Security Response
Candid Wueest | 12 Aug 2014 15:58:36 GMT

In the security field, virtual machines (VMs) have been used for many years and are popular among researchers because malware can be executed and analyzed on them without having to reinstall production systems every time. As we previously discussed, these tests can be done manually or on automated systems, with each method providing different benefits or drawbacks. Every artifact is recorded and a conclusion is made to block or allow the application. For similar reasons, sandbox technology and virtualization technology have become a common component in many network security solutions. The aim is to find previously unknown malware by executing the samples and analyzing their behavior.

However, there is an even bigger...

Symantec Security Response | 07 Aug 2014 14:01:54 GMT

A cyberespionage campaign involving malware known as Wipbot and Turla has systematically targeted the governments and embassies of a number of former Eastern Bloc countries. Trojan.Wipbot (known by other vendors as Tavdig) is a back door used to facilitate reconnaissance operations before the attackers shift to long-term monitoring operations using Trojan.Turla (which is known by other vendors as Uroboros, Snake, and Carbon). It appears that this combination of malware has been used for classic espionage-type operations for at least four years. Because of the targets chosen and the advanced nature of the malware used, Symantec believes that a state-sponsored group was behind these...

Laura O'Brien | 06 Aug 2014 14:27:42 GMT

A recent report claimed that a Russian cybercrime group stole 1.2 billion user names and passwords from 420,000 websites. The breaches reportedly affect a huge variety of entities ranging from Fortune 500 firms to very small sites. The affected sites weren’t identified, as many of them are still vulnerable to attack.

The group allegedly managed to obtain these details by using botnets to probe websites for vulnerabilities. The report states that when one of the botnet’s infected computers visits a website, the attackers force the computer to carry out an SQL injection attack on the site to see if it contains vulnerabilities. If the site is...

Symantec Security Response | 06 Aug 2014 12:10:36 GMT

Since its emergence in 2007, Trojan.Asprox has remained one of the most prolific botnets on the threat landscape. During this time it has evolved into a formidable threat encompassing new functionalities which have been well documented within the information security industry. While always maintaining a presence on the threat landscape, since late last year the Asprox botnet has resurged and has been steadily increasing its numbers as a result of ongoing self-propagating spam campaigns.

Now Symantec has observed Trojan.Asprox.B, adding yet another new module to its arsenal in the form of a URL viewer that is used to push advertising pages to a victim’s browser. To date, we have observed Asprox push casino, loan, mobile spyware, and pornographic adverts to unwilling victims’ browsers. In...

Avdhoot Patil | 01 Aug 2014 08:32:58 GMT

Contributor: Virendra Phadtare

Phishers are continuing to focus on social networks as a platform for their phishing activities. Fake social media applications in phishing sites are not uncommon. In the past, we have seen a bogus Asian chat app and a fake voting campaign in phishing attacks. These fake apps are typically developed for the purpose of harvesting personal information. 

Symantec recently observed a phishing site with a fake gaming application that claimed to offer unlimited chips for an Indian poker gaming application called Teenpatti. Phishers promoted a fake version of the Teenpatti game called “Teenpatti Hack”. The phishing site was hosted on a free Web hosting service.

...

Kazumasa Itabashi | 31 Jul 2014 11:37:17 GMT

Symantec Security Response has observed a new variant of ransomcrypt malware which is easy to update and uses open source components to encrypt files. The variant, detected as Trojan.Ransomcrypt.L, uses a legitimate open source implementation of the OpenPGP standard to encrypt files on the victim’s computer. The threat then displays a ransom notice in Russian, asking the user to pay in order to unlock the files.

This isn’t the first time we’ve seen malware authors using open source encryption components in their ransomware threats, but it does show a continuing trend of attackers making ransomware easier to create and maintain. While ransomware can typically be complex, the malware author for Trojan.Ransomcrypt.L made the threat easy to develop and maintain.

...

Symantec Security Response | 30 Jul 2014 14:27:53 GMT

Each day, millions of people worldwide are actively recording every aspect of their lives, thoughts, experiences, and achievements in an activity known as self-tracking (aka quantified self or life logging). People who engage in self-tracking do so for various reasons. Given the amount of personal data being generated, transmitted, and stored at various locations, privacy and security are important considerations for users of these devices and applications. Symantec has found security risks in a large number of self-tracking devices and applications. One of the most significant findings was that all of the wearable activity-tracking devices examined, including those from leading brands, are vulnerable to location tracking. 

Our researchers built a number of scanning devices using Raspberry Pi minicomputers and, by taking them out to athletic...

Symantec Security Response | 28 Jul 2014 15:21:02 GMT

Symantec Security Response has found that a new variant of Trojan.Snifula (Neverquest) is targeting more than 30 Japanese financial institutions, including 12 regional banks. The threat first appeared in 2006 and is used to steal victims’ financial information from specific banking sites through man-in-the-browser (MITB) techniques. Snifula’s new targets show that the malware is broadening its focus to smaller financial institutions, meaning that consumers should be wary of the threat regardless of which bank they use. 

We previously predicted that Snifula would be updated to target additional financial institutions and now it has happened. While monitoring Snifula’s activities, we came across a configuration file for a Snifula variant that lists 20 credit card sites and 17 online...

Symantec Security Response | 25 Jul 2014 13:41:11 GMT

Symantec Security Response recently discovered a peculiar back door program that targeted a Korean organization. The malware, detected by Symantec as Backdoor.Baccamun, is dropped by an RTF document written in Korean that is disguised as an internal invitation to the organization’s employees for a free car inspection. The document file exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) and drops Backdoor.Baccamun upon successful exploitation of the vulnerability.

The back door is quite compact (19 kilobytes), smaller than the average back door program. It can perform the following actions:

  • List running processes
  • Terminate...

Binny Kuriakose | 23 Jul 2014 23:28:53 GMT

Contributor: Mayur Deshpande

Phishing emails masquerading as banking communications are observed in huge quantities every single day. Spammers will often exploit global news and major world events to carry out phishing attacks. Phishing emails often use international and regional news to disguise their phishing content and pressure recipients into giving up sensitive personal data.

Recently, Canada enacted an anti-spam law which mandates that all companies obtain explicit consent from customers for email correspondence. Spammers exploited this news to send phishing emails pretending to request consent for emails. The phishing attempt shown below goes a step further and fabricates fake news about a similar law in the United States.

Figure. Phishing sample...