Video Screencast Help
Search Video Help Close Back
to help

Symantec Intelligence

Showing posts tagged with Messaging Gateway
Showing posts in English
Malicious emails masquerade as office printer messages
Bhaskar Krishna | 27 Sep 2011 | 1 comment

Some of the newest printers have scan-to-email ability, a feature that allows users to email scanned documents to a specified email address on demand. Symantec Intelligence has identified malware authors using social engineering tactics that take advantage of this, sending executables in a compressed “.zip” archive via email. The attachment contains an executable disguised as a scanned document from a printer, as shown in the example in figure 1, below.
 

Figure 1: Example of malicious email masquerading as a scanned document sent from an office printer

In each case the sender domain was spoofed to match the recipient domain, sometimes appearing as though forwarded to the recipient by a colleague at the same organization, implying that this email originated internally.
To be clear, office printers and scanners will not send malware-laden...

Read more
Spammers exploit WordPress vulnerability to promote pharmaceutical spam Web sites
Nick Johnston | 27 Sep 2011 | 0 comments

In the Symantec Intelligence blog we've covered how spammers like to conceal their actual spam sites through elaborate chains of redirects, often involving hacked or compromised sites, URL shortening sites, obfuscation techniques, or combinations of all of these.

We've recently seen spammers exploiting a vulnerability in WordPress, the popular open-source blogging software running on thousands of servers worldwide. Spammers are using the WordPress platform to compromise a Web server, placing a file deep within the WordPress directory structure, presumably in an attempt to avoid (or at least delay) detection. The buried file is a simple HTML page, usually containing text like "Page loading" which is briefly shown before a HTTP “meta refresh” is used to redirect users to the spammer's "Canadian Health&Care Mall" Web site, as shown in figure 1:

<meta http-equiv="refresh" content="0; url=http://[new...
Read more
Nimda – the worm finds new tricks
Paul Wood | 19 Sep 2011 | 0 comments

The word ‘Nimda’ may not be the most well remembered in the cyber-crime hall of fame but as malicious worm outbreaks go, Nimda certainly contributed to the malware landscape and was able to cause havoc on 18 September, 10 years ago in 2001.

Long before cloud based security services were the norm and virus scanning was only performed once a week, the Nimda worm was effectively unleashed onto the global computer network exactly a week after the 9/11 atrocities. Because of this timing, some media quickly began speculating a link between the worm and Al Qaeda, although this rumour was quickly quashed by the FBI, but it did highlight the fact that cyber warfare can be a real threat carefully orchestrated by sophisticated cyber gangs or even terrorists and not script kiddies tucked away in dormitories.

The Nimda worm came hot on the heels of the “Code Red” scare in August 2001, when a variant of the original worm infected more than 250,000 machines...

Read more
Spammers take advantage of Unicode normalisation to hide URLs
Nick Johnston | 04 Aug 2011 | 0 comments

by Francisco Pardo and Nick Johnston

Spammers are never idle when it comes to finding new ways to bypass mail filters--after all, this is crucial to a spammer's success.

Recently we've seen a low, but steady, number of spam messages where spammers are replacing characters in URLs (which point to spam sites) with Unicode characters which look similar or identical. This is yet another way of obfuscating URLs in an attempt to make it more difficult to analyse URLs. To understand how this technique works, a bit of knowledge of the Unicode standard is helpful. As well as specifying a large repertoire of characters, Unicode also provides normalisation rules for converting similar and/or equivalent characters to a single form. For example, under various Unicode normalisation forms, an encircled number is considered equivalent to the corresponding ordinary number. This latest spammer obfuscation technique relies on the HTML rendering engine in mail clients (or web...

Read more
Welcome to the new-look Symantec Intelligence Report
Paul Wood | 28 Jun 2011 | 2 comments

Welcome to the June edition of the Symantec Intelligence report, which for the first time combines the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report.  The new integrated report, the Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks.

Since the shutdown of the Rustock botnet in March, spam volumes have never quite recovered as the volume of spam in global circulation each day continues to fluctuate, as shown in figure 1, below.

The overall impact has been that spam now accounts for 72.9% of email in June, returning to the same level as in April earlier this year. In June, 76.6% of this spam was being sent from botnets, compared with 83.1% in March. This marks a return to the same level of output as at the end of 2010...

Read more