Feeds

Online attackers feed off Norton forum purge

Silence isn't golden

Choosing a cloud hosting partner with confidence

Quick-moving attackers took advantage of a glitch in an update for Symantec anti-virus software, using an information vacuum that followed as an opportunity to lure panic-stricken users to websites that tried to install malware on their computers.

The glitch began around 4:30 pm California time on Monday, when Symantec engineers accidentally distributed a software update for older versions of the Norton Anti-Virus that had not been digitally signed. Symantec customers soon received ominous error messages popping up on their computer screens - so they did what good end-users are supposed to do: they went to the company's support forum to get the official word on a file called pifts.exe that was the subject of the warnings.

To the amazement of many, there were no messages. To make matters worse, there was evidence that every time a customer posted a query about the error, someone at Symantec removed it. By Tuesday morning, several websites with top billing from Google and other search engines were exploiting the confusion by promising details about the problem but pushing malware instead.

What's impressive about the scam is how quickly the miscreants seized on the completely unexpected event. Within hours, their sites had managed not only to reference pifts.exe but also to rise to the top of Google's rankings.

Jeff Kyle, group manager for consumer products at Symantec, said posts were only deleted after the forum was flooded with more than 600 nonsensical messages that contained the string "pifts." Recognizing their site was under attack by bot-controlled PCs, forum administrators promptly shut down threads that were discussing the file.

The removal of the threads only made users more eager for information about a file they had every reason to believe represented a clear and present danger to their computer security. That created a golden opportunity for professional malware pushers.

One of the websites promising information was inspected by Randal Vaughn, a professor of information systems at Baylor University. He said it was outfitted with javascript that checked to see how visitors had arrived at the rogue site. If Google, Yahoo, or MSN had referred them, the site tried to foist malware on them. If not, it returned an error message.

It's unfortunate that this episode happened at all. A single well-placed post from a Symantec official would likely have nipped most of it in the bud and prevented the mass confusion that enabled this social-engineering attack. Kyle said that the forum is run by Symantec employees in what amounts to their spare time, and isn't supposed to be relied upon to communicate glitches such as the one that happened on Monday.

We wouldn't be surprised to see that change. As the episode makes clear, real-time communication with customers is key for security providers, especially following glitches.

"We have to look at how to better communicate to our users," Kyle said in an interview. "We constantly do that and this just calls out a different flavor and an increased need to be able to communicate actively and accurately to our user base." ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.