
Symantec Intelligence

Ben Nahorney | 10 Dec 2012 | 1 comment

It seems that everywhere you turn this year, there’s news of another data breach. Sometimes it’s a laptop stolen, other times it’s hackers compromising a database. No matter how they occur, each breach leads to someone’s identity being exposed. Whether or not this exposure leads to identity theft, there’s no doubt that the risk involved and the frequency with which these breaches occur make data breaches one of the top security issues of 2012.

In this month’s Symantec Intelligence Report, we examine the types of data that are often stolen during a data breach. It turns out the most commonly stolen information is more personal than you might first expect: a person’s real name is more likely to be stolen than a username or password.

Overall, the median number of identities stolen per breach...

Takashi Katsuki | 19 Nov 2012 | 0 comments

Initially, I thought that Backdoor.Makadocs was a simple and typical back door Trojan horse. It receives and executes commands from a command-and-control (C&C) server and it gathers information from the compromised computer including the host name and the operating system type. Interestingly, the malware author has also considered the possibility that the compromised computer could be running Windows 8 or Windows Server 2012.

Figure 1. Operating Systems check

Windows 8 was released in October of this year. This is not necessarily a surprise for security researchers as we always encounter new malware when new...

Paul Wood | 13 Nov 2012 | 0 comments

In this month’s report we investigate a new social networking avenue that scammers are attempting to leverage: Instagram. They’re doing so in order to gather personal details and persuade users to sign up for premium-rate mobile services, among other things, generally by creating fake accounts:

The scams take on a number of forms, from spam comments, to fake followers, to liking photos in the hopes people will check out their profiles, which in turn often contain more spam links.

We’ve also noticed a significant drop in email spam volumes this month. The global spam rate has dropped by more than 10%, from 75% of email traffic in September, down to 64.8% in October. It’s good news overall, resulting in a 50 percent drop in spam volume over a two-month period. We take a look at some of the likely causes for this significant drop.


Kazumasa Itabashi | 06 Nov 2012 | 0 comments

W32.IRCBot.NG and W32.Phopifas

In a previous blog, my colleague Kevin Savage detailed a social engineering attack that utilized instant messaging applications. While the infection rates of W32.IRCBot.NG and W32.Phopifas have passed their peaks, the modules continue to be updated daily.

The infection routine of these threats has not changed since they were discovered, but the threat authors have added new file-hosting sites to use in order for the threats to be downloaded. W32.IRCBot.NG attempts to steal passwords that are used to log into the file-hosting sites from compromised computers. In addition, some modules are located on the servers of virtual server services and...

Paul Wood | 08 Oct 2012 | 1 comment

In this month’s report, we take a look at an often-overlooked side of malicious code: how attackers administer the Web servers that they use to spread spam and malicious code. We highlight a PHP-based tool in particular that is often used to control and manipulate the configuration of these Web servers.

The tool can run arbitrary PHP code, brute force file transfer and database accounts, and even allows quick access to Web server configuration files so that the attacker can edit them in order to suit their malicious needs. The attacker can easily obfuscate his or her code, making its function less apparent if viewed by the legitimate server admins. We’ve witnessed this tool being used to create spam-related websites and hosting exploit pages to compromise further computers.

We also take a look at a rather interesting Android application that attempts to trick the user into thinking that they can charge their device with nothing but the rays of the sun. The...

Nick Johnston | 21 Sep 2012

Special thanks to Sian John for reporting the scam.

We recently saw some malicious fake antivirus software. Such software often goes by generic names like “Windows Defender” or similar, but this particular software claims to be a Symantec product. An email claims that not only is the recipient infected—all users on the same network are as well. The email uses out-of-date Symantec branding, and links to a malicious application called RemovalTool.exe. Symantec does not produce a tool like this, nor does it email users in this way.

If a user downloads and executes the tool, a dialog box posing as a Java update appears:

One clue that this is a fake update is that it refers to Sun Microsystems, which developed Java, but was acquired by Oracle several years ago. In addition, the...

Paul Wood | 11 Sep 2012 | 1 comment

A data breach—the accidental or unauthorized release of private information—is a serious issue for an organization these days. The exposure of customer data can lead to a significant loss of a user’s confidence in the organization. Even worse, the organization could find itself in violation of data privacy laws or on the receiving end of a lawsuit created by its users.

We decided to take a look at the current state of data breaches in the August Symantec Intelligence Report, comparing the first eight months of 2012 against the last eight months of 2011. At first glance it appears that attacks are down—while the overall number of breaches stayed about the same, the average number of identities stolen per breach is down by almost half.

However, this can be attributed to a handful of very large data breaches in our 2011 data set...

Symantec Security Response | 10 Sep 2012 | 0 comments

In 2009, we saw the start of high profile attacks by a group using the Hydraq (Aurora) Trojan horse. We've been monitoring the attacking group's activities for the last three years as they've consistently targeted a number of industries. These attackers have used a large number of zero-day exploits against not just the intended target organization, but also on the supply chain manufacturers that service the company in their cross hairs. These attackers are systematic and re-use components of an infrastructure we have termed the "Elderwood Platform". The term "Elderwood" comes from the exploit communication used in some of the attacks. This attack platform enables them to quickly deploy zero-day exploits. The attacking methodology has always used spear phishing emails but we are now seeing an increased adoption of "watering hole" attacks (...

Bhaskar Krishna | 22 Aug 2012 | 0 comments

As we are all aware, Adobe released security updates for Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh, and Linux. These security updates address the Adobe Flash Player CVE-2012-1535 Remote Code Execution Vulnerability that could cause the application to crash and potentially allow an attacker to take control of the compromised computer. Adobe has also stated that there are reports of the vulnerability being exploited in the wild in limited targeted attacks distributed through malicious Word documents.


We have observed these threats since August 10, 2012, and to-date we have successfully blocked more than 1,300 samples. The first sample we saw arrived with the email subject “...

Paul Wood | 07 Aug 2012 | 1 comment

Attacks use Olympics as bait for spam, malware and phishing attacks; the state of Web attack toolkits in 2012

The Olympics is one of those rare occasions where the entire world comes together, setting aside various differences for the competition. The Games are a chance for each country to put their best foot forward and demonstrate their athletic skill and prowess. No doubt this spirit of goodwill generates a significant amount of excitement for athletes and spectators alike when it comes around every four years.

Unfortunately, it’s exactly this goodwill that attackers are attempting to prey upon. In this month’s Symantec Intelligence Report, we take a look at how attackers are using Olympic themed hashtags on Twitter to spread malicious code, bundling threats with popular Olympic-themed Android apps, and creating spam and phishing scams that pretend to be contests sponsored by credit card companies—all in the hopes...