Symantec Intelligence
MarissaVicario | 26 Mar 2010 | 0 comments

By Dan Bleaken, Malware Data Analyst, Symantec Hosted Services

MessageLabs Intelligence analysts found a 419 scam today that is a little different from the majority of 419s.

The basic premise of a 419 scam (also commonly referred to as an advance fee fraud scam) is that the recipient is entitled to, or has won, a large sum of money, and in order to get the money they need to contact someone (usually a webmail address but sometimes a phone number), or email personal details to a webmail address.

As well as it being highly likely that the recipient’s email address would then be added to the scammers’ list of targets (lining up the recipient for many more scam emails in future), the next stage would almost certainly be for the scammers to phone or email back to get the victim to send an advance fee in order to release the supposed money. As is so often the case with advance fee fraud scams or 419s, the initial email is just the...

Daren Lewis | 25 Mar 2010 | 1 comment

Posted on behalf of Greg Leah, Dan Bleaken, Seth Hardy, Jo Hurcombe & Tony Millington

Symantec Hosted Services analysts spotted a blocked targeted attack yesterday that uses the FIFA World Cup 2010 to encourage the recipient to open a malicious PDF attachment. It uses a very fresh vulnerability in Adobe Reader.

First some background on targeted attacks.

What is a targeted attack?
  • Probably the most damaging type of internet threat
  • Takes place via email
  • Designed to target a specific individual or organisation
  • Aim is to extract sensitive/valuable information
  • Used to gain competitive advantage, blackmail, harm reputation, gather intelligence/spy, steal secrets/designs/ideas, other information

How is it done?
  • First the attacker performs...

MarissaVicario | 24 Mar 2010 | 0 comments

Posted on behalf of Dan Bleaken, Malware Data Analyst and Nick Johnston, Senior Software Engineer, Symantec Hosted Services

This week MessageLabs Intelligence noticed some eye-catching artwork from spammers.

‘ASCII art’ is the use of the ASCII character set (just under 100 characters available on standard keyboards) to produce a picture.

For example:

Over the years ASCII art has been used sporadically in spam. Spammers use it as a way to obfuscate words, presenting messages written in ASCII art rather than simple text. This often frustrates attempts by some of the more basic anti-spam technology to recognise certain phrases. The same thinking is behind the use of images containing text....

Daren Lewis | 17 Mar 2010 | 0 comments

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

Normally in the run-up to any popular event we would expect to see a flurry of spam subjects and themes using that event. It happens all the time around events like Christmas, the Olympics, and so on. One such event that is extremely popular in many parts of the world is St. Patrick's Day, so naturally we expected to see an increase in the amount of spam using the subject of the upcoming St. Patrick's Day celebrations to try and get people's attention.

However, we were surprised to find that this time the rise in related subjects just hasn't happened! There is of course still some spam appearing on the theme of St. Patrick's Day, but for the most part these seem to be the same old generic pharmaceutical spam mails with a themed subject line. All of them together made up 0.003% of spam on the 16th March. So far on the 17th (St. Patrick's...

Daren Lewis | 16 Mar 2010 | 0 comments

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

There is a huge variety in the types of spam that are sent all over the internet, but there are patterns to be found in the chaos.

One way to see patterns is to look at the words most commonly used in spam. If we take a random sample of global spam over a one-week period, then there is quite a jumble of topics, but even through all the noise you can see certain words still stand out, as illustrated here (the larger a word, the more often it occurs):

As you can see, the popular words are fairly generic but all seem to be geared towards encouraging an immediate reaction, trying to create some sense of urgency. This is further indicated by the fact that 5 of the top 6 words have an exclamation mark. Spammers like to create a sense of urgency in their messages,...

MarissaVicario | 10 Mar 2010 | 0 comments

Posted on behalf of Dan Bleaken, Malware Analyst, Symantec Hosted Services

In the past few days we have noticed that the Rustock botnet has been sending a lot more spam using TLS (Transport Layer Security). TLS is the successor to SSL and is a popular way of sending email through an encrypted channel, rather than sending it in the clear like most emails are sent. MessageLabs Intelligence tracks the use of TLS in order to determine how much spam is sent over TLS, and which botnets are sending it.

Not all mail servers force clients to use TLS, but it is frequently used for securing the communications channel between the client email sender and the email server to which the message is being delivered. It prevents eavesdropping on email traffic that would otherwise be sent in plain sight for anyone else on the network to see if they so wished, perhaps using network analysis tools. Some businesses mandate TLS for remote clients, for example, an employee connecting...

Paul Wood | 01 Mar 2010 | 2 comments

By Yuriko Kako-Batt, Anti-spam Analyst, Symantec Hosted Services

Spam is one of the biggest problems for everyone who uses email. What we imagine when we think of the word “spam” can be different for each of us and may include spam for dating, fake lotteries, fake designer brands, counterfeit watches, free software – and the list goes on. There are various types of spam that we all receive in our mailboxes every day, and I would be surprised if you had never received “Pharmaceutical spam” that includes hyperlinks leading to websites where you can buy your “little blue pills” without a prescription.

This “Pharmaceutical spam” now accounts for more than 65% of all spam, as can be seen in the chart below. This type of spam is almost always delivered by some of the largest spam-sending botnets, including Rustock, Grum, Cutwail and Donbot.


MarissaVicario | 25 Feb 2010 | 0 comments

Posted on behalf of Tony Millington, Malware Operations Engineer, Symantec Hosted Services

MessageLabs Intelligence tracked a new targeted attack yesterday using emails pretending to be from the New York Times sending out its "Times Reader" software, hitting six different domains. One domain was a public sector domain, one was a law firm, three were chemical companies, but most interestingly the last one was an online gambling company. All are UK-based companies. The email attacks appear to have originated from Greece. We can't see this being used as a botnet.

When executed, the "Times Reader Plugin.exe" uses iexplore.exe to send encrypted data to a host that resolves to an IP address in Denmark, which looks like a computer on a home network. It doesn't display anything when you run the exe, so the victim wouldn't know they have been infected. The only indication is an iexplore.exe process running when there is no IE browser session...

Paul Wood | 23 Feb 2010 | 0 comments

By Manoj Venugopalan, Malware Analyst, Symantec Hosted Services

Brazil is the biggest country in Latin America with a population of over 198.7m people, 34% of whom are connected to the internet. It is also a country with a low GDP per capita and higher rates of criminality, especially relating to cyber crime. With tens of millions of users already using online banking services in Brazil, cyber criminals find Internet banking an attractive target, particularly through banking Trojans used to bypass two-factor authentication systems and other security countermeasures.

MessageLabs Intelligence has seen many Banker Trojan attacks in the past, however, more recently, I came across two different banks that were being targeted by one single attacker: Bradesco and Sicredi. MessageLabs Intelligence had been blocking the Bradesco banking attack some days ago, but then I noticed the Sicredi Bank attack on Saturday 20 February. It was...

MarissaVicario | 22 Feb 2010 | 0 comments

By Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services

Ten years ago, on 14 February 2000, DDoS or distributed denial-of-service attacks – which attempt to cause disruption to an online service or application – knocked a number of high-profile websites offline for several hours, including a well known auction site, the website of a global news channel and an internationally recognized online retail site. Fast forward a decade and DDoS attacks have evolved to be more sophisticated, more prevalent and more dangerous than ever. Most recently, the website of a prominent Russian newspaper was targeted, causing major disruption for the publication and its readers.

Botnets are a key player in DDoS attacks. Right now, we know that the most prominent spam-sending botnets control over five million active PCs. The actual number of botnets in existence is likely to be much higher, as an infected bot only becomes...