Feeds

Online attackers feed off Norton forum purge

Silence isn't golden

Next gen security for virtualised datacentres

Quick-moving attackers took advantage of a glitch in an update for Symantec anti-virus software, using an information vacuum that followed as an opportunity to lure panic-stricken users to websites that tried to install malware on their computers.

The glitch began around 4:30 pm California time on Monday, when Symantec engineers accidentally distributed a software update for older versions of the Norton Anti-Virus that had not been digitally signed. Symantec customers soon received ominous error messages popping up on their computer screens - so they did what good end-users are supposed to do: they went to the company's support forum to get the official word on a file called pifts.exe that was the subject of the warnings.

To the amazement of many, there were no messages. To make matters worse, there was evidence that every time a customer posted a query about the error, someone at Symantec removed it. By Tuesday morning, several websites with top billing from Google and other search engines were exploiting the confusion by promising details about the problem but pushing malware instead.

What's impressive about the scam is how quickly the miscreants seized on the completely unexpected event. Within hours, their sites had managed not only to reference pifts.exe but also to rise to the top of Google's rankings.

Jeff Kyle, group manager for consumer products at Symantec, said posts were only deleted after the forum was flooded with more than 600 nonsensical messages that contained the string "pifts." Recognizing their site was under attack by bot-controlled PCs, forum administrators promptly shut down threads that were discussing the file.

The removal of the threads only made users more eager for information about a file they had every reason to believe represented a clear and present danger to their computer security. That created a golden opportunity for professional malware pushers.

One of the websites promising information was inspected by Randal Vaughn, a professor of information systems at Baylor University. He said it was outfitted with javascript that checked to see how visitors had arrived at the rogue site. If Google, Yahoo, or MSN had referred them, the site tried to foist malware on them. If not, it returned an error message.

It's unfortunate that this episode happened at all. A single well-placed post from a Symantec official would likely have nipped most of it in the bud and prevented the mass confusion that enabled this social-engineering attack. Kyle said that the forum is run by Symantec employees in what amounts to their spare time, and isn't supposed to be relied upon to communicate glitches such as the one that happened on Monday.

We wouldn't be surprised to see that change. As the episode makes clear, real-time communication with customers is key for security providers, especially following glitches.

"We have to look at how to better communicate to our users," Kyle said in an interview. "We constantly do that and this just calls out a different flavor and an increased need to be able to communicate actively and accurately to our user base." ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.