Video Screencast Help
Security Response
Showing posts in English
Symantec Security Response | 13 Nov 2014 05:49:55 GMT

JustSystems has issued an update to its Ichitaro product line (Japanese office suite software), plugging a zero-day vulnerability. The Multiple Ichitaro Products Unspecified Remote Code Execution Vulnerability (CVE-2014-7247) is being actively exploited in the wild to specifically target Japanese organizations.

The exploit is sent to the targeted organizations through emails with a malicious Ichitaro document file attached, which Symantec products detect as Exp.CVE-2014-7247. Payloads from the exploit may include Backdoor.Emdivi, Backdoor.Korplug, and...

PraveenSingh | 11 Nov 2014 23:14:08 GMT

ms-tuesday-patch-key-concept-white-light 2_0.png

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing fourteen bulletins covering a total of 33 vulnerabilities. Fourteen of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required...
Liam O Murchu | 11 Nov 2014 08:00:14 GMT

Today, Kim Zetter released her book, “Countdown to Zero Day”. The book recounts the story of Stuxnet’s attempt to sabotage Iran’s uranium enrichment program. The work that Eric Chien, Nicolas Falliere, and I carried out is featured in the book. During the process of writing the book, Kim interviewed us on many occasions and we were lucky enough to be able to review an advanced copy.

Figure 1. Kim Zetter’s new book, “Countdown to Zero Day”

In chapter 17 of the book, “The Mystery of the Centrifuges”, Kim talks about how Stuxnet infections began in Iran, identifying several companies where she believes the infections originated.

“To get their weapon into the plant, the attackers launched an offensive against four companies. All of the companies were involved in industrial control processing of some sort, either manufacturing products or...

Lionel Payet | 07 Nov 2014 18:40:02 GMT

Ransomlock 1.jpg

What’s true for businesses is also true for scams and malware−to remain successful, they must evolve and adapt. Sometimes, ideas or methods are borrowed from one business model and used in another to create an amalgamation. After all, some of the best creations have come about this way; out of ice-cream and yogurt was born delicious frogurt, and any reputable hunter of the undead will tell you the endless benefits of owning a sledge saw. Cybercriminals responsible for malware and various scams also want their “businesses” to remain successful and every now and again, they too borrow ideas from each other. We recently came across an example of this when we discovered a technical support phone scam that uses a new ransomware...

Symantec Security Response | 06 Nov 2014 21:01:30 GMT


Symantec Security Response is currently investigating OSX.Wirelurker, a threat that targets Apple computers running Mac OS X and Apple devices running iOS. WireLurker can be used to steal information from compromised iOS devices.

Figure. Maiyadi App Store

WireLurker was discovered on the Maiyadi App Store, a third-party app store in China. The threat is Trojanized into pirated Mac OS X applications. Once a pirated application has been downloaded onto a computer running OS X, WireLurker...

Ankit Singh | 04 Nov 2014 11:02:49 GMT


On October 27, while tracking exploit kits (EKs) and infected domains, Symantec discovered that the popular music news and reviews website was redirecting visitors to the Rig exploit kit. This exploit kit was discovered earlier this year and is known to be the successor of another once popular EK, Redkit. The Rig EK takes advantage of vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight and was also one of the EKs associated with the compromise back in June.

At the time of writing, the website was no longer compromised....

Symantec Security Response | 01 Nov 2014 00:11:56 GMT

Symantec Security Response has seen an increase in the number of reports related to a threat known as Trojan.Poweliks. Poweliks is unique when compared to traditional malware because it does not exist on a compromised computer as a file. Instead, it is located in a registry subkey that is found within the computer’s registry.

Poweliks 1 edit.png
Figure. Trojan.Poweliks registry subkey

While Trojan.Poweliks is unique in how it resides on a computer, it can arrive on a computer through more common methods, such as malicious spam emails and exploit kits. Once on the compromised computer, Trojan.Poweliks can then receive commands from the remote attacker.

Poweliks has reportedly been delivered through malicious spam emails that claim...

Sean Butler | 29 Oct 2014 06:04:06 GMT


Symantec has recently seen a spam campaign involving fake wire transfer request emails. While this technique is not new, and has had some coverage in the press this year, we have seen an increase in this type of spam recently.

The purpose of this type of email is very simple—to get the recipient to process a payment for non-existent goods or services by way of a wire or credit transfer. The scammers send an email to a target recipient, usually pretending to be from the CEO or a senior executive of an organization. The scammers will usually send the fake wire transfer emails to employees working in the finance department of a company, as those employees will have the ability to action payment requests.

Another tactic the scammers use...

Symantec Security Response | 22 Oct 2014 17:15:56 GMT

At least two groups of attackers are continuing to take advantage of the recently discovered Sandworm vulnerability in Windows by using an exploit that bypasses the patch. The vulnerability came to light following its exploit by a group known as Sandworm, but there is now some evidence to suggest that at least one of these other groups was aware of its existence before its disclosure on October 14.

As with Sandworm, these attacks once again used infected PowerPoint documents, sent as email attachments, as the means of infection. These malicious attachments are detected by Symantec as Trojan.Mdropper. The attacks are being used to deliver at least two different payloads to victims, Trojan.Taidoor and ...

Candid Wueest | 21 Oct 2014 12:07:09 GMT

Download a copy of our whitepaper: The continued rise of DDoS attacks.

Distributed denial-of-service (DDoS) attacks are not a new concept, but they have proven to be effective. In the last few years they have grown in intensity as well as in number, whereas the duration of an attack is often down to just a few hours. Such attacks are simple to conduct for the attackers, but they can be devastating for the targeted companies. Amplification attacks especially are very popular at the moment as they allow relatively small botnets to take out large targets. For such an attack, spoofed traffic is sent to a third-...