
Security Response

Joji Hamada | 28 Sep 2012 07:21:33 GMT | 0 comments

On September 27, Adobe posted a blog stating that the company is investigating the inappropriate use of an Adobe code signing certificate for the Windows operating system. Symantec is aware of this issue and has added protection to detect any unauthorized file signed by the Adobe certificate in question as Trojan.Abe. We are currently aware of two utilities totaling three files that appear to come from one particular source signed by this certificate. One is a password dump tool that is available publicly and another is an ISAPI filter that redirects internet traffic on a Web server that, to our knowledge, is not publicly available. Details of the files are listed below:

PwDump7.exe

MD5 hash: 130F7543D2360C40F8703D3898AFAC22

Signature...

Joji Hamada | 25 Sep 2012 17:03:35 GMT | 0 comments

The authors of Android.Enesoluty have added another app to their repertoire. The new app is called “Safe Virus Scan” in Japanese, and as the name suggests, it is supposed to function as an antivirus app. However, as you might have guessed, it does not contain any antivirus functionality and the only action it performs is to steal personal data.

Previous variants displayed messages stating that the app was incompatible with the device. However, unlike its predecessors, this app appears as though it actually functions as advertised.

Figure 1. Fake scan run by malicious app

By the time the scan is complete, the app has...

Andrea Lelli | 20 Sep 2012 14:29:21 GMT | 0 comments

The popular Blackhole Exploit Kit has gained a lot of media attention recently when its author announced the imminent release of version 2.0, boasting a list of new interesting features. Recently we were very surprised when we found a website hosting what is supposed to be version 2.0 of the Blackhole Exploit Kit. Naturally, we started investigating and soon discovered that something about the website was not right.

Figure 1. The (suspicious) statistics page of the exploit kit

Looking at Figure 1, you can see a label at the bottom of the page clearly saying Blackhole v.2.0, but apart from this difference, the rest of the page looks very similar to the old version:

...

Satnam Narang | 19 Sep 2012 22:21:45 GMT | 0 comments

Contributor: Jeet Morparia

A few weeks ago, we wrote about the Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2012-4681) being used in a targeted attack campaign by the Nitro attackers. Recently, we have discovered another group exploiting this vulnerability in the wild: the Taidoor attackers.

The Taidoor attackers began utilizing the vulnerability when the proof of concept (POC) began to circulate. On August 28, we discovered the malicious file Ok.jar (Trojan.Maljava!gen24) exploiting the CVE-2012-4681 vulnerability. If successfully exploited, an executable payload, Javaupdate.exe, will be dropped...

Flora Liu | 18 Sep 2012 21:50:05 GMT | 0 comments

Designed in 2007 and introduced in late 2009, the Go programming language developed by Google has been gaining momentum over the past three years. It is now being used to develop malware. Recently seen in the wild, Trojan.Encriyoko is a new threat associated with components that are written in Go. The Trojan attempts to encrypt various file formats on compromised computers, rendering the encrypted files unusable.

The original sample we acquired, a file named GalaxyNxRoot.exe, is actually a dropper written in .NET which disguises itself as a rooting tool to trick users into installing it.

Figure 1....

Branko Spasojevic | 17 Sep 2012 19:27:12 GMT | 0 comments

Contributor: Lionel Payet

Eric Romang has released a blog about the Microsoft Internet Explorer Image Arrays Remote Code Execution Vulnerability, a possible zero-day vulnerability in Internet Explorer that is being exploited in the wild. Microsoft has confirmed this vulnerability affects Internet Explorer 9, Internet Explorer 8, Internet Explorer 7, and Internet Explorer 6 browsers.

The exploit is made up of four main components:

  1. The Exploit.html file is the starting point responsible for setting up the exploit. After setting up the necessary conditions for the vulnerability, it will invoke the Moh2010.swf file.
    • Symantec detects this stage as...

Joji Hamada | 17 Sep 2012 15:24:10 GMT | 0 comments

Android.Sumzand, currently one of the most active malware programs in Japan, has recently transformed itself into the “Sun Charger” app. Advertised through spam, this series of variants pretending to be apps that allow mobile devices to be charged by holding the display towards the sun has been quite successful in stealing contact details from a large number of users. As the scammers collect large volumes of data stored on the device, they send more spam advertising the fake apps to the email addresses that they have acquired. The number of recipients of the spam is increasing exponentially as each day passes by.

Because this particular spam campaign has become so huge, it is a heavily discussed topic on Internet forums and social-networking sites. Some users question if anyone would even fall for the trick, whilst others who have never received spam in the past are...

Symantec Security Response | 17 Sep 2012 13:03:57 GMT | 0 comments

W32.Flamer is a sophisticated cyber espionage tool which targeted the Middle East. News of its existence hit the headlines earlier in 2012. Symantec has performed a detailed forensic analysis of two of the command-and-control (C&C) servers used in the W32.Flamer attacks earlier this year.

The servers were set up on March 25, 2012, and May 18, 2012, respectively. On both occasions, within only a few hours of the server being set up, the first interaction with a computer compromised with Flamer was recorded. The servers would go on to control at least a few hundred compromised computers over the next few weeks of their existence.

The analyzed servers contain the same control framework, but they were used for distinct purposes. The server that was set...

Mathew Maniyara | 13 Sep 2012 20:09:55 GMT | 0 comments

Co-Author: Ashish Diwakar

The next FIFA World Cup is scheduled to take place in June 2014 in Brazil and phishers have already taken the opportunity to promote the event. World Cups are a favorite of phishers, as observed in the phishing sites focused on the 2010 FIFA World Cup and the 2011 Cricket World Cup. In September 2012, phishing sites spoofed a popular Brazilian credit and debit card company using the 2014 FIFA World Cup as bait.

The phishing sites were in Brazilian Portuguese. A number of the phishing sites featured Brazilian footballer Neymar da...

Candid Wueest | 11 Sep 2012 16:57:35 GMT | 0 comments

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing two bulletins covering a total of two vulnerabilities. None of this month's issues are rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available
  • Run all software with the least privileges required while still maintaining functionality
  • Avoid handling files from unknown or questionable sources
  • Never visit sites of unknown or questionable integrity
  • Block external access at the network perimeter to all key systems unless specific access is required

Microsoft's summary of the September releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms12-Sep

The following is a breakdown of the issues...