Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts in English
Lime Pop: The Next Android.Enesoluty App
Joji Hamada | 25 Mar 2013 05:25:06 GMT | 0 comments

The gang that maintains Android.Enesoluty has been busy since last summer registering over one hundred domains used to host app sites and sending spam from these domains. It is now apparent that the group is also still busy developing malware variants. Several days ago, Symantec discovered a new variant of Android.Enesoluty.

As is the case with its predecessors, spam with a link to the app page is sent to potential victims.

spam.png

Figure 1. Spam used to lure potential victims to the app page

The new malicious app hosted on the app page is called Lime Pop, which (not so?) coincidently is almost identical to the name of a very popular game app. Like previous variants, the page has a link at the very bottom to an end user license agreement (EULA) that...

Read more
Different Wipers Identified in South Korean Cyber Attack
Symantec Security Response | 23 Mar 2013 01:36:26 GMT | 0 comments

Our analysis of Trojan.Jokra, the threat which recently caused major outages within the Korean Broadcasting and Banking sectors, has produced another wiper.

Security researchers the past few days have been discussing the wiper component found in this Trojan, specifically different wiper versions and the timings involved. We have seen the following strings used in four different variants:

  • PRINCIPES
  • HASTATI
  • PR!NCPES
  • HASTATI and PR!NCPES in combination
  • PRINCPES

Three wipers are packaged as a position-independent executable (PIE) and a fourth as a dynamic-link library (DLL) injection. There are also some differences in regard to the timing.
 

table1.jpg

Table. Trojan....

Read more
New Tidserv Variant Downloads 50 MB Chromium Embedded Framework
Kevin Savage | 22 Mar 2013 20:12:43 GMT | 0 comments

Tidserv (a.k.a. TDL) is a complex threat that employs rootkit functionality in an attempt to evade detection. The malware continues to be on the Symantec radar since its discovery back in 2008. The latest variant of Tidserv being distributed in the wild has began to employ the legitimate Chromium Embedded Framework (CEF). While this may not be the first time a malware has made use of a legitimate framework for nefarious purposes, this new Tidserv variant requires the download of the 50 MB framework to function correctly, which is an unusual thing for a threat to do.

The Backdoor.Tidserv variant uses a modular framework that allows it to download new modules and inject them into clean processes. Previous variants of Tidserv had used a serf332 module to perform network operations, such as link clicking and ad popups. It does...

Read more
Indian Websites Pursued by Phishers
Mathew Maniyara | 21 Mar 2013 18:06:11 GMT | 0 comments

Contributor: Ayub Khan

Symantec has been constantly monitoring phishing sites hosted on compromised Indian websites. In 2011, our study detailed these compromised sites and we did a similar study of phishing sites in 2012.

From August 2012 to November 2012, 0.11% of all phishing sites were hosted on compromised Indian websites. Phishers continue to target Indian sites across many disciplines to host their phishing sites. These Indian sites were classified in various categories. The most targeted sites were information technology (14.40%), education (11.90%), product sales and services (9.80%), industrial and manufacturing (7.30%), and tourism, travels and transport (5.80%). The figures for secure websites such as government, telecommunication, and ISP were low and at the bottom of the list. This offers evidence that phishers opt to target more vulnerable websites.
...

Read more
Remote Linux Wiper Found in South Korean Cyber Attack
Symantec Security Response | 20 Mar 2013 21:37:57 GMT | 0 comments

Earlier today we published our initial findings about the attacks on South Korean banks and local broadcasting organizations. We have now discovered an additional component used in this attack that is capable of wiping Linux machines.
 


Figure 1. Bash wiper script targeting remote Linux machines
 

The dropper for Trojan.Jokra contains a module for wiping remote Linux machines. We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers...

Read more
TeamSpy: Backdoor to the Viewer
Symantec Security Response | 20 Mar 2013 18:22:54 GMT | 0 comments

Today, the Laboratory of Cryptography and System Security (Crysys) at Budapest University of Technology and Economics, released their research ­around a targeted attack they have identified, named TeamSpy. Symantec has had protections in place for this threat since 2011, and we currently detect this threat as Backdoor.Teambot. We also have the following IPS protections in place:

  • System Infected: Backdoor.Teambot Activity
  • System Infected: Backdoor.Teambot Activity2

This attack abuses the popular TeamViewer remote administration tool to control the malware running on victim machines. The Trojan packages the legitimate application along with a malicious DLL and uses an encrypted configuration file containing parameters to...

Read more
South Korean Banks and Broadcasting Organizations Suffer Major Damage from Cyber Attack
Symantec Security Response | 20 Mar 2013 15:56:51 GMT | 0 comments

It has been reported in the media that several South Korean banks and local broadcasting organizations have been impacted by a cyber attack.

The attack included the defacement of a Korean ISP/telecoms provider and also the crippling of servers belonging to a number of organizations.

The defacement displays an elaborate animated Web page with sound effects, showing three skulls and included a message by the claimed attackers calling themselves the “Whois” team.

The attack was first noticed when a number of websites began to experience problems. Customers of banks could not access their online accounts and reports of other sites being down began to surface. While specific details are not known at this time, it has been reported that a number of sites affected had their hard drives wiped leaving the affected computers in a crippled state.

...

Read more
Blackhole Exploit Kit Takes Advantage of Cypriot Financial Crisis
Nick Johnston | 20 Mar 2013 13:22:44 GMT | 0 comments

In recent days, the European Union (EU) financial crisis has taken a dramatic turn. Cyprus, one of the EU's smallest member states by population, announced plans to impose a one-off levy of up to 10 percent on ordinary bank deposits. Banks across the island state have been closed while the unprecedented measures are debated in the country's parliament. Meanwhile, anxious bank account holders—ordinary people, not bond holders or investors in Cypriot banks—await news of what will happen to their savings.

The notorious Blackhole Exploit Kit, previously featured in several posts on this blog, has started exploiting the public concern about this situation by sending out emails claiming to be news stories related to the unfolding situation.

...

Read more
The New Black: Facebook Black Scam Spreads on Facebook
Satnam Narang | 19 Mar 2013 22:38:57 GMT | 0 comments

Yesterday, Facebook users may have noticed an influx of their friends posting about something called Facebook Black.
 

Figure 1. Facebook photo plugging “Faecbook” Black (notice the typo in this image)
 

Similar to previous scams, users are tagged in a picture that contains a link to an external website. In this case, the link is found within the comments instead of the description field (Figure 1).
 

Figure 2. Iframe is used to redirect the user to the landing...

Read more
Pope Themed Spam Attacks Lead to Malware
Samir_Patil | 19 Mar 2013 09:29:04 GMT | 0 comments

Contributor: Saurabh Farkade

The Vatican City has been in the news a lot in the past few weeks due to Benedict XVI’s resignation and the election of Pope Francis. Spammers have picked up on this opportunity for spreading malware.

Symantec Security Response has observed attackers distributing spam which leads users to a site hosting the Blackhole Exploit Kit. The good news is, Symantec customers are protected and this threat is detected as Blackhole Toolkit Website.

The spam email alleges to be from a well-known news channel. The following subject lines are used in this attack:

  • Subject: Opinion: Can New-Pope Benedict be Sued for the Sex Abuse Cases? - [REMOVED]
  • Subject: Opinion: New Pope, Vatican officials sued over alleged sexual abuse! - [REMOVED]
  • Subject: Opinion: New...
Read more