Endpoint Protection

I received an email from a trusted source, clicked on link in email (without thinking) and was redirected to a website for Viagra.

I started a Full Scan with Symantec Endpoint Protection v11.0 and nothing was found.

Can any of you white-hats (or whatever the good guy hacker term is) determine what this thing did?  Here is link I clicked on in email - spaces added to prevent accidents

ht tp:// asuntokauppoja.fi/images/asw.p h p

Thank you in advance,

Chris

It could be kind of phishing attack. Can you check with the trusted source of sending the URL included in mail?

Hi,

Have you configured Symantec mail security in your environment ? SEP and Symantec mail security are two different product.

Symantec mail security will stop such kind of Spam emails.

To be safer side it is recommended  to install all the SEP features AV / PTP/ NTP with latest definitions.Always make sure that your computers are receiving definitions regularly.

You windows machine should have all the latest windows updates /Patches.

It may not mean anything other than you were re-directed to that particular site.

This particular site does not have anything malicious on it. Just don't buy anything

We've been hit by a few of these in the past few month and they seem to be creating new variants on a daily basis.  Not sure how Mail Security (which we're running) would help if these things are being sent out rapid-fire before definitions are updated. 

We had a user click a link to:

htt p://marl uci amartins.com.br/ima ges/aqq.ph p (spaces added, and the link is now dead).

In that case, the user ended up with a new variant of SecurityShieldFraud that wasn't detected by even the rapid release defs at the time.

Today's victim had defender.exe dropped in their application data directory after clicking a similar link.  There was no prompt to run an application - it just loaded.  This one still isn't detected by the rapid release defs.

I submitted a sample (Tracking #19520683) and haven't yet heard back.

We're going to take a machine and try to see what the infection vector is.. we think it might be a java vulnerability because a user got this at home and reported seeing the java console load just before they got hit. 

Heard back:

We have processed your submission (Tracking #19520683) and your submission is now closed. The following is a report of our findings for the files in your submission:

File: defender.exe

Machine: Machine

Determination: This file is detected as 'Trojan.FakeAV, ' with our existing Rapid Release definition set.

This is not true.  I downloaded the latest definitions available here:

ftp://ftp.symantec.com/AVDEFS/norton_antivirus/rapidrelease/

03/17/11 01:31AM [GMT]    101,011,328 symrapidreleasedefsv5i32.exe

After installing them, I get the 16 March 2011 r36 version, and this is not being detected when I perform a scan for viruses on the sample.  The eicar test string is detected though.
 

You need this rapid release definition file for SEP (symrapidreleasedefsx86.exe)- http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

The detection results message should specify the minimum required revision, not "the existing set".  This is crucial if people click the link and they download the latest available defs on the RR ftp site at the time (it was r36) and that version doesn't provide the protection.

We're using SEP 11, so when I go to http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr, it says that symrapidreleasedefsx86 is for:

Shouldn't Endpoint Protection 11 also be listed if this is the one i'm supposed to be using?  

Anyway, after running this, i'm at r37, and is now detected if i scan the .exe itself.  What complicates this is that when I scan the .zip file that I uploaded to symantec when I made my submission, it doesn't detect anything.  Shouldn't that work when scanning 3 levels deep inside a zip file is turned on?

You are correct, I was mistaken. I thought I was on the SEP 11 definitions listing.

Time for glasses. : )

I am unsure as to why the zip file was not getting detected. Are you running the Security Response recommened settings for your AV?

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948

Interestingly enough, the x86 defs did update sep11!

Just double-checked all settings.  We're at the Symantec Security Response Recommendation setting for everything except for the Tru-Scan frequency. That's set to 1 hour (default) rather than 15 minutes.  Given that the virufs defs are only updated three times or so a day, wouldn't this be adequate?  This shouldn't affect whether an on-demand scan would miss a detection in a zip file.

SEP email scanner and Symantec Mail Security (SMS) are purely anti-malwares. I don't think they scan for spam emails. They do however look for scripts and malicious attachments in emails. If the sender is a trusted source, have their computer scanned as it's probably their PC that's infected. And I hope none of them accidentally added your email to one of those spam sites.

What you need is an Anti-spam like Symantec Brightmail Gateway.

:)

I was testing last night and managed to get my test PC infected with InternetSecurity2011 (on purpose), and I had to find a BlackHat Search Engine Optimization link and follow some links, but this one was definitely social engineering. 

Other users deny accepting any prompts and still getting infected with defender.exe after clicking an emailed link (ending in .php), so we suspect it might be an unpatched vulnerability.  The problem is, these links disappear quite quickly so it's difficult to troubleshoot.  If any of your users get stung by defender and you still have the email they received, I'd love a copy of the link posted (safely, with spaces) here so we can try to replicate.