Symantec Intelligence

The Symantec Intelligence Blog published by serves as a conduit for communicating Intelligence data, trends and statistics based on analysis of cyber security threats, trends and insights from the Symantec Intelligence team comprised of many world-renowned malware and spam experts. Sitting on the front lines of defense, they have a global view of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they monitor each day.

Follow Us on Twitter
  • 0
    Created: MarissaVicario 21 Sep 2010

    Javascript Exploit on Twitter

    Posted on behalf of Mathew Nisbet, Malware Data Analyst Today there has been a lot of traffic on Twitter related to a very recently discovered Javascript exploit. It took advantage of the way Twitter handled Javascript in updates. Most of the exploits seen used the "onmouseover" trigger, which meant that all a user had to do was move the mouse over a tweet and the code would run. Most would just repost the same thing to your own wall, some would repost and redirect the user to another site. There were some examples of users being redirected towards porn sites. The fact it only needed a cursor to move over it is why it spread so very rapidly all over the world, before people knew what was happening. More info and screenshots can be found in this F-Secure blog: Users of the...
  • 2
    Created: MarissaVicario 17 Sep 2010

    PDF Zero-day Targeted Attack Practically Unnoticed due to ‘Here You Have’ Virus

    Posted on behalf of Bhaskar Krishnappa, Malware Analyst, Symantec Hosted Services This month, the security world has witnessed two major threats that occurred around the same time. The first one was the mass mailer worm “Here You Have” (W32.Imsolk.B@mm), and this was well documented in the media, but the other was a lesser-known attack, exploiting a zero-day vulnerability in the PDF file format (CVE-2010-2883). In both events, Symantec Hosted Services protected all of its MessageLabs customers proactively, giving them an upper hand over their would-be attackers. This blog is to caution its readers about such email threats. On September 9, as the world...
  • 2
    Created: Paul Wood 10 Sep 2010

    “Here you have” Mass-mailing virus returns to old-school tactics

    By Tony Millington, Malware Operations Engineer, Symantec Hosted Services On September 9, 2010 at 15:20 (GMT) MessageLabs Intelligence identified and began blocking a new virus attack using old mass-mailer techniques. Using Skeptic’s patented heuristics, Symantec Hosted Services customers, using MessageLabs Hosted Email AntiVirus, were fully protected from this threat from the outset. As a hosted solution in the cloud, the mass mailer worm was detected using Skeptic’s unique predictive heuristics and it was blocked before it reached clients’ networks – this means that there was no need for customers to update patches or virus definitions.  The heuristic rule that triggered the detection of this virus by Skeptic was actually added in 2008. At its peak Symantec Hosted Services were blocking over 2,000 malicious emails per a minute. The last copy was blocked on September 10, 2010 at 08:33 GMT, during which time 106,390 copies were...
  • 0
    Created: MarissaVicario 03 Sep 2010

    Cutwail Takedown Cripples Bredolab Trojan; No Effect on Spam Levels

    Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services The Cutwail botnet has been one of the most prolific spamming botnets during the last two to three years.  Even before the McColo ISP takedown in November 2008, Cutwail represented between ten and 15 percent of all global spam.  Cutwail was almost certainly disrupted by the takedown of McColo, but came back bigger and stronger in response. At its peak at the start of June 2009, Cutwail was responsible for more than 45 percent of all spam and between 1.4 and 2.1 million bots under its control. In June 2009 and August 2009, Cutwail took some more notable hits, as rogue ISPs were identified and shut down. We reported what happened to Cutwail as a result of the 3FN takedown in the June 2009 MLI report...
  • 0
    Created: MarissaVicario 30 Aug 2010

    Unusual Phishing Scam Disguised as Fast Food Restaurant Survey Aims to Steal Financial Information

    Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec Hosted Services MessageLabs Intelligence has recently seen an interesting variant on normal bank and other financial institution phishing. This particular phish message encourages the recipient to receive 90 dollars by completing a survey sponsored by a fast food restaurant. This scam is different than normal phishing where phishers often impersonate banks and other financial institutions, claiming that the victim's account has been temporarily disabled, requiring some kind of action to restore it. The use of a well-known, unrelated, trusted third-party fast food restaurant brand as a vector for stealing confidential information is relatively new. It appears that this phish was aimed at users in New Zealand. Our analysis shows that most of the recipients where in Australia or New Zealand, the URL of the site included, presumably a very poor attempt by the phishers to try to fool people...
  • 0
    Created: MarissaVicario 25 Aug 2010

    Dating scammers can be ingenious

    By Yuriko Kako-Batt, Malware Analyst, Symantec Hosted Services Dating scams are a common spam email problem.  Spam relating to sex or dating currently accounts for approximately 4 percent of global spam.  In a typical scam, a recipient (male or female) would receive an email from a stranger and the email might say something along the lines of: “I found your information on a website. I think you are my true love…write back to me soon”.  If the recipient replies to the email, the scammer would begin to write to them with stories about their family, their background and how much they love the recipient; any number of subjects are discussed, and flattering/suggestive comments are made, until at some point the attacker feels that the potential victim has been socially engineered to the point that they trust the attacker....
  • 1
    Created: MarissaVicario 25 Aug 2010

    Scareware Haunts Airport Internet Terminals

    Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec Hosted Services This year, people traveling by air have had to contend with disruption caused by the volcanic ash cloud from the Eyjafjallajökull eruption in Iceland, industrial action and tour operators collapsing. But while traveling ourselves, we noticed another threat: airport Internet terminals infected with malware. Many airports have public Internet terminals for passengers without their own laptops to check email or browse the Web. In a large airport in England, we noticed one terminal with an usual "Defense Center Installer" dialog box. "Defense Center Installer" is a fake anti-virus software, also known as "scareware". This type of malware claims that a user is infected with a virus, and encourages them to buy the full version of the software to clean the fictitious infection. It's also common for this type of malware to try to uninstall...
  • 0
    Created: Daren Lewis 23 Aug 2010

    August Botnet Distribution

    In the August 2010 MessageLabs Intelligence report (available here on Tuesday) we present our analysis of the top botnets globally. An analysis of individual bot IP addresses allows mapping of the physical location of bots. This animation allows you to view the variation in geographic concentrations of bots between the top five botnets as reported in the August report: Rustock Grum Cutwail Mega-D Lethic The animation displays each botnet for two seconds. To see an interactive version vist: Bots are widely distributed globally with greater prevalence in those areas with high levels of computer and broadband adoption. In this analysis, with the bots localized to...
  • 0
    Created: MarissaVicario 16 Aug 2010

    Image Spam

    Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Service The use of images in spam is well known, and has been going on for as long as it has been possible to send images in email messages. There are many reasons for using images in email, from simply making the email more interesting, or adding a look of professionalism, to attempting to evade text based spam filters and signatures. The use of remote images in particular has been steadily increasing over the last 16 months. In remote images, the image is not actually contained within the email itself. Instead the email uses HTML to link to a remotely hosted image, which most modern email clients will render just like a web browser. There are good reasons a spammer would want to use remotely hosted images. First, they can change the content of a spam run at any time without having to update templates or make any...
  • 0
    Created: MarissaVicario 10 Aug 2010

    Personalized Spam

    Posted on behalf of Mathew Nisbet, Malware Data Analyst Spammers use many tactics to add legitimacy to their emails. One technique used is the personalization of their spam, where the spammer will add text to the email that specifically mentions the recipient, a technique often used in legitimate marketing campaigns. A legitimate marketing email from a well known company will usually include the recipient’s name. In this case the marketer will likely have access to the users’ personal information because the user has signed up to receive their newsletter or is a previous customer. For a spammer, obtaining personal information is not so simple. An easy way for them to get a similar effect though, is to simply use the email address to which they are sending. While this is not a name, it can have the same effect by making the email appear it was sent in accordance with a legitimate mailing list, rather than spamming at random. This can be a...