Security Response
Sean Butler | 29 Oct 2014 06:04:06 GMT

Symantec has recently seen a spam campaign involving fake wire transfer request emails. While this technique is not new, and has had some coverage in the press this year, we have seen an increase in this type of spam recently.

The purpose of this type of email is very simple—to get the recipient to process a payment for non-existent goods or services by way of a wire or credit transfer. The scammers send an email to a target recipient, usually pretending to be from the CEO or a senior executive of an organization. The scammers will usually send the fake wire transfer emails to employees working in the finance department of a company, as those employees will have the ability to action payment requests.

Another tactic the scammers use...

Symantec Security Response | 22 Oct 2014 17:15:56 GMT

At least two groups of attackers are continuing to take advantage of the recently discovered Sandworm vulnerability in Windows by using an exploit that bypasses the patch. The vulnerability came to light following its exploit by a group known as Sandworm, but there is now some evidence to suggest that at least one of these other groups was aware of its existence before its disclosure on October 14.

As with Sandworm, these attacks once again used infected PowerPoint documents, sent as email attachments, as the means of infection. These malicious attachments are detected by Symantec as Trojan.Mdropper. The attacks are being used to deliver at least two different payloads to victims, Trojan.Taidoor and ...

Candid Wueest | 21 Oct 2014 12:07:09 GMT

Download a copy of our whitepaper: The continued rise of DDoS attacks.

Distributed denial-of-service (DDoS) attacks are not a new concept, but they have proven to be effective. In the last few years they have grown in intensity as well as in number, whereas the duration of an attack is often down to just a few hours. Such attacks are simple to conduct for the attackers, but they can be devastating for the targeted companies. Amplification attacks especially are very popular at the moment as they allow relatively small botnets to take out large targets. For such an attack, spoofed traffic is sent to a third-...

Bhaskar Krishna | 20 Oct 2014 16:45:39 GMT

Contributor: Joseph Graziano

PDF invoices sent over email have become increasingly common in today’s business world. However, that doesn’t mean that the file format comes without complications. Acting on these invoices without verifying them with the purported sender can lead to a compromised computer, with the user’s confidential data in jeopardy.

Over the past week, Symantec has observed a spam campaign involving suspicious emails that masquerade as unpaid invoices. However, these suspicious emails come with a nasty surprise attached in the form of a malicious .pdf file.

Figure 1. Malicious .pdf file attached to suspicious email

While these invoices may appear to be legitimate because the sender’s email address may be associated with a major company, the emails contain spelling errors in the subject line and the body of the email...

Nick Johnston | 17 Oct 2014 20:01:12 GMT

In March 2014, we blogged about how Google Docs and Google Drive users were being targeted by a sophisticated phishing scam. In this scam, messages included links to a fake Google Docs login page hosted on Google itself.

We continue to see millions of phishing messages every day, and recently we saw a similar scam targeting Dropbox users. The scam uses an email (with the subject "important") claiming that the recipient has been sent a document that is too big to be sent by email, or cannot be sent by email for security reasons. Instead, the email claims, the document can be viewed by clicking on the link included in the message. However, the link opens a fake Dropbox login page, hosted on Dropbox itself.


Figure 1. Fake Dropbox login page

Symantec Security Response | 16 Oct 2014 19:41:59 GMT


A newly discovered vulnerability in an old version of the SSL protocol represents a threat to a high number of Web servers because they contain legacy support for the outdated technology. The SSL Man In The Middle Information Disclosure Vulnerability (CVE-2014-3566) affects version 3.0 of SSL, which was introduced in 1996, and has since been superseded by several newer versions of its successor protocol, TLS. However, the vulnerability may still be exploited because SSL 3.0 continues to be supported by nearly every Web browser and a large number of Web servers.

SSL and TLS are both secure protocols for Internet communication and work by encrypting traffic between two computers. Most TLS clients will downgrade the protocol they use to SSL 3.0 if they have to work with legacy servers. The...

PraveenSingh | 14 Oct 2014 20:37:12 GMT


Hello, welcome to this month's blog on the Microsoft patch release. This month, the vendor is releasing eight bulletins covering a total of 24 vulnerabilities. Thirteen of this month's issues are rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required....

Symantec Security Response | 14 Oct 2014 19:50:38 GMT

Symantec is investigating reports that a zero-day vulnerability affecting Microsoft Windows TrueType Font (TTF) parsing is being exploited in a limited number of attacks. The Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (CVE-2014-4148) is reportedly being exploited to gain remote access into an international organization.

The attack consisted of a document with a malicious TTF, which when viewed on a vulnerable computer would result in the execution of additional malware. The payload was a somewhat sophisticated remote access Trojan (RAT) that would run from memory. Symantec regards this vulnerability as critical since it affects all supported versions of the Windows OS and allows an attacker to execute code remotely on the compromised computer.

On October 14, 2014, Microsoft issued a security bulletin which provides a patch for the vulnerability. We recommend...

Symantec Security Response | 14 Oct 2014 16:00:10 GMT

A coordinated operation involving Symantec and a number of other security companies has delivered a blow against Backdoor.Hikit and a number of other malware tools used by the Chinese-based cyberespionage group Hidden Lynx. Dubbed Operation SMN, this cross-industry collaboration has seen major security vendors share intelligence and resources, resulting in the creation of comprehensive, multi-vendor protection which may significantly blunt the effectiveness of this malware. The organizations involved in this operation include Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Symantec, ThreatConnect, Tenable, ThreatTrack Security, Novetta, and Volexity.

The Hikit back door has been used in cyberespionage attacks against a range of targets in the US, Japan, Taiwan,...

Symantec Security Response | 14 Oct 2014 15:38:06 GMT
A critical new vulnerability in the Windows operating system is reportedly being exploited in a limited number of attacks against targets in the US and Europe. The Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114) allows attackers to embed Object Linking and Embedding (OLE) files from external locations. The vulnerability can be exploited to download and install malware on to the target’s computer. The vulnerability appears to have been used by a cyberespionage group known as Sandworm to deliver Backdoor.Lancafdo.A (also known as the Black Energy back door) to targeted organizations.

The vulnerability affects all versions of Windows...