Emerging Threats

Security Intel ... | November 21st, 2009
A new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well. The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future.  When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors.  For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer. The exploit targets a vulnerability in the way Internet Explorer uses cascading style sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites’ content. Symantec currently detects the exploit with the Bloodhound.Exploit.129 antivirus signature and is...
0 comments
Erik_Goldoff | November 20th, 2009
Without having to constantly check the website, is there any mechanism to sign up an email address so that I can be notified whenever a new Certified Definition is released (for SEP 11x in my case)? Thanks
2 comments
Marian Merritt | November 20th, 2009
I had the honor recently of moderating a virtual roundtable discussion on the top Internet security trends from 2009 and what we expect to see in the security threat landscape in 2010. Funny thing about security predictions—you hope they won’t come true, but expect them to anyway. The roundtable featured expert panelists Paul Wood (Senior Analyst, MessageLabs Intelligence, Symantec) and Zulfikar Ramzan (Technical Director, Symantec Security Response). They each have unique insights into the world of cybercrime, spam, phishing attacks, and other cyberthreats that plague us all.   We want to give a big thanks to everyone who joined in to listen to our experts, and we hope you found it interesting. For those of you who couldn’t make it, please take a few minutes to listen to the podcast of the actual roundtable. You can read more about Symantec’s top trends from 2009 and our predictions for 2010 by clicking on the following links:   Breadth of Security...
0 comments
Paul Wood | November 19th, 2009
This post is made on behalf of my colleague Mat Nisbet, Malware Analyst for Symantec Hosted Services. As of November 18, we have noticed a huge jump in the number of spam e-mails that contain a link to Twitter. Normally there is a tiny fraction of a percent, but on November 18 it jumped to 4 percent of all spam. This new surge is entirely from the DonBot botnet.   The apparent aim of these e-mails is to get people to fall for “get rich by working at home” schemes where the victim is encouraged to pay an initial fee for a trial and then sit back and watch the cash come in. Though easily stopped by us, this new run of spam uses a number of techniques to attempt to get past basic filters. Firstly, the body of the e-mail is simply an image (of a fake newspaper article), to try and get past text-based signatures. Second, the image itself is a link to a Twitter account, an attempt to get past link signatures as Twitter is a legitimate site that couldn’t be stopped...
0 comments
jomargonzales | November 18th, 2009
Symantec must develop virus signatures that recover the original registry stored in the PC. Almost all threats change the registry, which makes it very tedious for IT personnel to restore the original registry setup.
0 comments
Eric Chien | November 18th, 2009
Zeus is a botnet package that allows for the easy creation and command and control of a botnet.  We've discussed Zeus previously in Zeus, King of the Underground Crimeware Toolkits. The main purpose of Zeus is to steal online credentials such as online banking passwords, but it can be configured to steal passwords from any online site.  Today, the BBC is reporting that police in the UK have arrested two suspects in relation to Zeus. While the details are preliminary, the two likely appear to be users of the Zeus botnet package rather than the actual creators, and thus the prevalence and usage of Zeus is likely to continue. We've created a research paper providing more in-depth information on Zeus, including how the bot is created, what functionality it has, and additional screenshots on the Zeus command and control server.  You can find the paper here: Zeus: King of Bots
0 comments
Paul Wood | November 18th, 2009
This week I had the pleasure of sitting on a panel with some of the best and the brightest among my Symantec colleagues to reflect on 2009’s threat landscape and what we anticipate for the year ahead. We concurred that what we’ve seen this year was ugly. Botnets prevailed and took over as a primary means of spamming and spreading malware and social engineering attacks became more sophisticated. But what we also know is that this year pales in comparison to what 2010 is expected to bring: fast flux botnets will dominate, IM spam will rear its head, rogue security software vendors will up their game, fraud targeted at social networking apps will grow, new CAPTCHA bypass techniques will emerge... to name a few. That’s the bad news. The good news is that with a bit of preparation and the right security solutions in place, we can continue to outsmart the bad guys. So without further ado, I present to you Symantec’s 2010 Security Predictions. 2010 Security...
1 comment
timbo | November 18th, 2009
Hi people, I'm going to throw a wobbler because I feel this is getting serious now. I'm currently running SEP MR4. Yesterday I had a call from a user regarding the Symantec email notification popup. When I investigated the problem it seemed that the machine had a virus (an email virus). So I used the SEP client and did a scan which found 'NOTHING', I repeat 'NOTHING'. I felt that there was a virus causing this, so I downloaded MalwareBytes Antispyware software and installed it. I couldn't believe it; it found a mixture of 15 viruses and spyware, of which NONE were picked up using the SEP client. Only when the MalwareBytes engine started to disinfect the files did the Symantec client detect there was a problem and flag the file. Now I'm no brain surgeon, but I'm sure that antivirus is supposed to catch the virus BEFORE it gets installed, or at least warn you. Does this not apply to SEP? What I suggest to all of you out there is to check your machines because this isn'...
14 comments
MarissaVicario | November 17th, 2009
Posted on behalf of Paul Wood This week I had the pleasure of sitting on a panel with some of the best and the brightest among my Symantec colleagues to reflect on 2009’s threat landscape and what we anticipate for the year ahead. We concur that what we’ve seen this year was ugly. Botnets prevailed and took over as a primary means of spamming and spreading malware and social engineering attacks became more sophisticated. But what we also know is that this year pales in comparison to what 2010 is expected to bring: fast flux botnets will dominate, IM spam will rear its head, rogue security software vendors will up their game, fraud targeted at social networking apps will grow, new CAPTCHA bypass techniques will emerge... to name a few. That’s the bad news. The good news is that with a bit of preparation and the right security solutions in place, we can continue to outsmart the bad guys. So without further ado, I present to you Symantec’s 2010 Security...
0 comments
Hon Lau | November 16th, 2009
When trawling the Web today we came across a website that has been compromised and rigged so that it is returned in search engine results for many different search terms. The site in question belongs to a UK-based company that specializes in hiring out holiday homes and is a legitimate business. However, the site has been compromised and is being used in a major ongoing SEO-based misleading applications attack, and has been for some time now. As you can see in the sample search results below, you may wonder what college football, a Ukraine vs. Greece soccer match, Penn State basketball, and Robin Williams have to do with renting a holiday home—and with good reason, too. The key to identifying malicious pages in the search results is looking for the string “okps.php” in the URL. If you see that string anywhere in the URL, avoid it like the plague. Your computer and sanity will thank you for that. The interesting thing, according to the search, is that there are over...
0 comments
shp | November 12th, 2009
I would like to add an idea about the online status of users in Symantec Connect. It would be good to see a status icon (small bubble) beside the user's avatar, like green for online, orange for inactive, etc. It would make it easy for us to know a person's availability and PM them.
2 comments
Symantec Securi... | November 11th, 2009
The first iPhone worm, known as iPhoneOS.Ikee, recently hit the news everywhere. The purpose of this worm was to show that jailbroken iPhones had a flaw that could be easily exploited. The consequences of this worm were minor since the author decided to simply Rickroll users who became victims of this attack. However, there were many warnings that the publicly released code could easily be altered so that consequences were not so benign. Given the implications—and this being a hot topic—reports are surfacing about a hacktool that can be used to attack jailbroken iPhones. This tool is taking advantage of the same default SSH password that iPhoneOS.Ikee does, but put plainly, this is not another worm. We’re looking at a hacktool that is installed on an attacking computer, not on the iPhone. It allows an attacker to scan a network and then attempt to log in to devices using the iPhone’s default SSH password. If it finds a jailbroken iPhone with the default...
0 comments
Naor Penso | November 11th, 2009
Today, you can define how deep the anti-virus goes inside a zip file (up to X levels), but if the zip is nested inside a larger number of zips then the anti-virus passes it along as if it is OK, and it could be malicious (refer to en.wikipedia.org/wiki/Zip_bomb for example). I want to be alerted when a file is zipped more than X times (could be 10, could be 100), and I want to be able to block zip files that are zipped more than X times. It's a serious threat that isn't dealt with by any security company. It could also apply to Vontu DLP with its file scanning engine (it could be a way to extract confidential data outside the organization). It could also apply to Brightmail when it receives malicious mails. Hope to see it soon. Thanks.
1 comment
Nicolas Falliere | November 10th, 2009
Trojan.Clampi is an interesting threat, which we described in many blog entries over the past month. We’ve now compiled these entries, along with some new material, into a research paper—Inside the Jaws of Trojan.Clampi. In a nutshell, Clampi is an Infostealer threat. Its executable can be seen as a host for separate modules, containing the real payloads of the threat. These modules are heavily protected from reverse-engineering as well. The functionalities range from banking-site password stealing, to local credential gathering, to a SOCKS proxy. The communication with Clampi’s command & control servers, the “Gates”, uses HTTP and is encrypted. Clampi spawns and uses an Internet Explorer instance as an API proxy to achieve network communication, bypassing firewalls along the way. One thing we mentioned in passing in the blog entries is that the main executable and the modules are protected from reverse-engineering by VMProtect, a commercial packer...
0 comments
Bijay.Swain | November 9th, 2009
There is a virus which Symantec is not detecting, but I know the filename and location of the file, which is the same on all infected computers. Now I want to quarantine that file, which I can do by adding the file to quarantine manually on the client, but can I create a policy on my SEPM console so that all clients will quarantine that file at once, so that the virus can't damage our network any more?
3 comments
Symantec Securi... | November 9th, 2009
On the heels of a similar iPhone attack by a Dutch teenager, an Australian hacker (using the same technique) has written the first iPhone worm for jailbroken iPhones. The worm has been dubbed “Ikee” and uses the default SSH password of jailbroken iPhones to log in and spread. Please note that this worm does not impact iPhones that have not been jailbroken. Many users who have jailbroken their iPhones in order to customize them have not changed their SSH password, allowing others to log in to their phone. In the case of Ikee, the worm scans random IP ranges and also specifically targets Optus, Vodafone, and Telstra's IP ranges, which are the common telephony providers in Australia. Once a vulnerable iPhone is found, the worm changes the wallpaper to a picture of Rick Astley (a prank known as Rickrolling), deletes the SSH daemon, and begins scanning the network for other vulnerable phones. Note that some of these telephony networks use NAT (network address translation)...
0 comments
Day7Theory | November 6th, 2009
It reads "Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer". I've done a few tracert reports and didn't see any alarm there. I am also on a wireless network, and my question is: could this be the network I'm on "bridging", trying to find my IP address, causing the message above? And should this be any cause for alarm?
4 comments
Peter Coogan | November 4th, 2009
The Fragus exploit pack showed up on our radar a few months ago and has been steadily growing to become one of the most prevalent exploit packs being seen in the wild today by Symantec. It is similar to other popular exploit packs available—such as Unique, YES, Eleonore, and Liberty—but it brings some new and interesting features with it. Exploit packages are generally designed as a means to allow attackers to group and serve exploits from their website against the browsers of unsuspecting visitors. It is done in a nice GUI form, hosted on a Web server, and allows the attacker to generally choose which exploits to run. Once exploited, a final payload is served to the system. All of this is dished up in a control panel with some nice statistics on how successful the campaign has been. Figure 1. The authors of Fragus stick to this formula, but in addition have employed the use of a legitimate software protection tool known as ionCube PHP Encoder to protect...
0 comments
Bijay.Swain | November 4th, 2009
Proactive Threat Protection needs more improvements, as it is doing almost nothing. It should detect based on the behaviour of a file. Currently Symantec is only depending upon signatures. Now virus writers are easily corrupting SEP and it can't even save itself. SEP is failing to save itself also. A small program enters and easily destroys SEP in a system. Symantec should include some technology to protect all its files which are created during installation.
0 comments
Ben Nahorney | November 3rd, 2009
Threats targeting the Macintosh platform are much less common than those targeting Windows. The same can be said about video games, where Windows is the dominant platform of the two. Combining games and malware has happened before, but a Mac game performing malicious activities? That’s something relatively new. Takashi Katsuki, one of our Tokyo engineers, came across just that today. The game looks to be a throwback to the classic Space Invaders/Galaga style of games from the early 1980s. However, what brings this game into the realm of malicious code is that for every alien ship you destroy, the game deletes a file from your home directory. What’s interesting is that the author of this “game” flat-out says what it does on his Web site. Reading through the author’s description, it seems that he has created this game/threat as some sort of artistic project. The aliens are your files and there are consequences for “killing” them. However...
0 comments
Anshuman | November 1st, 2009
I was not able to find information on the idea below; I am sorry if someone has already put up this idea. There are several types of intrusion events that happen in a network. Most of the time an administrator is willing to receive e-mail alerts only for major IPS events (major IPS events like RPC/SQL Slammer). We were looking into whether e-mail alerts for specific signatures could be enabled, but SEPM doesn’t support configuring alerts only for specific signatures. The alerts for all IPS events can be either enabled or disabled; no customization is available in this area. It would be great if we could have the ability to get alerts for specific IPS events. Also, the following options in e-mail alerts would help: 1. A threshold setting for alerts. The threshold setting would have options like (a specific number of alerts for specific IPS events in the last 24 hrs). 2. E-mail alerts should also have a web link at the bottom of the mail which will direct the administrator directly to the...
0 comments
Andrea Lelli | October 31st, 2009
Sure we have heard a lot about bots and botnets. One key component of a botnet is the command-and-control (C&C) server, which as we know can come in several flavours (IRC, Web pages, newsgroups, custom servers, etc.). Yet, here comes Trojan.Whitewell, which, being tired of old C&C channels, decides to pick up Facebook as a coordinator for the C&C server. I use the word “coordinator” because the Trojan only receives some configuration data from its Facebook account—the actual command execution and data reporting is done through a third party Web server. The Trojan was sent through a popular malware distribution channel that is also related to other prevalent threats such as Trojan.Bredolab. The distribution technique is pretty simple: they send documents (PDF, or MS Office formats) containing exploits for known vulnerabilities. These documents usually mimic legitimate names, such as well known courier companies; or they plagiarize topics regarding the...
0 comments
AmandaCF | October 30th, 2009
I have continued to receive the blue screen crash every time I start my computer. About 7 months after installing Norton 360, I began having the blue screen crash. Is it possible that my Norton product is causing that? Also, around the same time period before the crash, I installed Windows security updates and the Internet Explorer 8 update. Is it possible that these things are causing this problem? I have attached a detailed description that I got from the blue screen crash. If anyone has an answer to this or a solution, please let me know. Also, if you are replying back, please tell me the information in the simplest form; I sometimes do not understand all of this computer stuff.
1 comment
mgrajendra.mgr | October 30th, 2009
We have SEPM MR4 MP1 in our office. This console has not been updating since 14 Oct 2009. When I tried to update it, it gave the error "replication issues  Symantec Connect".
2 comments
Shunichi Imano | October 29th, 2009
Symantec Security Response has become aware of a Trojan Horse we detect as Trojan.Ramvicrype. The Trojan uses the RC4 algorithm to encrypt files on compromised computers, rendering them unusable. Presence of files with a .vicrypt extension is a sure-fire sign of infection. Trojan.Ramvicrype is a little different from most other Ransomware programs we’ve seen in the past. Typically these kinds of threats display a message prompting users to visit a certain Web page or email a specific address. Users will end up paying the online criminals in exchange for keys that can be used to unlock the computer or decrypt the encrypted files. Previously posted blogs on the subject of Ransomware can be found at: The Key(generator) to the SMS Ransomware Threat SMS Ransomware Threat In contrast to the above threats, Trojan.Ramvicrype does not make a direct demand for cash in return for keys. How are they making their money here? It turns out that entering the term ‘vicrypt’ into a...
0 comments