Malicious Code

metalplane | November 21st, 2009
I recently received a virus warning that I am infected with the Pidief.F Trojan. I followed the removal instructions that asked me to remove a number of Registry entries. I could not find any of them, even with the "Find", searching the entire registry file. I am using XP and System Works 2006. Everything has been updated. How can I tell what's triggering the warning, and are there variants I should be looking for in the registry?
1 comment
Marian Merritt | November 20th, 2009
I had the honor recently of moderating a virtual roundtable discussion on the top Internet security trends from 2009 and what we expect to see in the security threat landscape in 2010. Funny thing about security predictions—you hope they won’t come true, but expect them to anyway. The roundtable featured expert panelists Paul Wood (Senior Analyst, MessageLabs Intelligence, Symantec) and Zulfikar Ramzan (Technical Director, Symantec Security Response). They each have unique insights into the world of cybercrime, spam, phishing attacks, and other cyberthreats that plague us all. We want to give a big thanks to everyone who joined in to listen to our experts, and we hope you found it interesting. For those of you who couldn’t make it, please take a few minutes to listen to the podcast of the actual roundtable. You can read more about Symantec’s top trends from 2009 and our predictions for 2010 by clicking on the following links: Breadth of Security...
0 comments
Mayur Kulkarni | November 19th, 2009
We are monitoring new malicious attacks that look similar to the fake "Microsoft Outlook reconfigure" spam campaign messages we have been observing for the last couple of months. That malicious campaign was followed by attacks on social networking sites, transforming from malicious code attacks into URL-based phishing attacks. These new attacks have similar traits, such as the spoofed “From” headers, which aggressively target and baffle enterprise users, and a subject line that is intended to cause panic (for obvious reasons—have a look at the example image below). As seen in the message above, the mail attachment is a zipped file named “utility.zip” that extracts an executable detected as Trojan.Dropper by Symantec antivirus. Using HTTP, this threat contacts a known C&C server for Zeus/Zbot in Ukraine. (The Zeus/Zbot family of threats is known to distribute malware using attachments and URLs in spam campaigns.) These attacks seem to be...
0 comments
jomargonzales | November 18th, 2009
Symantec must develop virus signatures that recover the original registry stored on the PC. Almost all threats change the registry, which makes it very tedious for IT personnel to restore the original registry setup.
0 comments
Eric Chien | November 18th, 2009
Zeus is a botnet package that allows for the easy creation and command and control of a botnet. We've discussed Zeus previously in Zeus, King of the Underground Crimeware Toolkits. The main purpose of Zeus is to steal online credentials such as online banking passwords, but it can be configured to steal passwords from any online site. Today, the BBC is reporting that police in the UK have arrested two suspects in relation to Zeus. While the details are preliminary, the two likely appear to be users of the Zeus botnet package rather than the actual creators, and thus the prevalence and usage of Zeus is likely to continue. We've created a research paper providing more in-depth information on Zeus, including how the bot is created, what functionality it has, and additional screenshots on the Zeus command and control server. You can find the paper here: Zeus: King of Bots
0 comments
timbo | November 18th, 2009
Hi people, I'm going to throw a wobbler because I feel this is getting serious now. I'm currently running SEP MR4. Yesterday I had a call from a user regarding the Symantec email notification popup. When I investigated the problem it seemed that the machine had a virus (an email virus). So I used the SEP client and did a scan which found 'NOTHING', I repeat 'NOTHING'. I felt that there was a virus causing this so I downloaded MalwareBytes Antispyware software and installed it. I couldn’t believe it: it found a mixture of 15 viruses and spyware, of which NONE were picked up using the SEP client. Only when the MalwareBytes engine started to disinfect the files did the Symantec client detect there was a problem and flag the file. Now I'm no brain surgeon, but I’m sure that antivirus is supposed to catch the virus BEFORE it gets installed, or at least warn you. Does this not apply to SEP? What I suggest to all of you out there is to check your machines because this isn’...
14 comments
Andy Chow | November 17th, 2009
Hi, take a look at this link: http://itknowledgeexchange.techtarget.com/network-technologies/don%E2%80%99t-panic-whenever-you-ip-4-dupaddr-duplicate-address-error-log-in-your-cisco-6500-switches-running-hsrp/ Does anyone have an idea what kind of malware this is? Has Symantec encountered this type of malware before? Are there any specific signatures from Symantec that can detect this type of threat? Thanks in advance. ~Andy Chow
1 comment
Kevin Haley | November 17th, 2009
Yes, it’s a cheap trick and not even close to original. But the lesson here is that even obvious social engineering tricks can get people to click on a link. We can’t help ourselves. We love to click. Clicking on links and attachments that are accompanied by just the slightest bit of social engineering appears to be a basic human need. I expect it to show up in a revision of Maslow’s Hierarchy of Human Needs any day now—behind love, but certainly ahead of safety. I do have a point to all this. Two actually. As we compiled the Security Trends to Watch in 2010, what occurred to me is that the people who most needed to read this information never will. At least not without some social engineering on my part. And since social engineering plays such a prominent role in future trends, it seemed appropriate. So I’ve decided to use this little trick to get people to read the list of trends below. So… Don’t read this if you think antivirus technology...
0 comments
Kevin Haley | November 17th, 2009
The Security Response team has compiled the top security trends of 2009. We pulled data from the Global Intelligence Network and the experiences of the thousands of analysts and security experts at Symantec to come up with the top trends for the year. While none of these trends will be a surprise to anyone even casually following the threat landscape, when compiled and summarized, it is clear that the breadth of security problems in the past year was pretty stunning. For example:
• Toolkits and threat recycling have made malware easier to create than ever
• Polymorphic technology is being applied to make threats harder to catch
• Botnets, large and small, are used as the foundation of attacks making most attacks complex
• All major news events are used for social engineering
• Major brands are being appropriated by cybercriminals to lure online victims
But, it’s the...
0 comments
MFishman | November 17th, 2009
I am getting messages from SAV 10.x saying that a virus was found, but it reports the risk discovered by "Unknown" (not prefixed by Heuristic, etc.). So who did indeed catch this one?
4 comments
Liam O Murchu | November 16th, 2009
Finally, some help with explaining Internet security to my non-geek friends! The Guide to Scary Internet Stuff video series will hopefully make my life a little easier. Explaining the intricacies of Internet security is a challenging task. I often have difficulty explaining to my non-technical friends and relatives why they need to know about risks on the Internet. On top of that, I sometimes discover that my advice has fallen on deaf ears as I inevitably fix their computers after a click on a spam or phishing link, or after they have not run Windows Update or updated their antivirus software in a while. Although this is not the normal technical type of material that we post here on the Security Response blog, when Dominic Cook from our UK PR team showed me these, I immediately thought they were worth a post. The animations are fun, but most of all I think my friends will understand them, remember some of the advice, and hopefully be safer online after watching them—although...
0 comments
Hon Lau | November 16th, 2009
When trawling the Web today we came across a website that has been compromised and rigged so that it is returned in search engine results for many different search terms. The site in question belongs to a UK-based company that specializes in hiring out holiday homes and is a legitimate business. However, the site has been compromised and is being used in a major ongoing SEO-based misleading applications attack, and has been for some time now. As you can see in the sample search results below, you may wonder what college football, a Ukraine vs. Greece soccer match, Penn State basketball, and Robin Williams have to do with renting a holiday home—and with good reason, too. The key to identifying malicious pages in the search results is looking for the string “okps.php” in the URL. If you see that string anywhere in the URL, avoid it like the plague. Your computer and sanity will thank you for that. The interesting thing, according to the search, is that there are over...
0 comments
shp | November 12th, 2009
I would like to add an idea about the online status of users in Symantec Connect. It would be good to see a status icon (a small bubble) beside the user's virtual face (avatar), like green for online, orange for inactive, etc. It would make it easy for us to know a person's availability and PM them.
2 comments
Symantec Securi... | November 11th, 2009
The first iPhone worm, known as iPhoneOS.Ikee, recently hit the news everywhere. The purpose of this worm was to show that jailbroken iPhones had a flaw that could be easily exploited. The consequences of this worm were minor since the author decided to simply Rickroll users who became victims of this attack. However, there were many warnings that the publicly released code could easily be altered so that consequences were not so benign. Given the implications—and this being a hot topic—reports are surfacing about a hacktool that can be used to attack jailbroken iPhones. This tool is taking advantage of the same default SSH password that iPhoneOS.Ikee does, but put plainly, this is not another worm. We’re looking at a hacktool that is installed on an attacking computer, not on the iPhone. It allows an attacker to scan a network and then attempt to log in to devices using the iPhone’s default SSH password. If it finds a jailbroken iPhone with the default...
0 comments
Vikram Kumar-SA... | November 11th, 2009
I have attached the Firewall and Application Control policy "Policy to Block Peer to Peer Applications" as per this article: https://www-secure.symantec.com/connect/articles/what-do-p2p-applications-do-and-how-block-peer-peer-applications-p2p-using-symantec-endpoin Import the policy from your Symantec Endpoint Protection Manager and assign it to the groups you want. Note: The default template has been taken for both policies; the only addition is that a new firewall rule was added for P2P applications, and "Block Application from running" has been modified to block P2P applications.
2 comments
Happytohelp | November 10th, 2009
Hi, I get a lot of IE pop-ups if the computer is kept idle for a long time. I have run loadpoint and checked everything. I have also submitted some files; they came up as clean. There is nothing in msconfig. I have also removed all the Browser Helper Objects; still the same. Tried some other antivirus software; still the same. Please let me know if anyone has faced this issue or if you know how to fix this.
0 comments
Nicolas Falliere | November 10th, 2009
Trojan.Clampi is an interesting threat, which we described in many blog entries over the past month. We’ve now compiled these entries, along with some new material, into a research paper—Inside the Jaws of Trojan.Clampi. In a nutshell, Clampi is an Infostealer threat. Its executable can be seen as a host for separate modules, containing the real payloads of the threat. These modules are heavily protected from reverse-engineering as well. The functionalities range from banking-site password stealing, to local credential gathering, to a SOCKS proxy. The communication with Clampi’s command & control servers, the “Gates”, uses HTTP and is encrypted. Clampi spawns and uses an Internet Explorer instance as an API proxy to achieve network communication, bypassing firewalls along the way. One thing we mentioned in passing in the blog entries is that the main executable and the modules are protected from reverse-engineering by VMProtect, a commercial packer...
0 comments
Bijay.Swain | November 10th, 2009
Who has done a migration from Kaspersky/Trend Micro/McAfee to SEP? I need this information along with company info.
16 comments
EMachado | November 10th, 2009
Hello. I'm having some problems with infections by the W32.Feberr worm. It seems that SEP doesn't fully remove this worm. The removal process on the virus details page only says to update the virus definitions and run a full scan. That doesn't work. It detects the infected files (mostly .tmp files in the user profile temp folder) and moves them to quarantine. Some days later the virus infection is there again. I want to know if there is any other procedure or a removal tool that fully removes this virus. Thanks for the help.
7 comments
Bijay.Swain | November 9th, 2009
There is a virus which Symantec is not detecting, but I know the filename and location of the file, which is the same on all infected computers. Now I want to quarantine that file, which I can do by adding the file to quarantine manually on the client. But can I create a policy on my SEPM console so that all clients will quarantine that file at once, so that the virus can't damage our network any more?
3 comments
Symantec Securi... | November 9th, 2009
On the heels of a similar iPhone attack by a Dutch teenager, an Australian hacker (using the same technique) has written the first iPhone worm for jailbroken iPhones. The worm has been dubbed “Ikee” and uses the default SSH password of jailbroken iPhones to log in and spread. Please note that this worm does not impact iPhones that have not been jailbroken. Many users who have jailbroken their iPhones in order to customize them have not changed their SSH password, allowing others to log in to their phone. In the case of Ikee, the worm scans random IP ranges and also specifically targets Optus, Vodafone, and Telstra's IP ranges, which are the common telephony providers in Australia. Once a vulnerable iPhone is found, the worm changes the wallpaper to a picture of Rick Astley (a prank known as Rickrolling), deletes the SSH daemon, and begins scanning the network for other vulnerable phones. Note that some of these telephony networks use NAT (network address translation)...
0 comments
PHXX | November 9th, 2009
I have one machine on the network that keeps getting detections for Trojan Horse Viral (risk type). It keeps finding them in the user's Local Settings\Temp directory, or does it create them there? There seems to be no other information regarding this virus, as to what Trojan it is or any other info. I do full scans and then delete everything in the temp directory, but it seems to come back the next time I do another full scan. (I have turned off System Restore and done scans.) Is there any way to find out specifically what Trojan this is, or a suggestion for removing it? Symantec Endpoint Protection Small Business Edition, Risk Type - Trojan Horse Viral. c:\Documents and Settings\myuser\Local Settings\Temp\DWHA85A.tmp
1 comment
hrsand | November 6th, 2009
All week I've been fighting with a persistent pop-up that's been accompanying repeated "Packaged Generic 214" and "Trojan Vundo" blocks by my SEP. I've enabled multiple pop-up blockers, tried Firefox and IE 8, and have scanned numerous times in safe mode, in regular mode, with System Restore turned on and turned off (per advice from the link in the SEP Antivirus Protection Log PDF attached). Anyone else have this experience? Any advice on how to resolve it? TIA!
9 comments
Peter Coogan | November 4th, 2009
The Fragus exploit pack showed up on our radar a few months ago and has been steadily growing to become one of the most prevalent exploit packs being seen in the wild today by Symantec. It is similar to other popular exploit packs available—such as Unique, YES, Eleonore, and Liberty—but it brings some new and interesting features with it. Exploit packages are generally designed as a means to allow attackers to group and serve exploits from their website against the browsers of unsuspecting visitors. It is done in a nice GUI form, hosted on a Web server, and allows the attacker to generally choose which exploits to run. Once exploited, a final payload is served to the system. All of this is dished up in a control panel with some nice statistics on how successful the campaign has been.
[Figure 1.]
The authors of Fragus stick to this formula, but in addition have employed the use of a legitimate software protection tool known as ionCube PHP Encoder to protect...
0 comments
Bijay.Swain | November 4th, 2009
Proactive Threat Protection needs more improvements, as it is doing almost nothing. It should detect based on the behaviour of a file. Currently Symantec is only depending upon signatures. Now virus writers are easily corrupting SEP and it can't even save itself. SEP is failing to save itself also. A small program enters and easily destroys SEP on a system. Symantec should include some technology to protect all its files which are created during installation.
0 comments