Super, SMShing, great!
Do you know what ‘SMShing’ is? In all probability you will not, but it is something that could enter the mainstream vocabulary soon. It stands for ‘SMS phishing’ and occurs when you receive an SMS message that is purportedly from a reputable source, such as your bank, asking for personal details. It has been around for some time, but thankfully has not yet caught on to anywhere near the extent of its cousin, phishing. The scam follows this approach: your bank, supposedly, urgently contacts you via SMS and you are given a telephone number on which to contact them. When you call the number you get a recorded message asking you for details such as your debit card number, PIN code, etc. Once you enter those details, the message thanks you and you are then disconnected.
Colleagues at Symantec Security Response have written up a very interesting anatomy of a SMShing attack and have also posted an audio file of a real SMShing attempt – please follow this link to it. As they say, to be forewarned is to be forearmed.
Koobface continues to mutate in the search for dollars
We have detected yet another variant of the Koobface worm. This variant, detected as W32.Koobface.C, installs the misleading application detected as AntiVirus2008, and is propagating on Twitter.
Now, this worm is not new, since it was discovered last year in August 2008, but it has come back again to spread on Twitter. Response analysis and investigation into this attack has confirmed that this new version of Koobface contains functionality to search for users who have Twitter accounts. If Koobface finds a suitable user (by searching for Twitter cookies), it contacts a command and control server, which then sends down a version of Koobface that contains functionality to log into Twitter and add a tweet to the victim’s account. We also believe that it looks for cookies for other social networking sites.
When a user clicks the link in that tweet, they are redirected to a fake video web site, which then asks them to download a codec to watch the video. This codec is a copy of W32.Koobface.A, and this in turn downloads the misleading application detected as AntiVirus2008. So, at the end of the day, the guys that are peddling this attack are trying to see if they can make money on the back of it.
What you can do to protect yourself is to be careful what you click on – we advise Twitter users to avoid clicking URLs in tweets, especially if the tweet advertises a home video. Additionally, arm yourself with strong and updated security software to catch and prevent malware from downloading.
The birth of the ‘zombie’ phone?
Symantec Security Response have noted and written on an SMS-based worm that promises the recipient ‘sexy’ pictures. The malware is a variant of a threat originally identified as SymbOS.Exy. The threat works hard to stealth itself onto the ‘phone and, as such, also has a number of defence mechanisms to ensure that it continues to run.
The original SymbOS.Exy was for the most part targeting mobile phone users in China. The new variant of the threat is now also being distributed in English. What this threat currently does is gather information from the ‘phone and send it to predetermined addresses, in addition to spamming other phones via SMS. Given the ability of the threat to propagate effectively and also to ‘dial home’ for further instructions, it has led to some speculation as to whether this lays the foundation for the birth of the SMS botnet.
Let the games begin!
As I flew back into London the other evening, from the window of the ‘plane, to my surprise and delight, I could see the outline of the Olympic stadium. Preparations seem to be well in hand and on track, which is good news. ‘The Guardian’ also points out that preparations are also underway in the virtual world, as criminal networks and cyber-criminals look to see how they can exploit the London games. The Olympics in Beijing clearly showed just how a global event like the Olympics can be alluring and lucrative to the cyber-criminal fraternity.
The UK law enforcement agencies are also turning their attention to this, with the Metropolitan police already having established a specialist team to examine the threat of electronic and internet attacks on the 2012 Olympic games. It would also appear that they have detected some ‘precursor’ activity, with companies being set up in what they believe are false names in anticipation of fraud and other types of criminal activity during the run-up to the Olympics.
A month of insights?
A group of security researchers have declared that they will use the month of July to list, or is that ‘out’, security holes in Twitter. They justify it as an attempt to get Twitter to move more quickly to improve security. To be fair to Twitter, they do recognize the issue and have been active in closing any ‘holes’. At the same time, they are trying to hire security developers into the company, if postings on recruitment sites are to be believed.
When they created Twitter, I am far from sure that the founders could have predicted just how quickly and widely it would be used and adopted. It is therefore hard to foresee security issues given this context. The month of bugs is effective in bringing focus and coverage to the issue. As to whether it makes the application safer, this will depend on how quickly and effectively the ‘holes’ are attended to. Importantly, in the medium term we need to see how it influences the development and testing of future applications.
In the meantime, what does this mean for us as users of the service? Well, firstly it does remind us that we do need to be mindful of security. The bad guys follow the crowds, and they are flocking to micro-blogging sites like Twitter. You need to ensure that your security product is updated (we are releasing a steady stream of definitions and updates that help mitigate the ‘holes’). Install Windows updates and the updates from the key application software providers. And be careful of the links sent to you in Twitter. Short-form URLs bring with them convenience, but they can be equally convenient for the bad guys.
What Malware can teach Spam
The world of spam shows an ‘ebb and flow’ pattern. New techniques to evade spam filters arrive, drive an increase in spam, the anti-spam tools react to it and the level and effectiveness falls back to a ‘normal’. Google have been commenting that, maybe, the spammers are running out of new and original ideas. The second quarter of 2009 saw a substantial 53 per cent increase in average spam levels from the first quarter. However, Google said in a blog post that many of the new attacks were simple rehashes of attacks that occurred in the past.
We ourselves have noticed in the past few months the re-emergence of some old tactics, notably image spam. There is nothing revelatory in the application of old techniques and their refurbishment and use in a new context. This is an area wherein spam and malware show similarities. In the world of malware, if an attack found itself to be successful, we would see it being reused or adapted to extend its usefulness; the ‘Storm’ trojan is a good recent example of this. Every other month, it seemed that there was a ‘new’ variant of it that kept it alive – over two years down the line it was still going. Even ‘Conficker’ morphed and changed over the months to help prolong itself. In terms of old techniques being reused, Conficker borrowed from the worms of the past that made use of floppy disks and reapplied this in the form of USB thumb drives. So, unfortunately, the world of spam looks to have borrowed some lessons from malware. Twenty years later, we are still fighting malware, and fighting more of it than we could ever have imagined.
Norton 2010 – the BETA is here
I am delighted to let you know that we have released BETA versions of Norton AntiVirus 2010 and Norton Internet Security 2010. Without wanting to resort to the realms of hyperbole, the Norton 2010 products are not just another update to a well-established security product. These products see us deploy an exciting and innovative new approach to security: namely reputation-based security. As and when you encounter a file that is being downloaded onto your PC, we will be able to make a real-time assessment as to the safety or trustworthiness of that file. Trojan-based downloads are the attack ‘du jour’ of the malware crowd, and this represents a new approach that they have not encountered before. The link to the BETA is here. You can also track the development of the BETA testing and find out what other people think of the products by monitoring the Norton Forum. A quick summary of just some of the many new features in Norton 2010 follows:
Performance enhancements
The 2010 products improve on the very high performance bar already set by the 2009 products. The Beta builds will be regularly updated, with later builds improving on performance and functionality.
Enhanced Norton Insight
Norton Insight is built on the Symantec Quorum backend intelligence technology first introduced in the 2009 products. In 2009, Norton Insight only quantified trustworthiness; in 2010, Norton Insight also provides information on prevalence, age, and runtime performance data.
Download Insight
Download Insight is a new line of defense against the introduction of untrusted applications on your system. Download Insight monitors new application or installer downloads, automatically analyzes and classifies the application using the Quorum technology, and provides you with a trust rating for the application before allowing the application or installer to execute.
Performance Monitoring
The system performance monitoring now also monitors system events such as application installations, and we monitor process performance. This information is graphed over time, to make it easier to determine if an application may be the cause of degraded performance.
Enhanced SONAR
SONAR behavioural protection technology was completely re-written for the 2010 products. SONAR now also utilises the Quorum backend intelligence technology to further improve detections and reduce false positives.
Power Savings
Power saving options are available that help conserve battery power by only running non-critical tasks when on AC power.
Silent Mode
The Silent Mode functionality was enhanced to include Quiet Mode on automatic detection of CD/DVD burning and media recording applications. Users can now also define their own applications that will trigger Quiet Mode.
Anti-Spam
The Anti Spam technology was completely re-written for the 2010 products. The Anti Spam engine is now using the world’s leading Symantec Brightmail technology. The engine is further enhanced to not only perform local scanning, but to also double check the results in real-time against the backend system, further increasing the effectiveness and reducing false positives.
Windows 7
Full support for Windows 7, including support for Teredo, Windows Mail, and Home Groups.