Feeds

Online attackers feed off Norton forum purge

Silence isn't golden

Build a business case: developing custom apps

Quick-moving attackers took advantage of a glitch in an update for Symantec anti-virus software, using an information vacuum that followed as an opportunity to lure panic-stricken users to websites that tried to install malware on their computers.

The glitch began around 4:30 pm California time on Monday, when Symantec engineers accidentally distributed a software update for older versions of the Norton Anti-Virus that had not been digitally signed. Symantec customers soon received ominous error messages popping up on their computer screens - so they did what good end-users are supposed to do: they went to the company's support forum to get the official word on a file called pifts.exe that was the subject of the warnings.

To the amazement of many, there were no messages. To make matters worse, there was evidence that every time a customer posted a query about the error, someone at Symantec removed it. By Tuesday morning, several websites with top billing from Google and other search engines were exploiting the confusion by promising details about the problem but pushing malware instead.

What's impressive about the scam is how quickly the miscreants seized on the completely unexpected event. Within hours, their sites had managed not only to reference pifts.exe but also to rise to the top of Google's rankings.

Jeff Kyle, group manager for consumer products at Symantec, said posts were only deleted after the forum was flooded with more than 600 nonsensical messages that contained the string "pifts." Recognizing their site was under attack by bot-controlled PCs, forum administrators promptly shut down threads that were discussing the file.

The removal of the threads only made users more eager for information about a file they had every reason to believe represented a clear and present danger to their computer security. That created a golden opportunity for professional malware pushers.

One of the websites promising information was inspected by Randal Vaughn, a professor of information systems at Baylor University. He said it was outfitted with javascript that checked to see how visitors had arrived at the rogue site. If Google, Yahoo, or MSN had referred them, the site tried to foist malware on them. If not, it returned an error message.

It's unfortunate that this episode happened at all. A single well-placed post from a Symantec official would likely have nipped most of it in the bud and prevented the mass confusion that enabled this social-engineering attack. Kyle said that the forum is run by Symantec employees in what amounts to their spare time, and isn't supposed to be relied upon to communicate glitches such as the one that happened on Monday.

We wouldn't be surprised to see that change. As the episode makes clear, real-time communication with customers is key for security providers, especially following glitches.

"We have to look at how to better communicate to our users," Kyle said in an interview. "We constantly do that and this just calls out a different flavor and an increased need to be able to communicate actively and accurately to our user base." ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?