Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts in English
Syrian Regime’s Opposition Gains Phishers’ Sympathy
Mathew Maniyara | 04 Feb 2013 18:27:27 GMT | 0 comments

Contributor: Avdhoot Patil

Recently, cybercriminals have been focusing on the conflict in Syria to incorporate current events in their cyber warfare. In December 2012, phishers mimicked the website of a well-known organization in the gulf with the motive of stealing a user's email login credentials. The phishing site asked users to support the Syrian opposition by casting their vote against the Syrian regime. The phishing pages were in Arabic and the phishing site was hosted on servers based in Dallas, Texas, United States.

The phishing site asked users if they wanted to criminalize the Syrian regime for the murder of innocent people. As seen in the image below, options were provided to agree or disagree. If the agree option was selected, the phishing site prompted users to select their email service provider, from a list of four popular providers, and then login in order to cast their vote.
 

...

Read more
Backdoor.Barkiofork Targets Aerospace and Defense Industry
Satnam Narang | 30 Jan 2013 23:01:00 GMT | 0 comments

Contributor: Joseph Bingham

A few weeks ago, we observed a spear phishing campaign targeting groups in the aerospace and defense industry. We identified at least 12 different organizations targeted in this attack. These organizations include aviation, air traffic control, and government and defense contractors.
 

Figure 1. Spear phishing email targeting aerospace and defense industry
 

In choosing their targets, the attackers identified individuals in important roles, including directors and vice presidents. The content of all the emails were identical. The attackers used a report published in 2012 regarding the outlook of the aerospace and defense industries as the lure. The intention of the attackers was to make...

Read more
Gift of Trojan.Smoaler Delivered Through Fake FedEx Emails
Shunichi Imano | 29 Jan 2013 22:10:05 GMT | 0 comments

Symantec Security Response is aware that fake FedEx emails have been circulating recently. The emails claim the user must print out a receipt by clicking on a link and then physically go to the nearest FedEx office to receive their parcel. Obviously the parcel does not exist and those who click on the link will be greeted by a PostalReceipt.zip file containing malicious PostalReceipt.exe executable file. Instead of receiving a parcel, which the user did not order in the first place, Trojan.Smoaler is delivered to the computer.

All the fake FedEx emails delivering this malware are almost identical except for the order numbers and the website the zip file is hosted on. One sign of laziness, or perhaps an oversight on the part of the malware author, is an consistent order date. The author does change the domain where Trojan.Smoaler is hosted daily. The following emails were spammed out...

Read more
Malicious Spam Emails Target Nightclub Disaster in Santa Maria
Anand Muralidharan | 29 Jan 2013 13:00:20 GMT | 0 comments

Symantec Security Response has observed that spammers are distributing malicious emails that attempt to lure users into viewing a video of the incident that killed 233 people recently in a horrific tragedy at a popular nightclub in Santa Maria, Brazil. The malicious email is in Portuguese and invites unsuspecting users to click on a link to watch a video of the tragedy. The link provided in the email downloads a zip file containing a malicious control panel file as well an executable file. Symantec detects this threat as Trojan Horse.

Further analysis of the malicious file shows that the threat creates the following file:

%SystemDrive%\ProgramData\ift.txt

It also alters the registry entries for Internet Explorer.

The threat then downloads an IE configuration file from a recently registered domain. Trojan Horse is usually a backdoor Trojan, downloader, or an...

Read more
Upswing in Ransomware Activity
Symantec Security Response | 28 Jan 2013 04:44:17 GMT | 0 comments

As we predicted toward the end of last year, we are once again seeing an upswing in ransomware activity in 2013. The ransomware extortion scam has been in existence now for a number of years but its popularity among cybercriminals has grown over the last two years and it continues to indiscriminately plague computer users in greater numbers. Symantec has tracked this growing menace in various blogs, a whitepaper, and a video.

In the last week Symantec has observed a new spike in ransomware activity being seen worldwide. While several variants of the ransomware threat are responsible for the overall spike, the main ransomware variant being observed is...

Read more
Trojan Horse Using Sender Policy Framework
Takashi Katsuki | 25 Jan 2013 21:20:27 GMT | 0 comments

It is important for malware authors to keep a solid network connection between their malware on compromised computers and their own servers so that the malware can receive commands and be updated. However, communication between the malware and the malware servers may be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS). Consequently, malware authors try to find more secure methods of providing communication between the malware and the servers. For example, I wrote a blog last November detailing how Backdoor.Makadocs uses the Google docs viewer function as a proxy to maintain a solid connection between the malware and its servers. More recently, I discovered a Trojan horse that uses Sender...

Read more
MDK: The Largest Mobile Botnet in China
Flora Liu | 24 Jan 2013 03:05:39 GMT | 0 comments

In February 2012, we blogged about Android.Bmaster (a.k.a. Rootstrap), which infected hundreds of thousands of devices. At that time, it was the largest mobile botnet documented to date. Recently, the Bmaster botnet has been overtaken by the newly uncovered MDK botnet. Dubbed as Android.Troj.mdk, Kingsoft believes it is hidden in more than 7,000 apps and has infected up to one million devices.

Symantec’s analysis suggests the MDK Trojan is a new variant of Android.Backscript. Our detection for this threat family has been in place since September 2012. The code of MDK is very similar to Android.Backscript and they use the same certificate to...

Read more
Trojan.Pandex – A New Spam Affair
Santiago Cortes | 24 Jan 2013 00:42:20 GMT | 0 comments

Contributor: Lionel Payet

Last week we saw how W32.Waledac was getting cozy with W32.Virut, but let us not forget about other spam botnets, like Trojan.Pandex (a.k.a. Cutwail), as they also persist in their propagation affairs.

The people behind W32.Cridex have used many attack vectors to spread the malware, including taking advantage of exploit kits like Blackhole, or attempting to deceive users with crafted PDF documents. This month they have managed to compose a more elaborate attack.

The attackers have...

Read more
Downloader Targets Down Under
Val S | 22 Jan 2013 20:18:13 GMT | 0 comments

At the time of this blog post, and for the past five days, we have noticed an increase in spam containing malware that targets Australians. The attackers behind this malicious spam campaign appear to have no specific target in mind other than compromising a large base in Australia for reasons still unknown. Symantec Security Response has observed two separate versions of this campaign purporting to be from Australian organizations and targeting Australian users.

In this following example, an email pretends to be from the "Australian Taxation Office" with the subject line "Tax Agent Report – Delayed Tax Returns" and contains a 'Tax Report.zip' attachment file. Inside the zip file is a TaxReport.xls.exe malicious executable file.
 

...

Read more
Android.Exprespam Potentially Infects Thousands of Devices
Joji Hamada | 21 Jan 2013 15:08:37 GMT | 0 comments

Android.Exprespam was discovered at the beginning of January and has only been around for about two weeks, but the scammers seem to be having a lot of success with the malware already.  Symantec has acquired some data that has allowed us to get an idea of how successful Exprespam may be in scamming Android users into providing personal data. The data obtained, which is only a portion of the complete data, indicates that the fake market called Android Express’s Play has drawn well over 3,000 visits in a period of a week from January 13 to January 20.

Based on several sources*, I calculated that the scammers may have stolen between 75,000 and 450,000 pieces of personal information.

Figure 1. ...

Read more