
Security Response

Joji Hamada | 23 Aug 2012 23:18:38 GMT | 0 comments

Where malware targets one sex specifically, it has generally targeted men by enticing them to view videos or pictures of sexual content, and Android malware is no different. For instance, Android.Oneclickfraud attempts to coerce the user into paying for a pornographic service, and certain Android.Opfake variants let users view adult videos while secretly sending SMS messages to premium-rate numbers in the background. Recently, however, Symantec discovered Android.Loozfon, a rare example of malware that targets female Android users.

A group of scammers is attempting to lure female Android users in Japan into downloading an app by sending emails stating how the recipient can easily make...

Bhaskar Krishna | 21 Aug 2012 21:12:17 GMT | 0 comments

As we are all aware, Adobe released security updates for Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh, and Linux. These security updates address the Adobe Flash Player CVE-2012-1535 Remote Code Execution Vulnerability that could cause the application to crash and potentially allow an attacker to take control of the compromised computer. Adobe has also stated that there are reports of the vulnerability being exploited in the wild in limited targeted attacks distributed through malicious Word documents.

We have observed these threats since August 10, 2012, and to date we have successfully blocked more than 1,300 samples. The first sample...

Takashi Katsuki | 20 Aug 2012 21:37:24 GMT | 0 comments

Symantec reported new malware for Mac last month that we called OSX.Crisis. Kaspersky then reported that it arrives on the compromised computer through a JAR file by using social engineering techniques.

The JAR file contains two executables, one for Mac and one for Windows. It checks the operating system of the compromised computer and drops the matching executable. Both executables open a back door on the compromised computer. However, we found two special functions in the Windows version of the threat, which Symantec detects as W32.Crisis.

The threat uses three methods to spread itself: one is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device.

...

Lionel Payet | 20 Aug 2012 14:47:05 GMT | 0 comments

Thanks to Santiago Cortes for his assistance with this research.

We have captured samples that exploit the Adobe Flash Player CVE-2012-1535 Remote Code Execution Vulnerability through malicious Word documents. These samples were observed on Adobe Flash Player 11 ActiveX, version 11.0.1.152.

The attackers spread the malicious Word documents through email and entice their victims with file names referencing Apple's iPhone.

The .doc files attached to the email contain hidden malicious .swf files. The .swf files then drop more files onto the compromised computer, which are then opened, for example:

  • %Temp%\~WRD0001.doc           
  • %Temp%\Word8.0\ShockwaveFlashObjects.exd
  • %Temp%\Word8.0\...
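
The two CVE-2012-1535 posts above describe samples that arrive as Word documents with a hidden .swf inside. The following is an added example, not code from either post or from Symantec, showing a first-pass triage check a responder can run on a suspicious .doc: it scans the raw bytes for SWF headers (the FWS/CWS/ZWS signatures followed by the version byte and the uncompressed-length field) and validates each hit so that stray byte sequences in ordinary document content do not produce false positives. The sample document, its decoy string and the offsets are constructed for this example; the `max_version` and `max_len` thresholds are assumptions, not values from the posts.

```python
import struct
import zlib

# SWF file signatures: "FWS" uncompressed, "CWS" zlib-compressed (SWF 6+),
# "ZWS" LZMA-compressed (SWF 13+). The 8-byte header is: 3-byte signature,
# 1-byte version, then the uint32 little-endian uncompressed file length.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def _zlib_stream_starts(payload: bytes) -> bool:
    """True if payload begins with a decodable zlib stream; only the first
    chunk is inflated, so a truncated stream still passes but junk does not."""
    try:
        zlib.decompressobj().decompress(payload[:4096])
        return True
    except zlib.error:
        return False


def _parse_swf_header(data: bytes, pos: int, max_version: int, max_len: int):
    if pos + 8 > len(data):
        return None
    magic = data[pos:pos + 3]
    version = data[pos + 3]
    declared_len = struct.unpack_from("<I", data, pos + 4)[0]
    # Reject hits whose version or length is implausible (assumed thresholds).
    if not (1 <= version <= max_version and 8 < declared_len <= max_len):
        return None
    if magic == b"FWS" and declared_len > len(data) - pos:
        return None  # an uncompressed SWF cannot be longer than what is left
    if magic == b"CWS" and not _zlib_stream_starts(data[pos + 8:]):
        return None
    return (pos, magic.decode("ascii"), version, declared_len)


def find_embedded_swfs(data: bytes, max_version: int = 40,
                       max_len: int = 64 * 1024 * 1024):
    """Scan an arbitrary byte blob (e.g. a .doc read from disk) for SWF headers
    and return a sorted list of (offset, signature, version, declared_length)."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            hit = _parse_swf_header(data, pos, max_version, max_len)
            if hit is not None:
                hits.append(hit)
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def build_sample_doc() -> bytes:
    """Constructed sample, not a real exploit document: compound-file magic,
    zero filler, a decoy "FWS" string that must NOT match, and one small
    zlib-compressed SWF (version 11, declared length 60) at offset 370."""
    swf_body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x18\x01\x00" + b"\x00" * 40
    swf = (b"CWS" + bytes([11]) + struct.pack("<I", 8 + len(swf_body))
           + zlib.compress(swf_body))
    return (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 248
            + b"decoy FWS\xff\x00\x00\x00\x00" + b"\x00" * 100
            + swf + b"\x00" * 32)


if __name__ == "__main__":
    for offset, sig, ver, length in find_embedded_swfs(build_sample_doc()):
        print(f"SWF at offset {offset}: {sig} version {ver}, declared length {length}")
```

Against real files, call `find_embedded_swfs(open(path, "rb").read())`. A hit in a document that has no business containing Flash content, especially alongside the `ShockwaveFlashObjects.exd` temp file listed above, is worth escalating; carving the SWF out at the reported offset is the next step before any dynamic analysis.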
Chintan Trivedi | 16 Aug 2012 16:18:28 GMT | 0 comments

Java SE is a platform-independent software platform: the same bytecode runs on Windows and on *nix-based operating systems, which widens the reach of any exploitable security vulnerability in Java. I will examine two critical Java security vulnerabilities exploited in the wild during the last few months.

Applets in a sandbox

Java applets run in a sandbox that restricts them from accessing privileged operating system functionality and some privileged Java code. An applet written by any programmer can therefore run in the browser without harming the computer, because applets are not permitted to do things like read from or write to the file system or open network connections to external hosts. Attackers who exploit Java vulnerabilities escape the restrictions of the sandbox and are free to execute arbitrary code, with potentially devastating effects on the computer.

Exploitation of Java security...

Symantec Security Response | 16 Aug 2012 15:37:11 GMT | 0 comments

W32.Disttrack is a new threat that is being used in targeted attacks against at least one organization in the energy sector. It is destructive malware that corrupts files on a compromised computer and overwrites the Master Boot Record (MBR) in an effort to render the computer unusable.

W32.Disttrack consists of several components:

  1. Dropper—the main component and source of the original infection. It drops a number of other modules.
  2. Wiper—this module is responsible for the destructive functionality of the threat.
  3. Reporter—this module is responsible for reporting infection information back to the attacker.


Dropper Component

The Dropper component performs the following actions:

  • Copies itself to %System%\trksvr.exe
  • Drops the following files embedded into resources:
    • A 64-bit version of the dropper component: %System%\trksrv.exe (...
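
The wiper component described above overwrites the MBR. As an added example (not code from the post or from Symantec), here is a Python checker that parses a 512-byte MBR image and reports the structural damage a responder looks for when deciding whether a disk was wiped: a missing 0x55AA boot signature, zeroed boot code, invalid boot indicators, and empty or overlapping partition entries. The two sample sectors are constructed for this example; the partition layout and the filler pattern are assumptions, not what W32.Disttrack writes.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"
# Partition entry: boot indicator, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA start, sector count.
PARTITION_ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(sector: bytes):
    """Split a 512-byte sector into (boot_code, [partition dicts], signature)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + PARTITION_ENTRY.size * i
        boot, _chs_s, ptype, _chs_e, start, size = PARTITION_ENTRY.unpack_from(sector, off)
        partitions.append({"boot": boot, "type": ptype, "start": start, "size": size})
    return sector[:PARTITION_TABLE_OFFSET], partitions, sector[510:512]


def mbr_findings(sector: bytes):
    """Return the reasons the sector does not look like an intact MBR.
    An empty list means every structural check passed."""
    boot_code, partitions, signature = parse_mbr(sector)
    findings = []
    if signature != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not any(boot_code):
        findings.append("boot code region is all zeros")
    used = [p for p in partitions if p["type"] != 0]
    if not used:
        findings.append("partition table is empty")
    active = 0
    for idx, p in enumerate(partitions):
        if p["boot"] not in (0x00, 0x80):
            findings.append(f"entry {idx}: invalid boot indicator 0x{p['boot']:02x}")
        elif p["boot"] == 0x80:
            active += 1
        if p["type"] != 0 and (p["start"] == 0 or p["size"] == 0):
            findings.append(f"entry {idx}: type 0x{p['type']:02x} with zero LBA start or size")
    if active > 1:
        findings.append("more than one partition is marked active")
    # Overlapping LBA ranges are another sign the table was overwritten with junk.
    ranges = sorted((p["start"], p["start"] + p["size"]) for p in used)
    for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append(f"partitions overlap: [{s1},{e1}) and [{s2},{e2})")
    return findings


def sample_intact_mbr() -> bytes:
    """Constructed sample: a few real-looking x86 boot-code bytes, one active
    NTFS (type 0x07) partition starting at LBA 2048, and a valid signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (PARTITION_TABLE_OFFSET - 7)
    entry = PARTITION_ENTRY.pack(0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def sample_wiped_mbr() -> bytes:
    """Constructed sample: a sector overwritten with a 0x00..0xFF filler pattern."""
    return bytes(range(256)) * 2


if __name__ == "__main__":
    print("intact:", mbr_findings(sample_intact_mbr()) or "no findings")
    print("wiped: ", mbr_findings(sample_wiped_mbr()))
```

To check a real disk, read its first 512 bytes (for example `dd if=/dev/sdX bs=512 count=1` on a forensic copy, or the first sector of an image file) and pass them to `mbr_findings`. An empty list does not prove the disk is intact, since the wiper also corrupts files, but a non-empty one on a suspected W32.Disttrack victim is strong evidence that the boot sector was overwritten.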
Symantec Security Response | 15 Aug 2012 21:07:32 GMT | 0 comments

Symantec has found a privacy-infringing application called Call Cheater Lite, previously distributed on Google Play, that may also result in unwanted SMS charges. The purpose of this app is to block unwanted phone calls from certain individuals (debt collectors, ex-girlfriends and boyfriends, etc.) by giving the owner of the phone the ability to play any sound or pre-recorded message to an offensive or unwanted caller. According to the application description, the user can configure the app to play a pre-recorded message or sound to make the caller believe that the phone is disconnected or out of service.


While that sounds like a good idea at first (especially if you are annoyed by a constant barrage of unwanted calls), this application also sends out the following information:...

Mircea Ciubotariu | 14 Aug 2012 19:36:01 GMT | 0 comments

The latest variant of the Zeroaccess Trojan, Trojan.Zeroaccess.C, uses a novel technique to store its malicious content: it abuses a feature of the NT File System (NTFS) called Extended Attributes (EA).

Even before Zeroaccess.C, malware authors had been looking for new ways to hide their creations by using specialized APIs provided by the file system. Two notable examples are the use of Alternate Data Streams (ADS) and the Encrypting File System (EFS).

Trojan.Zeroaccess.C uses ZwSetEaFile to write the malicious payload into the extended attributes of the file %System%\services.exe and ZwQueryEaFile to read it back for execution. The threat then patches services.exe itself, overwriting a portion of its original initialization code with code that reads the EA data and executes it directly:

...
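
The EA mechanism described above is driven through the FILE_FULL_EA_INFORMATION buffer that ZwSetEaFile accepts and ZwQueryEaFile returns: a chain of entries, each with a 4-byte NextEntryOffset, a flags byte, the name and value lengths, the NUL-terminated name and the raw value, padded to 4 bytes between entries. As an added example (not Symantec's code and not the threat's code), here is a Python builder and parser for that buffer format, plus a triage function that flags attributes whose value begins with a PE header or is unusually large, which is what a payload hidden this way would look like when the attributes are dumped. The attribute names and values are constructed for the example and the size threshold is an assumption. Calling the NT API itself (via ctypes and ntdll on Windows) is not shown; the parser consumes the buffer such a call returns.

```python
import struct

# FILE_FULL_EA_INFORMATION header: NextEntryOffset (ULONG), Flags (UCHAR),
# EaNameLength (UCHAR), EaValueLength (USHORT). The NUL-terminated name and
# the raw value follow; every entry except the last is padded to 4 bytes.
EA_HEADER = struct.Struct("<IBBH")
MAX_EA_NAME = 255
MAX_EA_VALUE = 0xFFFF


def build_ea_list(entries):
    """Serialize [(name, value_bytes, flags), ...] into one EA buffer of the
    shape ZwSetEaFile expects."""
    out = bytearray()
    for i, (name, value, flags) in enumerate(entries):
        name_b = name.upper().encode("ascii")  # NTFS stores EA names uppercased
        if len(name_b) > MAX_EA_NAME or len(value) > MAX_EA_VALUE:
            raise ValueError(f"EA {name!r}: name or value too long")
        raw_len = EA_HEADER.size + len(name_b) + 1 + len(value)
        last = i == len(entries) - 1
        padded_len = raw_len if last else raw_len + (-raw_len) % 4
        out += EA_HEADER.pack(0 if last else padded_len, flags, len(name_b), len(value))
        out += name_b + b"\x00" + value
        out += b"\x00" * (padded_len - raw_len)
    return bytes(out)


def parse_ea_list(buf: bytes):
    """Walk the NextEntryOffset chain (as returned by ZwQueryEaFile) and
    return [(name, value_bytes, flags), ...], rejecting malformed buffers."""
    entries = []
    off = 0
    while True:
        if off + EA_HEADER.size > len(buf):
            raise ValueError("truncated EA buffer")
        nxt, flags, nlen, vlen = EA_HEADER.unpack_from(buf, off)
        name_start = off + EA_HEADER.size
        value_start = name_start + nlen + 1
        if value_start + vlen > len(buf):
            raise ValueError("EA entry runs past end of buffer")
        name = buf[name_start:name_start + nlen].decode("ascii")
        entries.append((name, buf[value_start:value_start + vlen], flags))
        if nxt == 0:
            return entries
        if nxt < value_start + vlen - off or nxt % 4:
            raise ValueError("invalid NextEntryOffset")
        off += nxt


def suspicious_eas(buf: bytes, size_threshold: int = 4096):
    """Triage helper: flag EA values that look like code or are unusually
    large. The 4 KiB threshold is an assumption, tune it for your fleet."""
    findings = []
    for name, value, _flags in parse_ea_list(buf):
        reasons = []
        if value[:2] == b"MZ":
            reasons.append("value starts with an MZ (PE) header")
        if len(value) >= size_threshold:
            reasons.append(f"value is {len(value)} bytes")
        if reasons:
            findings.append((name, reasons))
    return findings


def sample_ea_buffer() -> bytes:
    """Constructed sample: one benign 3-byte attribute followed by a 6,002-byte
    attribute whose value begins with a PE header, standing in for a payload."""
    return build_ea_list([
        ("Sample.Attr", b"\x01\x02\x03", 0),
        ("Payload", b"MZ" + b"\x90" * 6000, 0),
    ])


if __name__ == "__main__":
    for name, reasons in suspicious_eas(sample_ea_buffer()):
        print(f"{name}: {'; '.join(reasons)}")
```

On a live Windows system the buffer to inspect is what NtQueryEaFile returns for %System%\services.exe. Because EA data lives outside the file's main data stream, a hidden payload alone does not change the file's hash; it is the patch to the initialization code described above that makes services.exe fail an integrity check, so an EA sweep complements rather than replaces file-hash verification.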

Candid Wueest | 14 Aug 2012 17:42:43 GMT | 0 comments

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing nine bulletins covering a total of 26 vulnerabilities. Twenty-one of this month's issues are rated 'Critical'. The Critical issues affect Windows common controls, Internet Explorer, Remote Desktop Protocol (RDP), the Print Spooler service, Remote Administration Protocol (RAP), and Microsoft Exchange Server.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available
  • Run all software with the least privileges required while still maintaining functionality
  • Avoid handling files from unknown or questionable sources
  • Never visit sites of unknown or questionable integrity
  • Block external access at the network perimeter to all key systems unless specific access is required

Microsoft's summary of the August releases can be found here...

Santiago Cortes | 14 Aug 2012 16:23:07 GMT | 0 comments

Thanks to Denis Carmody for his assistance with this research.

In June we blogged about Trojan.Exprez.B, a new version of a threat family that targeted Spanish companies and institutions. More recently, we have encountered a new version of Trojan.Exprez.B that targets companies in the Netherlands and Denmark. It is still the same threat, but with new updates and new targets. The threat is also referred to as XDocCrypt and Dorifel.

As described in our previous blog, Trojan.Exprez.B was able to spread through removable and network drives and to infect executables and Office documents—so what are the August updates?

Previously, the...