
Security Response

Symantec Security Response | 14 Feb 2013 22:16:55 GMT | 0 comments

In a previous blog, Symantec reported on a new Adobe zero-day vulnerability (CVE-2013-0640, CVE-2013-0641) affecting Adobe Reader and Acrobat XI (11.0.1) and earlier versions that was being actively exploited in the wild. Adobe has yet to release a patch for this zero-day, but in an advisory they have provided a means of mitigation against the attack.

The initial report on this zero-day being actively used in the wild came from FireEye. They reported that several files were being...

Symantec Security Response | 14 Feb 2013 12:05:43 GMT | 0 comments

Spanish police have reported the arrest of an individual involved with a particular strain of police Ransomware known as Ransom.EY, detected by Symantec as Trojan.Ransomgerpo.

This variant is one of the earliest active police ransomware families, which Symantec has been tracking since at least July 2011. The Trojan was distributed using drive-by download techniques, in conjunction with the Black Hole exploit kit. Early versions of the locking screen were quite primitive but quickly evolved as the author obviously stole design ideas from other ransomware gangs, as shown in Figure 1.

...

Symantec Security Response | 14 Feb 2013 08:59:53 GMT | 0 comments

Adobe posted a vulnerability report warning that vulnerabilities in Adobe Reader and Acrobat XI (11.0.1) and earlier versions are being exploited in the wild. Adobe is currently investigating this issue.


According to the FireEye blog posted earlier today, the malicious file arrives as a PDF file. Upon successful exploitation of the vulnerabilities, two malicious DLL files are dropped.

Symantec detects the malicious PDF file as Trojan.Pidief and the two dropped DLL files as...

Joji Hamada | 13 Feb 2013 21:35:07 GMT | 0 comments

Back in October 2012, we published a couple of blogs about Backdoor.Rabasheeta, a back door Trojan that was used to make numerous death threats from compromised computers, resulting in four wrongful arrests. The saga may have come to an end for the malware author who had been taunting the Japanese authorities for months. On February 10, the Tokyo Metropolitan Police arrested Yusuke Katayama, a 30-year-old Tokyo resident who works for an IT company, on suspicion of forcible obstruction of business by posting anonymous online threats, although the accused has denied any wrongdoing. Katayama was also arrested and convicted in 2006 for making similar online threats to a record company...

Candid Wueest | 12 Feb 2013 18:26:39 GMT | 0 comments

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing 12 bulletins covering a total of 57 vulnerabilities. Eighteen of this month's issues are rated ‘Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the February releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Feb

The following is a breakdown of the...

Symantec Security Response | 12 Feb 2013 06:05:44 GMT | 0 comments

As we have blogged in the past, Zeus (Trojan.Zbot) and other banking Trojans have been a headache to online banking customers all over the world for years. Certain countries such as Japan have in the past escaped attacks from banking Trojans, perhaps due to the language barrier or some other unknown reason. As the National Police Agency of Japan has reported several times, Japanese online banking customers have now started to fall victim to this type of attack.

Symantec recently came across a new Zeus file targeting five major banks in Japan. Figure 1 shows part of the decrypted configuration file. The...

Joseph Bingham | 11 Feb 2013 22:49:07 GMT | 0 comments

Contributor: Val S.

We recently came across a sample of a back door remote access tool (RAT) written entirely in Java. The RAT is freely distributed on underground forums, free for any registered forum user to download. It is named Frutas, which means “fruit” in Spanish.

Figure 1. Frutas logo

The Frutas RAT allows attackers to create a connect-back client JAR file to run on a compromised computer. When executed, it parses an embedded configuration file for a server IP and port to connect to. The back door builder provides some minor obfuscation, which allows the attacker to use a custom encryption key for some of the embedded back door functionalities.

...

abhinav_singh | 09 Feb 2013 00:00:58 GMT | 0 comments

Contributor: John Harrison

Symantec has been tracking a large malvertising campaign for over 5 months now. The campaign is still active and uses Dynamic Domain Name System (DDNS) to prevent itself from being tracked.

The campaign spread rapidly and compromised popular domains and adult websites. High-profile domains with an Alexa ranking of 5,000 or under have also been compromised. Some compromised websites were cleaned after Symantec products alerted users who visited the sites. However, many of the domains remain compromised.

The interesting thing about infections delivered through malvertising is that they do not require any user action (such as clicking) to compromise the system, and they do not exploit any vulnerabilities on the website or the server it is hosted on. Infections delivered through malvertising silently travel through Web page advertisements served by...

Symantec Security Response | 08 Feb 2013 20:03:18 GMT | 0 comments

Yesterday, Adobe released an out of cycle patch that fixed two zero-day vulnerabilities (CVE-2013-0633, CVE-2013-0634) for Adobe Flash Player 11.5.502.146 and earlier versions for both Windows and Macintosh. The patch was released because the zero-days were being actively exploited for attacks in the wild. Symantec recommends applying the patch immediately. 

Reports of the attack seen in the wild using CVE-2013-0634 have been dubbed “LadyBoyle” following FireEye’s initial analysis of the attack. In the analysis they identified a class file, with the name LadyBoyle, that contained the exploit code. Symantec can confirm that...

Anand Muralidharan | 08 Feb 2013 15:59:49 GMT | 0 comments

Most people are eagerly waiting for Valentine's Day. The day is an opportunity to spread affection and excitement amongst loved ones by exchanging gifts. Last year we observed prominent spam attacks using Valentine’s Day as bait. Messages promoted unbelievably discounted jewelry, dining opportunities, and expensive gifts.

This year, various Valentine’s Day spam messages have started flowing through Symantec’s Probe Network. The top word combinations used in spam messages include the following:

  • Find-Your-Valentine
  • eCards-for-Valentine
  • Valentine’s-Day-Flowers

The e-card spam message, shown in Figure 1, arrives with a malicious attachment called ValentineCard4you.zip. After the attachment is opened, malware is downloaded onto the user's computer. Symantec detects the attachment as...