Symantec Intelligence
Bhaskar Krishna | 22 Aug 2012 | 0 comments

As we are all aware, Adobe released security updates for Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh, and Linux. These security updates address the Adobe Flash Player CVE-2012-1535 Remote Code Execution Vulnerability that could cause the application to crash and potentially allow an attacker to take control of the compromised computer. Adobe has also stated that there are reports of the vulnerability being exploited in the wild in limited targeted attacks distributed through malicious Word documents.

We have observed these threats since August 10, 2012, and to date we have successfully blocked more than 1,300 samples. The first sample we saw arrived with the email subject “...

Paul Wood | 07 Aug 2012 | 1 comment

Attacks use Olympics as bait for spam, malware and phishing attacks; the state of Web attack toolkits in 2012

The Olympics is one of those rare occasions where the entire world comes together, setting aside various differences for the competition. The Games are a chance for each country to put their best foot forward and demonstrate their athletic skill and prowess. No doubt this spirit of goodwill generates a significant amount of excitement for athletes and spectators alike when it comes around every four years.

Unfortunately, it’s exactly this goodwill that attackers are attempting to prey upon. In this month’s Symantec Intelligence Report, we take a look at how attackers are using Olympic themed hashtags on Twitter to spread malicious code, bundling threats with popular Olympic-themed Android apps, and creating spam and phishing scams that pretend to be contests sponsored by credit card companies—all in the hopes...

Paul Wood | 11 Jul 2012 | 0 comments

A second look at Flamer, targeted attacks in the first half of 2012, and how attackers attempt targeted attacks

This month we conclude our findings on the recent W32.Flamer threat. We show how there is a connection to Stuxnet and Duqu, discuss what we know about who may have created the threat, and highlight more information about what the threat can do.

We also take another look at targeted attacks in general to see what has changed since we last analyzed them in detail. We show how attacks have increased in the first half of 2012, what sectors are being targeted, and how there has been a shift in the size of companies that are being targeted.

Finally, we look in-depth at an attempted targeted attack recently carried out against a company in the aerospace industry. Breaking the attack down, we look at how the attackers attempt to entice employees in the company into launching malicious code that would give them access to the company...

Paul Wood | 07 Jun 2012 | 0 comments

For years attackers have focused on Windows PCs because of three things: they were simple to exploit, they were everywhere, and the return on investment was lucrative for the thieves. What we’re witnessing now is a shift in attention from attackers. As our computing lives have moved from the once largely exclusive Windows PC world, so too have the attackers moved, hoping to continue to exploit us.

In this month’s Symantec Intelligence Report we take a closer look at this trend, exploring some of the threats outside the sphere of the Windows world. We also take a look at some recent phishing scams preying upon the buildup to the London Olympics, free online storage space, and fake Apple discounts.

In many ways the May Report picks up where volume 17 of the Internet Security Threat Report (ISTR) left off. In particular the ISTR pointed...

Nick Johnston | 18 May 2012 | 1 comment

Today sees the highly-anticipated IPO (Initial Public Offering) of the social-networking site Facebook. The IPO is expected to be several times oversubscribed as the demand for shares greatly exceeds the number of shares being issued.

The high-profile nature of this IPO has not escaped the attention of the “419” or “advance fee fraud” scammers. As a brief reminder, these scams typically promise vast sums of money in exchange for assistance. However, before said sums of money can be received, several increasingly inventive up-front charges and fees must be paid. The fees keep coming and the promised money never materializes.

We recently spotted a 419 scam message offering a "FACEBOOK (IPO) SUBSCRIPTION PARTNERSHIP PROPOSAL". The use of an all uppercase heading is a common hallmark of such 419 scams.

The scam claims to be sent from a finance firm with offices in multiple locations around the world. The exact nature of the...

Nick Johnston | 08 Mar 2012 | 2 comments

Recently we noticed spammers abusing Dropbox, a popular cloud-based, file-hosting and synchronization tool, to spread spam.

Dropbox accounts have a public folder where files can be placed and made publicly available. This function is useful to spammers, as it effectively turns Dropbox into a free hosting site. Spammers have abused URL shortening and free hosting sites for some time. Dropbox also provides a URL shortening service, which spammers have also abused.

Spammers have created several Dropbox accounts, uploading an image and a simple .html file and then using the image to link to a pharmaceutical site.

Following this link takes you to a fairly standard "Canadian Health & Care Mall" site:

We saw over 1,200 unique Dropbox URLs being used in spam...

Nick Johnston | 25 Jan 2012 | 1 comment

Beginning on New Year's Eve, January 1, 2012, and continuing into the days that followed, Symantec Intelligence identified spammers taking advantage of the New Year anniversary, seemingly to entice users into clicking on spam links contained in the email messages.

Further investigation revealed that spammers were compromising legitimate Web servers, leaving the main Web site content intact (to avoid or delay detection) and adding a simple PHP script, typically named "HappyNewYear.php", "new-year-link.php" or "new-year.link.php". These scripts simply redirect to a spam pharmaceutical Web site.

Analysis of one of the messages we saw using these links makes the spammers' motives clearer, as can be seen in figure 1, below.

Figure 1: Example spam email containing New Year reference in spam URL

The message uses social...

Tony Millington | 07 Dec 2011 | 1 comment

With contributions from Manoj Venugopalan, Senior Malware Analyst, Symantec

Introduction
A new day and a new zero-day PDF exploit used in a targeted attack, which our Skeptic heuristic engine stopped. This one exploits a vulnerability in the 3D engine in Adobe Reader (CVE-2011-2462 http://www.adobe.com/support/security/advisories/a...), which is often used to display a 3D wire mesh object that you can rotate and view from all angles in real time. An architect might use it to mock up a plan for a building that the customer can view from within the PDF, very cool. However, the more functions you add to your software, the more chances there are to exploit the format.

Details
The targeted attack against Adobe Reader 9.4.6 on Windows was sent in 5 emails...

Paul Wood | 06 Dec 2011 | 1 comment

Global spam is now at the lowest it has been since November 2008, when the rogue ISP McColo was closed down. The effect on spam volumes back then was very dramatic, and spam accounted for 68.0% of global emails. More recently the decline has been much slower, but spammers have also adapted to using more targeted approaches and exploiting social media as alternatives to email. Moreover, pharmaceutical spam is now at the lowest it has been since we started tracking it, accounting for 35.5% of spam, compared with 64.2% at the end of 2010.

With targeted attacks and advanced persistent threats being very much in the news this year, we thought it would be a good time as the end of the year draws closer to begin our review of targeted attacks and look more closely at what has been described as “advanced persistent threats” or APTs for short. Terms such as APT have been overused and sometimes misused by the media, but APTs are a real threat to some companies and...

Paul Wood | 30 Nov 2011 | 0 comments

A wise man once said, “Whoever wishes to foresee the future must consult the past; for human events ever resemble those of preceding times.” (Machiavelli). Thus, looking back at the major cyber security trends of 2011 helps us gain perspective on what we can expect in the future. So, how would you describe the past year in cyber security and what trends do you think will continue to grow in 2012? A few thoughts come to my mind.

First, perhaps 2011 will be remembered as the year we saw the foundation laid for the successor of the infamous Stuxnet. Another thought is that 2011 will go down in history as the year of the mobile threat; after all, the mobile malware movement finally began in earnest. Finally, maybe we’ll look back on 2011 as the year of targeted attacks, with a concerning number of compromised legitimate digital certificates involved.

We think these key themes from 2011 will continue to grow throughout 2012. Here’s a bit deeper look...