Security Response

Satnam Narang | 01 Jul 2013 17:18:14 GMT

Over the last few years, we’ve reported on a number of spam campaigns spreading through various social networking sites and applications. As with any social service, as it becomes popular, spammers look for ways to take advantage of this popularity by targeting the users of these services.

I’ve previously blogged about the popularity of online dating sites and highlighted an example of a malicious campaign using...

Jenny Chen | 01 Jul 2013 15:20:55 GMT

After the annual National College Entrance Examination (NCEE), Chinese high school graduates are now busy choosing a college and filling out college applications. The college picks are no trivial matter; they determine matriculation.

Phishers also do not want to miss out on this event and the opportunity to profit. If a candidate’s personal information is stolen by phishers, the victim and their parents can expect to receive a large number of spam messages or annoying phone calls—including civil college and overseas educational agencies advertising, or even attempts at financial fraud. Phishing websites may even make a candidate mistakenly think they have completed an application to a college—but, actually, they did not—which directly affects the candidate's future at this important juncture in their life. In addition, the candidate's information will be sold for profit to overseas educational agencies, fake credentials makers, or re-...

Kazumasa Itabashi | 01 Jul 2013 11:06:45 GMT

Recently there has been a lot of attention drawn to the vulnerabilities in Java and how they can lead to malware being created. However, it is worth noting that a vulnerability is not always required for malware to exist, as is the case with Java.Cogyeka. While this threat does not exploit any vulnerability in Java itself, it is written in the Java language and performs numerous malicious activities, which I intend to explore throughout this series of blogs.

Java.Cogyeka was discovered in July 2012 and is still active now. This malware has five features, which I have broken down into the following categories:

  1. Propagation through autorun.inf
  2. Stealth techniques
  3. Downloader functionality
  4. Obfuscation
  5. Infostealer functionality

Other Java malware we have seen does not have this...

Symantec Security Response | 28 Jun 2013 13:47:18 GMT

On June 26 2013, browser manufacturer Opera announced that they had been breached as a result of a targeted attack against their infrastructure. However, this was no ordinary targeted attack. The attackers in this case weren't looking to steal intellectual property. They wanted to use Opera's auto-update mechanism in order to propagate a piece of malware normally associated with financial Trojans.

When attackers breached the Opera network sometime around June 19 2013, they first stole an expired Opera code signing certificate to sign a piece of malware. Signing the malware allowed them to distribute it via Opera's auto-update mechanism. Users would receive the malware as part of a browser update. The malware in question is Downloader.Ponik, a downloader Trojan...

Symantec Security Response | 27 Jun 2013 20:04:25 GMT

Yesterday, Symantec published details about a new distributed denial-of-service (DDoS) attack carried out by a gang dubbed "DarkSeoul" against South Korean websites. We identified their previous attacks against South Korea, including the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters. As a result of our continued investigations into attacks against South Korea, we have come across a new threat—detected as Trojan.Korhigh—that attempts to perform a similar wiping action.

Similar to previous...

Ashish Diwakar | 27 Jun 2013 15:55:35 GMT

Contributor: Avdhoot Patil

As usual, phishers continue to focus on social networking as a platform for their phishing activities. Fake social networking applications on phishing sites are not uncommon. Phishers continue to come up with new fake applications for the purpose of harvesting sensitive information.

In the past six months, phishing on social media sites consisted of 6.9 percent of all phishing activity. Among the phishing sites targeting social media, 0.9 percent consisted of fake applications offering features such as adult videos, video chatting, adult chatting, free mobile recharge, etc.

In May 2013, phishers implemented a fake security application on a phishing site that claimed to secure Facebook Fan Pages and thereby increase the “social security” of the user profile. A Facebook Fan Page is important, as it is a public profile on Facebook that can be used by celebrities, companies, and also by regular Facebook users who...

Symantec Security Response | 26 Jun 2013 23:05:46 GMT

Today we released a new version of Norton Mobile Security for Android devices that contains our new Norton Mobile Insight technology. Mobile Insight has analyzed over 4 million Android applications and processes tens of thousands of new applications every day. Through automatic and proprietary static and dynamic analysis techniques, Mobile Insight is able to automatically discover malicious applications, privacy risks, and potentially intrusive behavior. Further, Mobile Insight will tell you exactly what risky behavior an application will perform and give you specific, relevant, and actionable information.

The ability of Mobile Insight to automatically provide granular information on the behavior of any Android application even surprised us when we reviewed the most popular applications exhibiting privacy leaks. 

Of particular note, Mobile Insight automatically flagged the...

Symantec Security Response | 26 Jun 2013 22:33:21 GMT

Yesterday, June 25, the Korean peninsula observed a series of cyberattacks coinciding with the 63rd anniversary of the start of the Korean War. While multiple attacks were conducted by multiple perpetrators, one of the distributed denial-of-service (DDoS) attacks observed yesterday against South Korean government websites can be directly linked to the DarkSeoul gang and Trojan.Castov.

We can now attribute multiple previous high-profile attacks to the DarkSeoul gang over the last 4 years against South Korea, in addition to yesterday’s attack. These attacks include the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters, as well as the...

Candid Wueest | 26 Jun 2013 15:55:36 GMT

Google has started to scan newly uploaded applications and extensions in its Chrome Web Store, similar to what they already do in the Android Play Market.

We have written about quite a few cases where malicious extensions were pushed on social network users. Usually they claim to add a new functionality to the social network, like seeing who visited your profile. Not all of them are hosted on the official Chrome Web Store, so the new process will not stop all malicious extensions finding their way to the user. That being said, Symantec welcomes Google’s effort to remove malicious Chrome extensions as soon as possible and the improvements that were made to their automated system to help them detect items containing malware.

Malicious extensions for browsers...

Candid Wueest | 26 Jun 2013 15:24:17 GMT

The federal Office for Information Security in Germany (BSI) together with the “Fraunhofer SIT” and “]init[ AG” released a study on the risk with common content management systems (CMS) for websites. A CMS is typically used to administrate websites and helps to update text and other content in a simple way, making this task doable for non-IT professionals. Unfortunately, it is also often a focus point for attackers who attempt to gain access to the Web server. When an attacker controls the CMS, it is possible for them to modify the website. In the past, many websites have been compromised through vulnerabilities in un-patched CMS and were then turned into drive-by download sites by inserting malicious iFrames into the...