crafted emails to lure unsuspecting victims. The Mask has payloads available for all major operating systems including Windows, Linux, and Macintosh.

An interesting aspect of The Mask is the fact that they are targeting the Spanish-speaking world and their tools have...

Christian Tripputi | 07 Feb 2014 13:13:29 GMT

The biggest bank robbery of all time was identified in Brazil in 2005. In this case, a gang broke into a bank by tunneling through 1.1 meters of steel and reinforced concrete and then removed 3.5 tons of containers holding bank notes. This heist resulted in the loss of about 160 million Brazilian dollars (US$380 million).

Robbers today, however, don’t have to bother with drilling through walls to steal money. They can rob a bank while sitting comfortably at home behind a computer. Thanks to cybercrime, organizations have suffered financial losses in the order of millions. The Symantec State of Financial Trojans 2013 whitepaper shows that banking Trojans are becoming more prevalent. Apart...

Satnam Narang | 06 Feb 2014 15:59:32 GMT


Whether it’s National Cyber Security Awareness Month in October or Safer Internet Day in February, it’s always important to remember to be safe online every day. As technology continues to become more integrated into our daily lives, there are settings and security features that can be used to ensure your information and digital identity remain under your control.

It’s a social world
The most dominating force on the Internet today is social. Right now, I have friends pinning their wedding ideas, instagramming lattes, snapchatting outfits, checking into restaurants on Foursquare, vining videos of their cats, sharing newborn baby photos on Facebook, and tweeting in anticipation of The Walking Dead premiere. As these services become more and more popular, they are targeted more frequently by scams, spam, and phishing attempts.


Gavin O Gorman | 06 Feb 2014 13:27:47 GMT


On January 23, CERT Polska posted a blog describing a piece of minimalist banking malware targeting Polish citizens. The hashes of several samples of the malware were also listed in the blog. Symantec subsequently broke out a new name for this malware, calling it Trojan.Banclip. Using Symantec telemetry it’s possible to understand more about the distribution of this malware, and what else the attackers responsible for the malware may be up to. It is also an opportunity to clear up some misconceptions about malware scanning services.

Related activity
Symantec recorded a variant of Trojan.Banclip being downloaded from a Polish website, zeus[REMOVED], on January 14, 2014. At least...