Symantec Intelligence
Nick Johnston | 27 Sep 2011 | 0 comments

In the Symantec Intelligence blog we've covered how spammers like to conceal their actual spam sites through elaborate chains of redirects, often involving hacked or compromised sites, URL shortening sites, obfuscation techniques, or combinations of all of these.

We've recently seen spammers exploiting a vulnerability in WordPress, the popular open-source blogging software running on thousands of servers worldwide. Spammers are using the WordPress platform to compromise a Web server, placing a file deep within the WordPress directory structure, presumably in an attempt to avoid (or at least delay) detection. The buried file is a simple HTML page, usually containing text like "Page loading", which is briefly shown before an HTTP "meta refresh" is used to redirect users to the spammer's "Canadian Health&Care Mall" Web site, as shown in figure 1:

<meta http-equiv="refresh" content="0; url=http://[new...
Paul Wood | 19 Sep 2011 | 0 comments

The word 'Nimda' may not be the best remembered in the cyber-crime hall of fame, but as malicious worm outbreaks go, Nimda certainly contributed to the malware landscape and was able to cause havoc on 18 September, 10 years ago in 2001.

Long before cloud-based security services were the norm, when virus scanning was only performed once a week, the Nimda worm was effectively unleashed onto the global computer network exactly a week after the 9/11 atrocities. Because of this timing, some media quickly began speculating about a link between the worm and Al Qaeda. This rumour was quickly quashed by the FBI, but it did highlight the fact that cyber warfare can be a real threat carefully orchestrated by sophisticated cyber gangs or even terrorists, not just script kiddies tucked away in dormitories.

The Nimda worm came hot on the heels of the “Code Red” scare in August 2001, when a variant of the original worm infected more than 250,000 machines...

Nick Johnston | 08 Sep 2011 | 0 comments

As we've covered extensively on the Symantec Intelligence blog in the past, 419 or advance fee fraud scammers are highly skilled at using current events to their advantage. Recently we have seen scams taking advantage of unrest in Libya, the devastating March 2011 earthquake in Japan, and other events.

419 or advance fee fraud works by promising the recipient a vast sum of money, but before any money is paid, various (and increasingly inventive) up-front fees are demanded until the victim realises they've been duped and gives up. The promised vast sums of money never materialise.

This scam claims that the recipient has been awarded $2.5m in a lottery connected with the 2011 Rugby World Cup:

Of course, the lottery is fake. There is no lottery for the tournament, and this message is simply a scam.

The tournament starts Friday, 9 September in New Zealand, so interest and...

Nick Johnston | 05 Sep 2011 | 0 comments

In February this year the Symantec Intelligence Blog covered how 419 or advance fee fraud scammers were using the unrest in Libya to their advantage. As we've extensively covered in the past on the blog, 419 scammers are skilled at using current events to their advantage. For example, scammers have taken advantage of the devastating March 2011 earthquake in Japan as well as other natural disasters and other current events.

The scam message we found in February claimed to be written by someone connected to Libya's Senussi crown, which was overthrown by Muammar al-Gaddafi in his 1969 coup d'état. Since then, we have seen several more messages, exploiting the unrest in different ways, but still following the general 419 or advance fee fraud pattern of demanding endless upfront fees from victims, with vast promised payouts never materialising.

One scam, where the scammer pleads "please read this carefully", claims to be sent by a wealthy...

Bhaskar Krishna | 10 Aug 2011 | 0 comments

Posted on behalf of Bhaskar Krishnappa

Last week Symantec Intelligence blogged about the new tactics applied by Bredolab, especially the start-code obfuscation and hack pack approach.

Over the past 24 hours, our e-mail scanning engine and monitoring tools have reported a huge run of Bredolab malware. The most interesting part of this blog is that our scanners have seen two different samples (Md5sum: f8527fc91329e282c261331303dbaa82 and Md5: ea9ad01c0e8d58c3a5cd8666568201f4), sent with different subjects and attachment names to sneak through the mail scanning engines and spam signatures.

We do have interesting stats showing subject vs. count and the attachment names used by attackers to compose mail pretending to arrive from well-known parcel services and money transfer services.

We have seen more than 300 copies of the sample (Md5sum: f8527fc91329e282c261331303dbaa82) which is...

Lee_Rothman | 09 Aug 2011 | 0 comments

A good service level agreement (SLA) can be an effective tool for helping SaaS providers and customers manage expectations, clarify responsibilities, and objectively assess service effectiveness. If well-defined, an SLA will clearly identify the performance metrics and expectations that guarantee the service. In some cases, SLAs may offer vague metrics, loose definitions and incomplete information that can be open to misinterpretation.

As you consider your technology investment, keep these important considerations in mind:

  • Put it on the wish list – Many organizations purchase technology without considering an SLA or they make it an afterthought. Make sure SLAs are included as part of your search for the right solution and are discussed up front during the decision-making process. The SLA may just be among the differentiators.
  • ...
| 03 Aug 2011 | 1 comment

Posted on behalf of Bhaskar Krishnappa

Symantec has blogged about the Bredolab malware in the past and its method of infection, with the goal of creating awareness among innocent users. Apart from blogs, Symantec has also published a research paper explaining how the malware works, why it's so widespread and the motivations behind it.

This post focuses on why this threat is still a challenge for AV vendors to comprehensively detect.

What does Bredolab bring in?

The latest Bredolab samples are downloading and installing rogue security products on victims' machines for financial gain, as shown below in step 1 and step 2...

Nick Johnston | 02 Aug 2011 | 0 comments

by Francisco Pardo and Nick Johnston

Spammers are never idle when it comes to finding new ways to bypass mail filters; after all, this is crucial to a spammer's success.

Recently we've seen a low, but steady, number of spam messages where spammers are replacing characters in URLs (which point to spam sites) with Unicode characters which look similar or identical. This is yet another way of obfuscating URLs in an attempt to make them more difficult to analyse. To understand how this technique works, a bit of knowledge of the Unicode standard is helpful. As well as specifying a large repertoire of characters, Unicode also provides normalisation rules for converting similar and/or equivalent characters to a single form. For example, under various Unicode normalisation forms, an encircled number is considered equivalent to the corresponding ordinary number. This latest spammer obfuscation technique relies on the HTML rendering engine in mail clients (or web...

Ken Bechtel | 01 Aug 2011 | 2 comments

In the past few days, many people in the Anti-Malware community seem to be discussing user education again. Based on these discussions, I felt it a good time to update an older work and re-release it, in the hope that it helps educate our user community.

Ten Rules of Common Sense Anti-Virus

  1. Buy anti-virus software and keep it up to date. If you fail to keep it up to date, you might as well not have anything at all.
  2. Just because you trust a person with your house key doesn't mean they practice safe computing. If you don't know why they are sending you a file, don't double-click on the attachment; ask why it was sent. Beware of sensational headline news links on social networks. A healthy dose of paranoia will save you time, energy and frustration.
  3. Recordable CDs and removable hard drives are cheap; your data is not. With a CD...
Nick Johnston | 13 Jul 2011 | 0 comments

By Nicholas Johnston

As we've covered extensively on the MessageLabs Intelligence blog, 419 or advance fee fraud scammers are skilled at using current events in their scams. In the past we've seen scams relating to earthquakes in Japan and Haiti, and scams relating to the recent unrest in Egypt and Libya.

We recently saw a 419 scam claiming to be from Christine Lagarde, the newly-appointed director of the IMF (International Monetary Fund). The scam follows the usual 419 or advance fee fraud pattern. The scammer claims to be Christine Lagarde, and is releasing all "intercepted consignments" in celebration of her appointment. The catch (or "Rule and Obligation", as the mail puts it) is that to get one of these mysterious consignments, you have to pay a fee of $45 to the IMF in Benin. Of course, this $45 will simply be the first of many increasingly-inventive fees and charges that the scammer demands.

The message was sent through a...