Symantec Intelligence
Paul Wood | 11 Jul 2012 | 0 comments

A second look at Flamer, targeted attacks in the first half of 2012, and how attackers attempt targeted attacks

This month we conclude our findings on the recent W32.Flamer threat. We show how there is a connection to Stuxnet and Duqu, discuss what we know about who may have created the threat, and highlight more information about what the threat can do.

We also take another look at targeted attacks in general to see what has changed since we last analyzed them in detail. We show how attacks have increased in the first half of 2012, what sectors are being targeted, and how there has been a shift in the size of companies that are being targeted.

Finally, we look in-depth at an attempted targeted attack recently carried out against a company in the aerospace industry. Breaking the attack down, we look at how the attackers attempt to entice employees in the company into launching malicious code that would give them access to the company...

Paul Wood | 07 Jun 2012 | 0 comments

For years attackers have focused on Windows PCs because of three things: they were simple to exploit, they were everywhere, and the return on investment was lucrative for the thieves. What we’re witnessing now is a shift in attention from attackers. As our computing lives have moved from the once largely exclusive Windows PC world, so too have the attackers moved, hoping to continue to exploit us.

In this month’s Symantec Intelligence Report we take a closer look at this trend, exploring some of the threats outside the sphere of the Windows world. We also take a look at some recent phishing scams preying upon the buildup to the London Olympics, free online storage space, and fake Apple discounts.

In many ways the May Report picks up where volume 17 of the Internet Security Threat Report (ISTR) left off. In particular the ISTR pointed...

Nick Johnston | 18 May 2012 | 1 comment

Today sees the highly-anticipated IPO (Initial Public Offering) of the social-networking site Facebook. The IPO is expected to be several times oversubscribed as the demand for shares greatly exceeds the number of shares being issued.

The high-profile nature of this IPO has not escaped the attention of the “419” or the “advance fee fraud” scammers. As a brief reminder, these scams typically promise vast sums of money in exchange for assistance. However, before said sums of money can be received, several increasingly-inventive up-front charges and fees must be paid. The fees keep coming and the promised money never materializes.

We recently spotted a 419 scam message offering a "FACEBOOK (IPO) SUBSCRIPTION PARTNERSHIP PROPOSAL". The use of an all uppercase heading is a common hallmark of such 419 scams.

The scam claims to be sent from a finance firm with offices in multiple locations around the world. The exact nature of the...

Nick Johnston | 08 Mar 2012 | 2 comments

Recently we noticed spammers abusing Dropbox, a popular cloud-based, file-hosting and synchronization tool, to spread spam.

Dropbox accounts have a public folder where files can be placed and made publicly available. This function is useful to spammers, as it effectively turns Dropbox into a free hosting site. Spammers have abused URL shortening and free hosting sites for some time. Dropbox also provides a URL shortening service, which spammers have also abused.

Spammers have created several Dropbox accounts, uploading an image and a simple .html file and then using the image to link to a pharmaceutical site.

Following this link takes you to a fairly standard "Canadian Health & Care Mall" site:

We saw over 1,200 unique Dropbox URLs being used in spam...

Nick Johnston | 25 Jan 2012 | 1 comment

Beginning on New Year's Eve, January 1, 2012 and continuing into the days following, Symantec Intelligence identified spammers taking advantage of the New Year anniversary, seemingly to entice users into clicking on spam links contained in the email messages.

Further investigation revealed that spammers were compromising legitimate Web servers, leaving the main Web site content intact (to avoid or delay detection) and simply adding a simple PHP script, typically named "HappyNewYear.php", "new-year-link.php" or "new-year.link.php". These scripts simply redirect to a spam pharmaceutical Web site.

Analysis of one of the messages we saw using these links makes the spammers' motives clearer, as can be seen in figure 1, below.

Figure 1: Example spam email containing New Year reference in spam URL

The message uses social...

Tony Millington | 07 Dec 2011 | 1 comment

With contributions from Manoj Venugopalan, Senior Malware Analyst, Symantec

Introduction
A new day and a new zero-day PDF exploit used in a targeted attack which our Skeptic heuristic engine stopped. This one exploits a vulnerability in the 3D engine in Adobe Reader (CVE-2011-2462 http://www.adobe.com/support/security/advisories/a...) which is often used to display a 3D wire mesh object that you can rotate and view from all angles in real time. An architect might use it to mock up a plan for a building that the customer can view from within the PDF, very cool. However, the more functions you add to your software, the more chance there is to exploit the format.

Details
The targeted attack against Adobe Reader 9.4.6 on Windows was sent in 5 emails...

Paul Wood | 06 Dec 2011 | 1 comment

Global spam is now at the lowest it has been since November 2008, when the rogue ISP McColo was closed down. The effect on spam volumes back then was very dramatic, and spam accounted for 68.0% of global emails. More recently the decline has been much slower, but spammers have also adapted to using more targeted approaches and exploiting social media as alternatives to email. Moreover, pharmaceutical spam is now at the lowest it has been since we started tracking it, accounting for 35.5% of spam, compared with 64.2% at the end of 2010.

With targeted attacks and advanced persistent threats being very much in the news this year, we thought it would be a good time as the end of the year draws closer to begin our review of targeted attacks and look more closely at what has been described as “advanced persistent threats” or APTs for short. Terms such as APT have been overused and sometimes misused by the media, but APTs are a real threat to some companies and...

Paul Wood | 30 Nov 2011 | 0 comments

A wise man once said, “Whoever wishes to foresee the future must consult the past; for human events ever resemble those of preceding times.” (Machiavelli). Thus, looking back at the major cyber security trends of 2011 helps us gain perspective on what we can expect in the future. So, how would you describe the past year in cyber security and what trends do you think will continue to grow in 2012? A few thoughts come to my mind.

First, perhaps 2011 will be remembered as the year we saw the foundation laid for the successor of the infamous Stuxnet. Another thought is that 2011 will go down in history as the year of the mobile threat; after all the mobile malware movement finally began in earnest. Finally, maybe we’ll look back on 2011 as the year of targeted attacks; with a concerning number of compromised legitimate digital certificates involved.

We think these key themes from 2011 will continue to grow throughout 2012. Here’s a bit deeper look...

ron_poserina | 21 Nov 2011 | 0 comments

Recently ProofPoint posted a blog with a chart detailing some of the differences between Symantec.cloud (formerly MessageLabs) and ProofPoint technologies. Several of the side-by-side comparisons are inaccurate, so we are posting this blog to address the factual inaccuracies.

In the section entitled “Content filtering of email attachments” a more accurate representation would look like this:

In the section entitled “End User Functionality” a more accurate representation would look like this:

And finally, in the section entitled “Reporting and Log Search” a more accurate representation would look like this:

The section “Phishing detection” inaccurately represents...

| 14 Oct 2011 | 0 comments

Do you know which of these Instant Messaging (IM) scenarios could put a company at risk and which are harmless? Have you (or someone you know) ever…

  • Sent a file over IM to a coworker who needed it ASAP?
  • Clicked on a link sent in IM by a colleague (i.e. “Hey I thought you might like this…”)?
  • Griped to a coworker about how frustrating the day has been?
  • Chatted with an ex-colleague to obtain a client list?

The rise of IM has undeniable benefits for business, but it poses a serious slew of security risks: Worms, Trojans, hackers and spim (IM spam), to name a few.

Symantec has developed a one-to-two minute survey to gauge how employees IM and how their IM habits might lure or detour cyber attacks.

So, is IM the potential weak link in an organization’s security defense? We’ll keep you posted on what we find out.

We’d love to hear from you. Take our survey here, and...