
Symantec Intelligence

Olivia Borsje | 13 Oct 2011 | 0 comments

In the last week or so, erroneous statements about Symantec Enterprise Vault.cloud have popped up on a few social media sites. The statements claim that Symantec Enterprise Vault.cloud is not a “true” cloud solution and is merely an example of the negative “cloud labeling trend.”

We just want to take a minute to address a few of the factual inaccuracies with these statements and set the record straight.

Erroneous Statement #1:

As an established software vendor, Symantec provides over 30,000 customers with an on-premises archiving solution, Enterprise Vault.

Symantec.cloud, formerly Message Labs, has worked in the cloud space for more than 11 years and is the biggest provider of email, web and instant messaging security services in the cloud.

Erroneous Statement #2:

Competition within the cloud archiving market is significantly...

| 29 Sep 2011 | 0 comments

It’s no secret that the proliferation of mobile devices in the workplace has added to the ongoing struggle between employees who want to use their mobile devices to access corporate data and the IT departments working to secure and control all of their business endpoints.

Employees demand access to corporate networks and data wherever they are, on whichever device they happen to be using. At the same time, companies trying to keep up with that demand are under increasing pressure to comply with regulatory requirements, which leaves IT departments searching for ways to secure and manage mobile workers without interfering with how they get their jobs done.

To get a closer look at this challenge, Symantec partnered with IDG Research Services to sponsor a survey of IT security professionals at 115 organizations exploring the security and compliance risks associated with a growing mobile workforce.

There is no shortage of IT pros that believe...

Bhaskar Krishna | 27 Sep 2011 | 1 comment

Many recent office printers have a scan-to-email feature that lets users email a scanned document to a specified address on demand. Symantec Intelligence has identified malware authors using social engineering that takes advantage of this, sending executables inside a compressed ".zip" archive via email. The archive contains an executable disguised as a document scanned on an office printer, as in the example in figure 1, below.
 

Figure 1: Example of malicious email masquerading as a scanned document sent from an office printer

In each case the sender domain was spoofed to match the recipient domain, sometimes appearing as though forwarded to the recipient by a colleague at the same organization, implying that this email originated internally.
To be clear, office printers and scanners will not send malware-laden...
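As an added example that is not part of the original post, the following Python triages one message for the indicators the post describes: a sender domain spoofed to match the recipient's domain, a message that entered the mail path from a host other than the organisation's own relay, and a .zip attachment that carries an executable (detected by extension or by the PE "MZ" signature, so a double extension such as "Scan_001.pdf.exe" is not required). The organisation's domain, the trusted relay hostname and the sample message are assumptions constructed for the example.

```python
"""Triage a 'scan-to-email' lure: spoofed internal sender plus a zipped executable.
Added example; the domain, relay and sample message below are assumptions."""
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

OUR_DOMAINS = {"example.com"}            # domains this organisation owns (assumption)
INTERNAL_RELAYS = {"mail.example.com"}   # hosts that legitimately originate internal mail (assumption)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def _domain(addr: str) -> str:
    """Domain part of an address such as 'Printer <printer@example.com>'."""
    return email.utils.parseaddr(addr)[1].rpartition("@")[2].lower()


def _origin_host(msg) -> str:
    """Host named in the oldest Received header: where the message entered the path we can see."""
    received = msg.get_all("Received", [])
    if not received:
        return ""
    parts = received[-1].split()          # MTAs prepend Received, so the last one is the oldest
    return parts[1].lower() if len(parts) > 1 and parts[0].lower() == "from" else ""


def inspect_zip(data: bytes) -> list:
    """Names of archive members that look executable by extension or by the PE 'MZ' signature."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(2)
            if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS) or head == b"MZ":
                hits.append(info.filename)
    return hits


def triage(raw: bytes) -> dict:
    """Return the indicators the post describes for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = _domain(msg.get("From", ""))
    recipients = {_domain(a) for _, a in email.utils.getaddresses(msg.get_all("To", []))}
    origin = _origin_host(msg)
    result = {
        "sender_matches_recipient_domain": sender in recipients,
        "internal_sender_from_external_host": sender in OUR_DOMAINS and origin not in INTERNAL_RELAYS,
        "executables_in_zip": [],
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() == "application/zip":
            try:
                result["executables_in_zip"] += inspect_zip(part.get_content())
            except zipfile.BadZipFile:
                result["executables_in_zip"].append("<corrupt archive: " + name + ">")
    result["suspicious"] = result["internal_sender_from_external_host"] and bool(result["executables_in_zip"])
    return result


def build_sample(from_external: bool = True, member: str = "Scan_001.pdf.exe") -> bytes:
    """Constructed sample message (not a real capture) modelled on the lure in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ" + b"\x00" * 62)   # fake PE header, not a working program
    origin = ("203-0-113-5.isp.invalid (unknown [203.0.113.5])" if from_external
              else "mail.example.com (mail.example.com [192.0.2.10])")
    msg = EmailMessage()
    # Received headers are written newest-first, as a receiving MTA would leave them.
    msg["Received"] = "from mail.example.com (mail.example.com [192.0.2.10]) by mx.example.com; Tue, 27 Sep 2011 10:00:00 +0000"
    msg["Received"] = "from " + origin + " by mail.example.com; Tue, 27 Sep 2011 09:59:58 +0000"
    msg["From"] = "Office Printer <printer@example.com>"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Fwd: Scan from office printer"
    msg.set_content("Please see the attached scanned document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Scan_001.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The origin check is the one that separates this lure from a genuine internal forward: a message whose From domain is the organisation's own but whose oldest Received hop is an outside host never passed through the organisation's relay. On a real mail gateway the same decision is better taken from SPF/DMARC results on the envelope sender, but the header walk above shows the reasoning on a captured message.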

Nick Johnston | 27 Sep 2011 | 0 comments

In the Symantec Intelligence blog we've covered how spammers like to conceal their actual spam sites through elaborate chains of redirects, often involving hacked or compromised sites, URL shortening sites, obfuscation techniques, or combinations of all of these.

We've recently seen spammers exploiting a vulnerability in WordPress, the popular open-source blogging software running on thousands of servers worldwide. After compromising a Web server through WordPress, the spammers place a file deep within the WordPress directory structure, presumably to avoid (or at least delay) detection. The buried file is a simple HTML page, usually containing text such as "Page loading" that is shown briefly before an HTML "meta refresh" redirects users to the spammer's "Canadian Health&Care Mall" Web site, as shown in figure 1:

<meta http-equiv="refresh" content="0; url=http://[new...
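As an added example that is not part of the original post, the following Python walks a web root looking for the buried redirect page the post describes: an HTML or PHP file whose meta refresh sends the browser to a host that is not the site's own. Results are ordered deepest first, since the post's point is that the file is hidden far down the WordPress tree, and the "Page loading" decoy text is recorded as a secondary indicator. The site's legitimate hostnames and the sample directory tree (including the planted page and its destination URL) are assumptions constructed for the example.

```python
"""Find buried meta-refresh redirect pages under a web root.
Added example; the site hosts and the sample tree below are assumptions."""
import os
import re
import tempfile
from urllib.parse import urlparse

SITE_HOSTS = {"www.example.com", "blog.example.com"}   # hosts this site legitimately uses (assumption)
SCAN_EXTENSIONS = (".html", ".htm", ".php")

# Matches the form shown in the post (http-equiv before content); a reversed attribute order
# would need a second pattern.
META_REFRESH = re.compile(
    r"<meta\s+http-equiv\s*=\s*[\"']?refresh[\"']?\s+content\s*=\s*[\"']\s*\d+\s*;\s*url\s*=\s*([^\"'\s>]+)",
    re.IGNORECASE,
)


def refresh_target(html: str):
    """URL a meta refresh in this document sends the browser to, or None if there is none."""
    m = META_REFRESH.search(html)
    return m.group(1) if m else None


def is_external(url: str) -> bool:
    """True when the redirect leaves the site's own hosts."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() not in SITE_HOSTS


def scan_tree(root: str) -> list:
    """Pages under root that redirect off-site, deepest (most 'buried') first."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                html = fh.read()
            target = refresh_target(html)
            if target and is_external(target):
                rel = os.path.relpath(path, root)
                hits.append({
                    "path": rel,
                    "url": target,
                    "depth": rel.count(os.sep),                      # directory levels below root
                    "loading_text": "page loading" in html.lower(),  # decoy text the post mentions
                })
    return sorted(hits, key=lambda h: h["depth"], reverse=True)


def build_sample_tree() -> str:
    """Constructed WordPress-like tree (not a real compromise) with one planted redirect page."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": "<?php define('WP_USE_THEMES', true); require('./wp-blog-header.php');",
        # legitimate same-site refresh, must not be flagged
        "wp-content/themes/twentyten/maintenance.html":
            '<meta http-equiv="refresh" content="5; url=http://www.example.com/">Back soon.',
        # planted page buried deep in the tree, redirecting to an assumed spam host
        "wp-includes/js/tinymce/themes/advanced/skins/default/page.html":
            '<html><body>Page loading'
            '<meta http-equiv="refresh" content="0; url=http://pharmacy.invalid/landing"></body></html>',
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(hit)
```

Run against a real install, the interesting output is any .html file under wp-includes or wp-admin at all, since WordPress core ships almost none there; comparing the file's modification time with the rest of the tree, or diffing the tree against a clean copy of the same WordPress version, narrows it further.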

Paul Wood | 19 Sep 2011 | 0 comments

The name 'Nimda' may not be the best remembered in the cyber-crime hall of fame, but as malicious worm outbreaks go, Nimda certainly left its mark on the malware landscape: it caused havoc on 18 September 2001, ten years ago.

Long before cloud-based security services were the norm, at a time when virus scanning was often performed only once a week, the Nimda worm was unleashed onto the global network exactly one week after the 9/11 atrocities. Because of that timing, some media outlets quickly speculated about a link between the worm and Al Qaeda. The FBI soon quashed the rumour, but the episode highlighted that cyber warfare can be a real threat, carefully orchestrated by sophisticated cyber gangs or even terrorists, rather than the work of script kiddies tucked away in dormitories.

The Nimda worm came hot on the heels of the “Code Red” scare in August 2001, when a variant of the original worm infected more than 250,000 machines...

Nick Johnston | 08 Sep 2011 | 0 comments

As we've covered extensively on the Symantec Intelligence blog in the past, 419 or advance fee fraud scammers are highly skilled at using current events to their advantage. Recently we have seen scams taking advantage of unrest in Libya, the devastating March 2011 earthquake in Japan, and other events.

419 or advance fee fraud works by promising the recipient a vast sum of money; before any money is paid, various (and increasingly inventive) up-front fees are demanded until the victim realises they have been duped and gives up. The promised vast sums of money never materialise.

This scam claims that the recipient has been awarded $2.5m in a lottery connected with the 2011 Rugby World Cup:

Of course, the lottery is fake. There is no lottery for the tournament, and this message is simply a scam.

The tournament starts on Friday, 9 September in New Zealand, so interest and...

Nick Johnston | 05 Sep 2011 | 0 comments

In February this year the Symantec Intelligence Blog covered how 419 or advance fee fraud scammers were using the unrest in Libya to their advantage. As we have covered extensively in the past on the blog, 419 scammers are skilled at exploiting current events: for example, they took advantage of the devastating March 2011 earthquake in Japan, as well as other natural disasters and news events.

The scam message we found in February claimed to be written by someone connected to Libya's Senussi crown, which was overthrown by Muammar al-Gaddafi in his 1969 coup d'état. Since then, we have seen several more messages, exploiting the unrest in different ways, but still following the general 419 or advance fee fraud pattern of demanding endless upfront fees from victims, with vast promised payouts never materialising.

One scam, where the scammer pleads "please read this carefully", claims to be sent by a wealthy...

Bhaskar Krishna | 10 Aug 2011 | 0 comments

Posted on behalf of Bhaskar Krishnappa

Last week Symantec Intelligence blogged about the new tactics applied by Bredolab, especially the start-code obfuscation and hack pack approach.

In the past 24 hours our e-mail scanning engine and monitoring tools have reported a huge run of Bredolab malware. The most interesting part is that our scanners have seen two different samples (MD5: f8527fc91329e282c261331303dbaa82 and MD5: ea9ad01c0e8d58c3a5cd8666568201f4) sent under different subject lines and attachment names in an attempt to sneak past mail scanning engines and spam signatures.

We also have statistics showing subject line versus message count, together with the attachment names attackers used to compose mails pretending to come from well-known parcel delivery and money transfer services.

We have seen more than 300 copies of the sample (Md5sum: f8527fc91329e282c261331303dbaa82) which is...

Lee_Rothman | 09 Aug 2011 | 0 comments

A good service level agreement (SLA) can be an effective tool for helping SaaS providers and customers manage expectations, clarify responsibilities, and objectively assess service effectiveness. A well-defined SLA clearly identifies the performance metrics and expectations that the service guarantees. In some cases, however, SLAs offer vague metrics, loose definitions and incomplete information that are open to misinterpretation.

As you consider your technology investment, keep these important considerations in mind: 

  • Put it on the wish list – Many organizations purchase technology without considering an SLA or they make it an afterthought. Make sure SLAs are included as part of your search for the right solution and are discussed up front during the decision-making process. The SLA may just be among the differentiators.
     
  • ...
| 03 Aug 2011 | 1 comment

Posted on behalf of Bhaskar Krishnappa

Symantec has blogged about the Bredolab malware in the past and about its method of infection, with the goal of raising awareness among unsuspecting users. Beyond the blog posts, Symantec has also published a research paper explaining how the malware works, why it is so widespread and the motivations behind it.

This post focuses on why this threat is still a challenge for AV vendors to comprehensively detect.

What does Bredolab bring in?

The latest Bredolab samples download and install rogue security products on the victim's machine for financial gain, as shown below in step 1 and step 2...