Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts in English
Social Scams - Part 1: Reusing Old Scams to Push Browser Extensions
Satnam Narang | 03 Apr 2013 19:35:53 GMT

Last year, we talked about scams and spam circulating on Facebook in our whitepaper. Social networking scammers often reuse common lures to trick users, such as offering free products or additional features that are not available on their network of choice. What these scammers do differently is find new ways to get more eyeballs to view their specific links. Whether it is likejacking or even convincing users to paste code (an external JavaScript file) into the browser address bar, these scammers are relentless.

Just recently, we published a blog about the Facebook Black scam that has been spreading. While that scam continued to spread, we found two old lures being reused,...

Read more
Japanese One-Click Fraud Campaign Comes to Google Play
Joji Hamada | 01 Apr 2013 13:40:49 GMT

One-click fraud refers to a scam that attempts to lure users interested in adult-related video to a site that attempts to trick them into registering for a paid service. For many years, it has been common to see this type of fraud on computers. As smartphone usage has increased, so has the number of these types of scams on smartphone devices. People typically come across these scam sites by searching for things that they are interested in or by clicking on links contained in spam messages. We also witnessed the advent of one-click fraud Android apps just over a year ago and those apps can now be found on Google Play.

dev7.png

...
Read more
Are the 2011 and 2013 South Korean Cyber Attacks Related?
Symantec Security Response | 29 Mar 2013 15:19:03 GMT

Overview
In the past four years there have been several major cyber attacks against South Korea. We have identified a particular back door (Backdoor.Prioxer) that surfaced during the 2011 attacks. A modified version of this back door was also discovered during the 2013 attacks. The back door is based on publicly available code, but there are some indications that the same individuals are responsible for the 2011 and 2013 versions, pointing towards a possible connection between the two attacks.

Background
The first documented major attack was in July, 2009. The attacks began on July 4, Independence Day in the United States, and consisted of a distributed denial-of-service (DDoS) attack against various Korean and US government and financial websites. A...

Read more
Bogus Asian Chat App Steals Login Information
Mathew Maniyara | 28 Mar 2013 15:07:04 GMT

Contributor: Avdhoot Patil

New methods to entice victims into handing over their personal information are always being devised by the people behind phishing websites and the use of fake social networking applications is always popular.

During the past month, phishing on social media sites consisted of 8.6 percent of all phishing activity. Among the phishing sites targeting social media, 0.8 percent consisted of fake applications offering features such as free cell phone airtime, adult videos, video chatting, adult chatting, etc.

In March 2013, phishers used a fake Asian chat application on a phishing site hosted on a free web hosting site.

fig1.jpg

Figure 1. Phishing page spoofing a social networking site

The phishing site spoofs a popular social networking site and is titled “Pakistani chat room - Pakistani girls...

Read more
New Ransomlock Variant Bypasses Automated Threat Analysis Systems’ Sandboxes
Hiroshi Shinotsuka | 27 Mar 2013 18:02:45 GMT

A lot of malware modify themselves to either hide from security software when they copy themselves to the compromised computer or to hinder engineers attempting to analyze the malware by executing the decrypted memory area and reading the decrypted memory value. This blog examines the behavior of Trojans that modify themselves by sharing memory.

The malware process follows the red line in Figure 1.
 

new ransomlock 1 edit.png

Figure 1. Code showing the threat process
 

Address ebx-4 indicates the top of the .data section. Initially, ebx-4 is a zero so if it is compared to 31h and 32h, it fails.

The code writes 31h to address ebx-4 and the Trojan executes itself by executing the WinExec function with its own file name. It then uses the ExitProcess function to...

Read more
Spammer's Magical Gifts this Easter
Anand Muralidharan | 25 Mar 2013 14:47:12 GMT

Easter Sunday is one of the most important festivals in the Christian calendar and it is observed anywhere between March 22 and April 25 each year; this year it falls on March 31. Spam messages related to Easter have begun flowing into the Symantec Probe Network. As expected, most of the spam samples are encouraging users to take advantage of products offers, personalized letters, e-cards, as well as clearance sales of cars and replica watches. Clicking the URL will automatically redirect the user to a website containing some bogus offer.

flowers.png

Figure 1. Spam product offer related to Easter

Spammers are also exploiting the event by sending casino spam email using the name "Easter bonnet". The Easter bonnet represents the tail-end of a tradition of wearing new clothes at an Easter festival.

The following spam sample provides...

Read more
Lime Pop: The Next Android.Enesoluty App
Joji Hamada | 25 Mar 2013 05:25:06 GMT

The gang that maintains Android.Enesoluty has been busy since last summer registering over one hundred domains used to host app sites and sending spam from these domains. It is now apparent that the group is also still busy developing malware variants. Several days ago, Symantec discovered a new variant of Android.Enesoluty.

As is the case with its predecessors, spam with a link to the app page is sent to potential victims.

spam.png

Figure 1. Spam used to lure potential victims to the app page

The new malicious app hosted on the app page is called Lime Pop, which (not so?) coincidently is almost identical to the name of a very popular game app. Like previous variants, the page has a link at the very bottom to an end user license agreement (EULA) that...

Read more
Different Wipers Identified in South Korean Cyber Attack
Symantec Security Response | 23 Mar 2013 01:36:26 GMT

Our analysis of Trojan.Jokra, the threat which recently caused major outages within the Korean Broadcasting and Banking sectors, has produced another wiper.

Security researchers the past few days have been discussing the wiper component found in this Trojan, specifically different wiper versions and the timings involved. We have seen the following strings used in four different variants:

  • PRINCIPES
  • HASTATI
  • PR!NCPES
  • HASTATI and PR!NCPES in combination
  • PRINCPES

Three wipers are packaged as a position-independent executable (PIE) and a fourth as a dynamic-link library (DLL) injection. There are also some differences in regard to the timing.
 

table1.jpg

Table. Trojan....

Read more
New Tidserv Variant Downloads 50 MB Chromium Embedded Framework
Kevin Savage | 22 Mar 2013 20:12:43 GMT

Tidserv (a.k.a. TDL) is a complex threat that employs rootkit functionality in an attempt to evade detection. The malware continues to be on the Symantec radar since its discovery back in 2008. The latest variant of Tidserv being distributed in the wild has began to employ the legitimate Chromium Embedded Framework (CEF). While this may not be the first time a malware has made use of a legitimate framework for nefarious purposes, this new Tidserv variant requires the download of the 50 MB framework to function correctly, which is an unusual thing for a threat to do.

The Backdoor.Tidserv variant uses a modular framework that allows it to download new modules and inject them into clean processes. Previous variants of Tidserv had used a serf332 module to perform network operations, such as link clicking and ad popups. It does...

Read more
Indian Websites Pursued by Phishers
Mathew Maniyara | 21 Mar 2013 18:06:11 GMT

Contributor: Ayub Khan

Symantec has been constantly monitoring phishing sites hosted on compromised Indian websites. In 2011, our study detailed these compromised sites and we did a similar study of phishing sites in 2012.

From August 2012 to November 2012, 0.11% of all phishing sites were hosted on compromised Indian websites. Phishers continue to target Indian sites across many disciplines to host their phishing sites. These Indian sites were classified in various categories. The most targeted sites were information technology (14.40%), education (11.90%), product sales and services (9.80%), industrial and manufacturing (7.30%), and tourism, travels and transport (5.80%). The figures for secure websites such as government, telecommunication, and ISP were low and at the bottom of the list. This offers evidence that phishers opt to target more vulnerable websites.
...

Read more