Feeds

Online attackers feed off Norton forum purge

Silence isn't golden

Beginner's guide to SSL certificates

Quick-moving attackers took advantage of a glitch in an update for Symantec anti-virus software, using an information vacuum that followed as an opportunity to lure panic-stricken users to websites that tried to install malware on their computers.

The glitch began around 4:30 pm California time on Monday, when Symantec engineers accidentally distributed a software update for older versions of the Norton Anti-Virus that had not been digitally signed. Symantec customers soon received ominous error messages popping up on their computer screens - so they did what good end-users are supposed to do: they went to the company's support forum to get the official word on a file called pifts.exe that was the subject of the warnings.

To the amazement of many, there were no messages. To make matters worse, there was evidence that every time a customer posted a query about the error, someone at Symantec removed it. By Tuesday morning, several websites with top billing from Google and other search engines were exploiting the confusion by promising details about the problem but pushing malware instead.

What's impressive about the scam is how quickly the miscreants seized on the completely unexpected event. Within hours, their sites had managed not only to reference pifts.exe but also to rise to the top of Google's rankings.

Jeff Kyle, group manager for consumer products at Symantec, said posts were only deleted after the forum was flooded with more than 600 nonsensical messages that contained the string "pifts." Recognizing their site was under attack by bot-controlled PCs, forum administrators promptly shut down threads that were discussing the file.

The removal of the threads only made users more eager for information about a file they had every reason to believe represented a clear and present danger to their computer security. That created a golden opportunity for professional malware pushers.

One of the websites promising information was inspected by Randal Vaughn, a professor of information systems at Baylor University. He said it was outfitted with javascript that checked to see how visitors had arrived at the rogue site. If Google, Yahoo, or MSN had referred them, the site tried to foist malware on them. If not, it returned an error message.

It's unfortunate that this episode happened at all. A single well-placed post from a Symantec official would likely have nipped most of it in the bud and prevented the mass confusion that enabled this social-engineering attack. Kyle said that the forum is run by Symantec employees in what amounts to their spare time, and isn't supposed to be relied upon to communicate glitches such as the one that happened on Monday.

We wouldn't be surprised to see that change. As the episode makes clear, real-time communication with customers is key for security providers, especially following glitches.

"We have to look at how to better communicate to our users," Kyle said in an interview. "We constantly do that and this just calls out a different flavor and an increased need to be able to communicate actively and accurately to our user base." ®

How to simplify SSL certificate management

More from The Register

next story
Nothing illegal to see here: Tribunal says TEMPORA spying is OK
Rules mass surveillance is legal, in principle at least
Google kills CAPTCHAs: Are we human or are we spammer?
Do you make up these questions, Mr Wonka?
Author fined $500k in first US spyware conviction
100,000 creeps buy mobe-watching wares
Sony Pictures struggles as staff details, salaries and films leaked
Fury and Annie now doing the rounds - along with staff's privates
Stupid humans and their EXPENSIVE DATA BREACHES
Non-human cockups only account for 7% of leaks
Australian Government funds effort to secure wearable data pulses
Skipping hand-in-hand with government and insurance company databases
prev story

Whitepapers

Virtual desktop cost analysis
The downward trend in desktop virtualization costs and how this trend is prompting organizations to evaluate their own physical PC costs.
Manage security in real time
How security information and event management (SIEM) can work, but also shows how SIEM will become an essential feature of your security environment.
The Escalating Threat of DDoS Attacks
With increasing frequency and scale, some of the world’s largest data center and network operators are suffering from crippling Distributed Denial of Service (DDoS) attacks.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Everything a site builder wants to know
The major changes in Drupal 8 for end users, site builders, designers and front-end developers, and for back-end developers - part 2.