Symantec Intelligence
Kazumasa Itabashi | 06 Nov 2012 | 0 comments

W32.IRCBot.NG and W32.Phopifas

In a previous blog, my colleague Kevin Savage detailed a social engineering attack that utilized instant messaging applications. While the infection rates of W32.IRCBot.NG and W32.Phopifas have passed their peaks, the modules continue to be updated daily.

The infection routine of these threats has not changed since they were discovered, but the threat authors have added new file-hosting sites from which the threats are downloaded. W32.IRCBot.NG attempts to steal the passwords used to log into these file-hosting sites from compromised computers. In addition, some modules are located on the servers of virtual server services and...

Paul Wood | 08 Oct 2012 | 1 comment

In this month’s report, we take a look at an often-overlooked side of malicious code: how attackers administer the Web servers that they use to spread spam and malicious code. We highlight a PHP-based tool in particular that is often used to control and manipulate the configuration of these Web servers.

The tool can run arbitrary PHP code, brute force file transfer and database accounts, and even allows quick access to Web server configuration files so that the attacker can edit them in order to suit their malicious needs. The attacker can easily obfuscate his or her code, making its function less apparent if viewed by the legitimate server admins. We’ve witnessed this tool being used to create spam-related websites and hosting exploit pages to compromise further computers.

We also take a look at a rather interesting Android application that attempts to trick the user into thinking that they can charge their device with nothing but the rays of the sun. The...

Nick Johnston | 21 Sep 2012

Special thanks to Sian John for reporting the scam.

We recently saw some malicious fake antivirus software. Such software often goes by generic names like “Windows Defender” or similar, but this particular software claims to be a Symantec product. An email claims that not only is the recipient infected—all users on the same network are as well. The email uses out-of-date Symantec branding, and links to a malicious application called RemovalTool.exe. Symantec does not produce a tool like this, nor does it email users in this way.

If a user downloads and executes the tool, a dialog box posing as a Java update appears:

One clue that this is a fake update is that it refers to Sun Microsystems, which developed Java, but was acquired by Oracle several years ago. In addition, the...

Paul Wood | 11 Sep 2012 | 1 comment

A data breach—the accidental or unauthorized release of private information—is a serious issue for an organization these days. The exposure of customer data can lead to a significant loss of a user’s confidence in the organization. Even worse, the organization could find itself in violation of data privacy laws or on the receiving end of a lawsuit created by its users.

We decided to take a look at the current state of data breaches in the August Symantec Intelligence Report, comparing the first eight months of 2012 against the last eight months of 2011. At first glance it appears that attacks are down—while the overall number of breaches stayed about the same, the average number of identities stolen per breach is down by almost half.

However, this can be attributed to a handful of very large data breaches in our 2011 data set...

Symantec Security Response | 10 Sep 2012 | 0 comments

In 2009, we saw the start of high profile attacks by a group using the Hydraq (Aurora) Trojan horse. We've been monitoring the attacking group's activities for the last three years as they've consistently targeted a number of industries. These attackers have used a large number of zero-day exploits against not just the intended target organization, but also on the supply chain manufacturers that service the company in their cross hairs. These attackers are systematic and re-use components of an infrastructure we have termed the "Elderwood Platform". The term "Elderwood" comes from the exploit communication used in some of the attacks. This attack platform enables them to quickly deploy zero-day exploits. The attacking methodology has always used spear phishing emails but we are now seeing an increased adoption of "watering hole" attacks (...

Bhaskar Krishna | 22 Aug 2012 | 0 comments

As we are all aware, Adobe released security updates for Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh, and Linux. These security updates address the Adobe Flash Player CVE-2012-1535 Remote Code Execution Vulnerability that could cause the application to crash and potentially allow an attacker to take control of the compromised computer. Adobe has also stated that there are reports of the vulnerability being exploited in the wild in limited targeted attacks distributed through malicious Word documents.
We have observed these threats since August 10, 2012, and to-date we have successfully blocked more than 1,300 samples. The first sample we saw arrived with the email subject “...

Paul Wood | 07 Aug 2012 | 1 comment

Attacks use Olympics as bait for spam, malware and phishing attacks; the state of Web attack toolkits in 2012

The Olympics is one of those rare occasions where the entire world comes together, setting aside various differences for the competition. The Games are a chance for each country to put their best foot forward and demonstrate their athletic skill and prowess. No doubt this spirit of goodwill generates a significant amount of excitement for athletes and spectators alike when it comes around every four years.

Unfortunately, it’s exactly this goodwill that attackers are attempting to prey upon. In this month’s Symantec Intelligence Report, we take a look at how attackers are using Olympic themed hashtags on Twitter to spread malicious code, bundling threats with popular Olympic-themed Android apps, and creating spam and phishing scams that pretend to be contests sponsored by credit card companies—all in the hopes...

Paul Wood | 11 Jul 2012 | 0 comments

A second look at Flamer, targeted attacks in the first half of 2012, and how attackers attempt targeted attacks

This month we conclude our findings on the recent W32.Flamer threat. We show how there is a connection to Stuxnet and Duqu, discuss what we know about who may have created the threat, and highlight more information about what the threat can do.

We also take another look at targeted attacks in general to see what has changed since we last analyzed them in detail. We show how attacks have increased in the first half of 2012, what sectors are being targeted, and how there has been a shift in the size of companies that are being targeted.

Finally, we look in-depth at an attempted targeted attack recently carried out against a company in the aerospace industry. Breaking the attack down, we look at how the attackers attempt to entice employees in the company into launching malicious code that would give them access to the company...

Paul Wood | 07 Jun 2012 | 0 comments

For years attackers have focused on Windows PCs because of three things: they were simple to exploit, they were everywhere, and the return on investment was lucrative for the thieves. What we’re witnessing now is a shift in attention from attackers. As our computing lives have moved from the once largely exclusive Windows PC world, so too have the attackers moved, hoping to continue to exploit us.

In this month’s Symantec Intelligence Report we take a closer look at this trend, exploring some of the threats outside the sphere of the Windows world. We also take a look at some recent phishing scams preying upon the buildup to the London Olympics, free online storage space, and fake Apple discounts.

In many ways the May Report picks up where volume 17 of the Internet Security Threat Report (ISTR) left off. In particular the ISTR pointed...

Nick Johnston | 18 May 2012 | 1 comment

Today sees the highly-anticipated IPO (Initial Public Offering) of the social-networking site Facebook. The IPO is expected to be several times oversubscribed as the demand for shares greatly exceeds the number of shares being issued.

The high-profile nature of this IPO has not escaped the attention of the “419” or the “advance fee fraud” scammers. As a brief reminder, these scams typically promise vast sums of money in exchange for assistance. However, before said sums of money can be received, several increasingly-inventive up-front charges and fees must be paid. The fees keep coming and the promised money never materializes.

We recently spotted a 419 scam message offering a "FACEBOOK (IPO) SUBSCRIPTION PARTNERSHIP PROPOSAL". The use of an all uppercase heading is a common hallmark of such 419 scams.

The scam claims to be sent from a finance firm with offices in multiple locations around the world. The exact nature of the...