August 24, 2010 - Strange stories of celebrities' deaths resulting from plane crashes or car accidents have suddenly erupted in the spam ring. The intention of distributing such false news is to spread viruses using HTML or zipped attachments. This is one more in (continue reading...)
August 19, 2010 - In the past couple of months, Symantec has observed phishing attacks on legitimate automotive sales brands that are based in the UK and the USA. These brands help customers to sell new and used vehicles such as cars, motorbikes, etc. (continue reading...)
August 18, 2010 - It's fairly well known that different types of malware can "kill" security products in various ways. These kinds of malware are known as retroviruses. In order to step things up a notch, some risks are utilizing legitimate software uninstallers (continue reading...)
August 17, 2010 - In a typical 419 scam message, we usually see lottery winning notifications, mentions of next of kin, or fake business offers. Often we observe spammers creating fake stories tying in with disasters or news linked to users' emotions. In a (continue reading...)
August 16, 2010 - Symantec has recently observed phishing websites spoofing courier service brands. There were primarily three brands targeted and fraudsters were attempting to steal customers’ login credentials. So what’s in the login credentials of courier service brands that fraudsters can take advantage of? (continue reading...)
August 16, 2010 - A few days ago we came across an interesting application in the Android Market, which we’ve decided to detect as AndroidOS.Tapsnake. Why are we detecting this? A cursory read through the description doesn’t tell us much, other than it’s (continue reading...)
August 14, 2010 - We have seen many threats that spread to other computers by using file-sharing applications. Typically, such threats scan the compromised computer for the shared folders of these programs and, if found, copy themselves into those folders under names that mimic commonly used search terms (popular pirated software, games, cracks, and so on). W32.Changeup does not scan for existing file-sharing applications and behaves differently from the norm: it actually installs the well-known application eMule and uses it to share itself under tens of thousands of file names that mimic terms users commonly search for. Let's take a closer look. Infection: There are several ways Changeup can get onto a computer. So far it has been observed exploiting the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability, spreading via removable drives and network drives, and being downloaded unknowingly from P2P applications (for details on the characteristics of W32.Changeup, see our earlier blog post). Usually a very small executable arrives on the computer first, and this executable connects to the Changeup C&C server to download the main payload (notably threats from the Backdoor.Tidserv, Downloader.Harnig, and Trojan.FakeAV families). Sharing: Even once the main payload has arrived, no window is displayed and there is no visible sign that the threat is active. The process list, however, reveals what is going on. Image 1: The main payload has been installed and eMule is running silently. The threat is installed silently and eMule is launched. A look at the folder holding the shared files makes it obvious what this threat is trying to do. (continue reading...)
August 13, 2010 - We have seen many threats that use file-sharing applications in order to spread to other computers. Typically these threats would scan a compromised computer for the shared folders of these programs, and if found would copy themselves into those folders (continue reading...)
August 13, 2010 - Symantec Security Response is currently monitoring a wave of email spam that contains a threat detected by Symantec as Trojan.Zbot. This Trojan arrives as a zip attachment in an email that purports to contain a legitimate attachment, such as (continue reading...)
August 13, 2010 - Following an industry conference, I find it a good practice for me to reflect back on what I learned and observed and see how I can apply it to my current work. At the conference there is so much to (continue reading...)
August 11, 2010 - We all know spammers follow holidays and news events closely, given that spam volumes always increase before upcoming events. In the Chinese culture there are a lot of holidays based on the lunar calendar and various traditions. The most recent (continue reading...)
August 10, 2010 - Hello and welcome to this month’s blog on the Microsoft patch releases. This month’s release is the largest bulletin count since the start of the Patch Tuesday program, and a tie for the largest number of vulnerabilities addressed—the vendor is (continue reading...)
August 9, 2010 - In August 2010, Symantec observed phishing websites spoofing a social networking brand that was linked to the film “High School Musical.” Typically, phishing sites are created to appear identical to the original website so that end users will find it (continue reading...)
August 9, 2010 - In August 2010, Symantec observed a phishing website that targeted Facebook login credentials, which claimed to provide security to Facebook users. The page was not imitating the legitimate Facebook website, but appeared to be an alternate website that provided this (continue reading...)
August 9, 2010 - Last year I wrote a blog entry entitled The Fight Against Malicious PDFs Using the ASCII85Decode Filter, which is about a threat that uses the ASCII85Decode filter to hide itself. Since that time, some Adobe Reader vulnerabilities have been (continue reading...)
August 9, 2010 - Symantec recently observed a phishing website spoofing an e-commerce brand’s live support website. Many legitimate brands make use of this facility, in which customers interact with support representatives by chatting online to resolve any issues with the brand’s products or (continue reading...)
August 9, 2010 - A few months ago, I described the features of W32.Sality in these two blog entries. This well-known virus propagates by infecting Windows executable files. Infected computers also make up a fully decentralized peer-to-peer network, which is used to (continue reading...)
August 6, 2010 - As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can (continue reading...)
August 5, 2010 - July 2010 was the month for phishing attacks on Indian banks. A three percent increase in phishing attacks on Indian banks from the previous month has been observed. In particular, Symantec has observed phishing websites that spoofed the Oriental Bank (continue reading...)
August 5, 2010 - Who would have thought that in 2010 we would have an attack based on—wait for it—sneakernet. The latest high-profile example of this is W32.Stuxnet. In the hoopla over some of the racier aspects of Stuxnet, this part (continue reading...)