Video Screencast Help
Security Response
Showing posts in English
Roberto Sponchioni | 11 Sep 2013 10:08:58 GMT

Contributor: Lionel Payet

Back in June we discovered a malicious Android application that was holding user’s Android phones for ransom. This discovery confirmed earlier predictions that ransomware would evolve and arise on new platforms, such as mobile devices.

 

As part of our pre-emptive SMS spam domain identification, we have detected a recently-registered domain that is currently serving a new Android FakeAV app using ransomware social engineering.  Different hints led us to believe that this application is linked to, or coming from, the same authors behind Android.Fakedefender, which we blogged about back in June. Despite it using a new design and a different ransom payment method, this new variant still contains the older images in its package file....

Dinesh Theerthagiri | 10 Sep 2013 19:59:32 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing thirteen bulletins covering a total of 47 vulnerabilities. Thirteen of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the September releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Sep

The following is a breakdown of...

Joji Hamada | 09 Sep 2013 23:57:03 GMT

For many of us around the globe, August may be a month to take a bit of a break from work and go on a summer holiday. In contrast, August appears to the busiest month of the year for the scammers developing Japanese one-click fraud apps. They have increased productivity to publish close to 1,000 fraudulent apps on Google Play during August. As a result, they have succeeded in tricking Android device owners into downloading the apps at least 8,500 times, according to statistic shown on the Google Play app pages. The actual figure is likely much higher and probably exceeds well over 10,000 downloads.
 

Figure1_0.png

Figure 1. Daily publication count for August
 

The number of one-click fraud apps...

Christopher Mendes | 09 Sep 2013 17:22:41 GMT

Contributor: Binny Kuriakose

Spammers continue to leverage the crisis in Syria for their personal gain. Besides taking advantage of a scam message that claimed to be from The Red Cross, spammers are now taking advantage of emails about the news in Syria. They have snuck in a few malicious messages containing random URLs that entice users to go to a compromised malicious website that hosts obfuscated JavaScript codes that downloads the Trojan, Downloader.Ponik.

When the Trojan is executed, it may create the following files:

  • %TEMP%\[RANDOM CHARACTERS FILE NAME].bat
  • %UserProfile%\Local Settings\Application Data\pny\pnd.exe

The files then inject a malicious executable payload, which may allow the attacker to steal passwords and sensitive...

Symantec Security Response | 06 Sep 2013 22:12:35 GMT

Targeted attacks are a daily occurrence and attackers are fast to employ the latest news stories in their social engineering themes. In a recent targeted attack, delivering a payload of Backdoor.Korplug and caught by our Symantec.cloud services, we observed an attacker taking advantage of a recently published article by the Washington Post in relation to chemical attacks in Syria. The attacker took the full text of the article and used it in their own malicious document in an effort to dupe victims into believing the document was legitimate.
 

...

Val S | 04 Sep 2013 19:19:19 GMT

Contributor: Roberto Sponchioni

Symantec Security Response has recently come across a new remote access tool (RAT) called Alusinus, which we detect as Backdoor.Alusins. The program was intended for the Spanish speaking underground and the builder itself is rather straightforward with several standard functions, although one function is interesting and is worth noting. The builder allows the RAT to inject itself into a clean process, such as calc.exe, svchost.exe, or notepad.exe in order to improve its chances of evading detection.
 

Spanish RAT 1.png

Figure 1. Backdoor.Alusins control panel – user name/computer name, AV and firewall information are reported back to attacker
 

...
Satnam Narang | 03 Sep 2013 17:35:39 GMT

Ahead of this week's G20 summit in Saint Petersburg, Russia, attackers are leveraging the meeting's visibility in targeted attacks.

One particular campaign we have identified is targeting multiple groups. They include financial institutions, financial services companies, government organizations, and organizations involved in economic development.
 

image1_11.png

Figure 1. Email purporting to be from G20 Representative
 

The email purports to be sent on behalf of a G20 representative. The email continues:
 

Many thanks for circulating these updated building blocks. Please find the UK comments on these attached. I look forward to seeing you in St Petersburg soon....

Joji Hamada | 30 Aug 2013 07:56:51 GMT

Shortcut files have recently become a common vehicle used in targeted attacks to deliver malware into organizations. Symantec has observed a variety of ways shortcut files are being used to penetrate networks, such as the one described in a previous blog. We recently came across another example of how this file type is being used in an attempt to evade detection by security products and trick email recipients into executing attachments. In this variation, an email with disassembled malware attached is sent to a recipient along with a shortcut file used to reassemble the malware.

The email used for this attack included an archive file as an attachment containing a shortcut file with an icon of a folder along with a real folder containing a Microsoft document file and two hidden files with .dat file extensions.

...

Nick Johnston | 29 Aug 2013 08:24:31 GMT

As the international community coordinates its response to the deepening crisis in Syria, scammers have once again demonstrated their skill at using current, high-profile events to their advantage. We have previously covered these methods in regards to Egypt, Libya, and the Rugby World Cup.

We recently identified a scam message that claimed to be from The Red Cross. The message explains how the conflict is creating a humanitarian crisis and urges people to support The Red Cross and The Red Crescent.

SyriaScam.png

Curiously, the email includes a link to the actual British Red Cross...

Symantec Security Response | 28 Aug 2013 07:00:30 GMT

In April 2013, the administrative assistant to a vice president at a French-based multinational company received an email referencing an invoice hosted on a popular file sharing service. A few minutes later, the same administrative assistant received a phone call from another vice president within the company, instructing her to examine and process the invoice. The vice president spoke with authority and used perfect French. However, the invoice was a fake and the vice president who called her was an attacker.

The supposed invoice was actually a remote access Trojan (RAT) that was configured to contact a command-and-control (C&C) server located in Ukraine. Using the RAT, the attacker immediately took control of the administrative assistant’s infected computer. They logged keystrokes, viewed the desktop, and browsed and exfiltrated files. 

These tactics, using an email followed up by a phone call using perfect French, are highly unusual and are a sign of...