Security Response
Jeet Morparia | 15 Oct 2013 00:26:06 GMT

Backdoor.Egobot is a Trojan used in campaigns targeting Korean interests. The execution of the campaigns is straightforward and effective. Symantec data indicates the campaigns have been in operation since 2009. Egobot has continuously evolved by adding newer functionalities. The attackers use the four golden rules of a targeted campaign:

  1. Identify targets
  2. Exploit targets (in order to drop the payload)
  3. Perform malicious activity (in this case, stealing information)
  4. Remain undetected

We have also uncovered a parallel campaign that has been in operation since as early as 2006, which we will cover in another blog.
 

Egobot targets

Egobot is...

Anand Muralidharan | 14 Oct 2013 10:33:39 GMT

Diwali, also known as the festival of lights, is a much-loved five-day Hindu festival that lifts the mood and spirit of everyone taking part in the celebrations. This year the festival falls in November and, as expected, Diwali-themed scam emails have started to flow into the Symantec Probe Network.

One scam email we have identified purports to come from the Reserve Bank of India and claims that the recipient has been awarded a prize of 4 crore and 70 lac Indian rupees (47,000,000 rupees, roughly US$760,000 at October 2013 exchange rates) in a Diwali celebration promotion. To claim the prize, the recipient is asked to send their personal information to a given email address.

The following subject line has...

Daniel Regalado | 11 Oct 2013 23:05:17 GMT

Contributor: Val S


It is well known that organized crime in Mexico is always finding new ways to steal money from people. Automatic teller machines (ATMs) are one of the common targets in this effort, but the challenge is actually getting the money out of the machine. The three most common ways to accomplish this are:

  1. Kidnapping: Criminals kidnap a person for as long as it takes to withdraw all the money from their account. The time depends on the money available in the account since normally there is a limit on the amount allowed to be dispensed per day.
  2. Physically stealing the ATM: Criminals remove the ATM and take it to a location where they can go to work accessing the cash inside. In this scenario, the loss of cash is only one consequence as the criminals...
Symantec Security Response | 09 Oct 2013 14:08:36 GMT
In Microsoft’s Patch Tuesday for October 2013, the company released MS13-080, which includes fixes for two critical Internet Explorer vulnerabilities that have been actively exploited in limited targeted attacks. The first, the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893), was discussed in an earlier Symantec blog.
 
The second is the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3897). In a blog post from...
Avdhoot Patil | 09 Oct 2013 12:25:44 GMT
Contributor: Daniel Regalado Arias
 
Phishers frequently introduce bogus applications to add new flavor to their phishing baits. Let’s have a look at a new fake app that phishers are leveraging. In this particular scam, phishers were trying to steal login credentials, but the phishing bait was not their only means of data theft: the ploy also used malware to harvest users’ confidential information. The phishing site spoofed the Facebook login page and was hosted on a free web hosting site.
 
Figure 1: The phishing site that spoofed the appearance of Facebook’s login page
 
The phishing site boasted that the application would enable users to view a list of people who visited their profile page. The site offered two options...
Dinesh Theerthagiri | 08 Oct 2013 20:00:32 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing eight bulletins covering a total of 26 vulnerabilities. Sixteen of this month's issues are rated ‘Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the October releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Oct

The following is a breakdown of the...

Ashish Diwakar | 03 Oct 2013 14:11:54 GMT

Spammers are now leveraging news of the Kenya terror attack, targeting users with an email message that claims to contain news on the attack but in fact leads to malware. The spam email includes a malicious URL in the body of the message that redirects users to a compromised web page, which downloads W32.Extrat.

When the malware is executed, it may create the following file:

  • %Windir%\installdir\server.exe

Once installed, the malware allows the attacker to steal passwords and gain access to sensitive files and information belonging to the user.

Figure. Screenshot of spam email asking user to download .exe file

The email displays a message to “Click HERE to view & watch” videos and images of the terror attack at the...

Anand Muralidharan | 02 Oct 2013 10:42:56 GMT

The latest news making headlines around the world is the partial shutdown of the US government after a failure to agree on a new budget. Ever quick to take advantage of a situation, cybercriminals have begun to send various spam messages related to the government shutdown. These spam messages have started flowing into the Symantec Probe Network. We have observed that most of the spam samples encourage users to take advantage of clearance sales on cars and trucks. Clicking the included URL automatically redirects the user to a website containing a bogus offer.

Figure 1. US government shutdown themed spam email

In the messages Symantec has observed, the spammers are using randomized email headers, which may be an attempt to evade antispam filters. Some of the headers used in this latest spam campaign can be easily recognized...

khaley | 01 Oct 2013 22:10:00 GMT

The P in PC stands for personal. We don’t think of that much anymore. It was a big deal in 1981 when IBM introduced the PC and it sat on your desk or underneath it. You didn’t share it with anyone. It was personally yours.

Kinda.

Frankly, I’m not sure we ever had a “personal” relationship with our PCs, but we really have a personal relationship with our cell phones. In fact, according to the 2013 Norton Report, 48 percent of people sleep within arm’s reach of their phones. Twenty-five percent check their phone during a dinner with friends. And 49 percent of people get upset if they leave their mobile phones at home when they go out.

It’s hard to see anyone making sure they slept within arm’s reach of their PC, but mobile phone users treat their devices like a loved one. Maybe that’s why...

Anand Muralidharan | 30 Sep 2013 14:00:20 GMT
Symantec has observed a new spam tactic that targets YouTube: the email content includes a random YouTube link alongside spam URLs that use .avi and .mp3 extensions. As with the pharmaceutical spam we previously observed in this blog (Pharma Spammers Brandjack YouTube), this threat promotes pharmacy sites.
 
In this new spam threat, clicking the links redirects users to a fake pharmacy website. The following URLs with .avi and .mp3 extensions were seen in spam samples examined by Symantec:
 
http://www.[REMOVED].com/Fox.avi
http://www.[REMOVED].com/Yamamoto.avi
http://www.[REMOVED].vn/Larue.avi 
http://www.[REMOVED].com/McAlear.avi
http://www.[REMOVED].ru/87342.mp3
http://www.[REMOVED].ru/327182.mp3
http://www.[REMOVED].fr/472738.mp3
http://www.[REMOVED...
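The lure in this campaign is a URL that looks like a media file but, as the post notes, only redirects the victim to a pharmacy site. The Python below is an added example (not code from the Symantec post) showing how a mail filter could triage such links in two stages: first pull out links whose path ends in .avi or .mp3, then check whether the server actually serves media or just redirects or returns HTML. The sample email body, domains and canned HTTP responses are constructed for illustration; the `probe` callback stands in for a real HEAD request through a sandboxed fetcher.

```python
"""Triage spam links that pose as .avi/.mp3 files but redirect elsewhere.

Added example; not Symantec's code. All sample data below is constructed.
"""
import re
from urllib.parse import urlsplit

# Assumed watch-list: the post names only .avi and .mp3.
MEDIA_EXTENSIONS = {".avi", ".mp3"}
MEDIA_CONTENT_PREFIXES = ("audio/", "video/")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    """All http(s) URLs in a message body, with trailing punctuation stripped."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(body)]


def path_extension(url):
    """Lower-cased extension of the URL path ('' if none); query string ignored."""
    path = urlsplit(url).path
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""


def media_extension_urls(body):
    """Stage 1, content only: links whose path looks like a media file."""
    return [u for u in extract_urls(body) if path_extension(u) in MEDIA_EXTENSIONS]


def is_media_lure(url, status, headers):
    """Stage 2, fetch-time: a 'media' link that redirects or serves HTML is a lure.

    headers: response header dict with lower-cased keys.
    """
    if path_extension(url) not in MEDIA_EXTENSIONS:
        return False
    if 300 <= status < 400 and "location" in headers:
        return True  # media-looking URL that only bounces the victim elsewhere
    ctype = headers.get("content-type", "").lower()
    return not ctype.startswith(MEDIA_CONTENT_PREFIXES)


def triage(body, probe):
    """Return {url: verdict} for every media-looking link in body.

    probe(url) -> (status, headers) is injected so the logic runs offline;
    in production it would be a HEAD request from a sandboxed fetcher.
    """
    verdicts = {}
    for url in media_extension_urls(body):
        status, headers = probe(url)
        verdicts[url] = "lure" if is_media_lure(url, status, headers) else "media"
    return verdicts


# ---- constructed sample: a spam body and canned responses (not real data) ----
SAMPLE_BODY = """\
Check out this video http://www.youtube.com/watch?v=EXAMPLE and then
download the full clip here: http://www.example.com/Fox.avi
Audio version: http://www.example.org/87342.mp3.
Genuine file for comparison: http://media.example.net/intro.mp3
"""

CANNED_RESPONSES = {
    "http://www.example.com/Fox.avi": (302, {"location": "http://pharmacy.example/"}),
    "http://www.example.org/87342.mp3": (200, {"content-type": "text/html; charset=utf-8"}),
    "http://media.example.net/intro.mp3": (200, {"content-type": "audio/mpeg"}),
}


def canned_probe(url):
    """Offline stand-in for an HTTP HEAD request."""
    return CANNED_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_BODY, canned_probe).items():
        print(f"{verdict:5} {url}")
```

The YouTube link is ignored by stage 1 because its path carries no extension; only the three media-looking links are probed, and the two that redirect or return HTML are reported as lures while the one serving `audio/mpeg` is not. Extension matching alone is not enough: plenty of legitimate mail carries real .mp3 links, so the fetch-time mismatch check is what makes the verdict useful.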