
Security Response

Joseph Bingham | 13 Aug 2012 20:48:53 GMT | 0 comments

A low level file system driver was bundled with the latest version of Backdoor.Proxybox named "rxsupply". The malicious driver was designed to deny access to the files used by the malware in order to improve persistence on compromised computers. The driver functionality and methods used for hooking kernel file system access are described below.

Figure 1. File system device stack with malicious file system filter

The malicious driver is loaded by Windows as a service at system startup. The entry point of the driver performs the following steps to act as a file system filter:

  • Sets up its own IRP filter functions.

...

Mathew Maniyara | 10 Aug 2012 18:50:42 GMT | 0 comments

Celebrities are frequently featured in phishing sites. Now, phishers have taken an interest in targeting French users by using teenage celebrities as bait. Some of the celebrities recently used as bait were the singers Jojo, Justin Bieber, and Zac Efron. The phishing sites were hosted on free Web hosting sites.

In the first example, the phishing site spoofed the login page of an email service of a popular information services brand. The phishing page contained an image of Jojo and the contents of the page were altered to promote the singer. The legitimate brand does not promote any celebrities, but phishers modified the contents of the page to entice users. Phishers believe that by using popular celebrities they can gain a larger audience, which increases their chances of harvesting user credentials. After the login credentials have been entered, users are redirected to the legitimate website.

...

Ben Nahorney | 10 Aug 2012 18:41:06 GMT | 0 comments

Contributor: Sean Hittel

In the latest edition of the Threat Intelligence Report, we take a look at how Web attack toolkits are one of the largest risks to Internet security out there today. But unlike viruses, Trojans, and worms, they’re not a threat to an end-user in the traditional sense. Attack toolkits are more akin to a pizza delivery service. Only in this case the “pizza” is malicious code and the “customer” is the unsuspecting, and often unpatched, user.

Attack toolkits are a means of delivery for malicious code, and a very effective one at that. As we mentioned in volume 17 of the Internet Security Threat Report, Web attack toolkits made up almost two-thirds of all malicious activity on malicious websites in 2011. And that number continues to rise—there are currently three times as many Web attacks...

Mathew Maniyara | 10 Aug 2012 16:56:45 GMT | 0 comments

Co-Author: Avdhoot Patil

Lucky draw prizes are commonly used as bait in phishing schemes. The fake lottery prizes observed last Christmas and the charity lottery are examples. In July 2012, phishers offered a smart phone as a lucky draw prize. The phishing site spoofed a telecommunications company based in France and was hosted on servers based in Fulshear, USA.

The phishing site was in French and the title translates to “Congratulations”. A message on the phishing site stated that a lucky draw takes place every day and that the user won the draw for the current day. In this case, the lucky draw prize mentioned was a smart phone. To attain the prize, the user was required to enter personal information, including their:

  • User name
  • Surname...

Symantec Security Response | 10 Aug 2012 00:34:35 GMT | 0 comments

Kaspersky Lab has discovered complex espionage malware named Gauss which steals a broad set of data from compromised computers and sends it to command-and-control servers.

Symantec currently detects this latest threat as W32.Gauss and preliminary reports suggest the highest concentrations of W32.Gauss appear in the Middle East.

Figure. W32.Gauss distribution with concentrations in the Middle East

Gauss is similar in design and function to W32.Flamer:

  • Modular structure
  • ...

Val S | 09 Aug 2012 21:58:48 GMT | 0 comments

Attention—in some form or capacity, we humans (sorry Googlebot if you are indexing this) seek and crave attention. As infants we crave attention from our parents, as children our friends, and as teens and adults, usually, from our peers, or those who have a common interest or understanding with us. Correspondingly, we all like to brag about our accomplishments to a certain extent. This is why social media has become so popular worldwide: it provides an audience for those who like to be heard.

In the old days (before the Internet became commonplace), when hackers compromised a computer, it was rather difficult to show off their feats to their friends. Sure, they could talk endlessly about their triumphs, but how many times would it take for Mom, Dad, Brother, and Sister to understand, especially if they couldn’t tell the difference between a baud rate and a bald RAT?

So, what’s the point of doing things that only a few people can do if you don’t...

Ke Zhang | 09 Aug 2012 18:06:14 GMT | 0 comments

Symantec recently received a new sample of Backdoor.Korplug that signs itself with a stolen certificate. It also made use of legitimate software, but this time there is something different from what was revealed in our previous blog entry.

Figure 1. Loading sequence

From the data we have seen, the attacker removed the signature on the original executable and replaced it with their own.

...

Flora Liu | 09 Aug 2012 11:17:41 GMT | 0 comments

A new Android malware has been found on third-party Android markets. Symantec has identified 18 apps that have been Trojanized with the threat and added detection as Android.Vdloader.

Figure 1. List of malicious apps identified


A 3D waterfall wallpaper may be displayed after the threat is installed.

Figure 2. 3D Waterfall wallpaper displayed after installation


The threat...

Joji Hamada | 08 Aug 2012 22:53:50 GMT | 0 comments

Back in April, Android.Dougalek (a.k.a. "the Movie" malware) made national headlines in Japan when a large group of malicious apps was discovered that steal users' contacts data. Obviously scammers were listening to the news as well. The idea of stealing information using Android apps caught on like a brush fire and, since this discovery of the "Movie" malware, Symantec has come across a handful of copy-cat apps using the same payload. They include malware such as Android.Uranico, Android.Ackposts, and...

Alan Neville | 07 Aug 2012 21:25:37 GMT | 0 comments

Contributor: Peter Coogan

A strain of financial banking Trojans which runs browser-based man-in-the-middle (MITM) attacks has reared its ugly head once again. Trojan.Shylock is sophisticated malware which utilizes fake digital certificates and intercepts network traffic to inject code into banking websites. It tricks users into providing login and account details to cybercriminals. Recently, it has developed new tricks to steal user information.

Back in February, Trusteer published a blog stating that Trojan.Shylock had been observed injecting JavaScript which displayed a web-based chat screen to unsuspecting victims. The hackers controlled the chat screen and proceeded to query the victim for login credentials or other information required to gain access...