Feeds

Online attackers feed off Norton forum purge

Silence isn't golden

The Essential Guide to IT Transformation

Quick-moving attackers took advantage of a glitch in an update for Symantec anti-virus software, using an information vacuum that followed as an opportunity to lure panic-stricken users to websites that tried to install malware on their computers.

The glitch began around 4:30 pm California time on Monday, when Symantec engineers accidentally distributed a software update for older versions of the Norton Anti-Virus that had not been digitally signed. Symantec customers soon received ominous error messages popping up on their computer screens - so they did what good end-users are supposed to do: they went to the company's support forum to get the official word on a file called pifts.exe that was the subject of the warnings.

To the amazement of many, there were no messages. To make matters worse, there was evidence that every time a customer posted a query about the error, someone at Symantec removed it. By Tuesday morning, several websites with top billing from Google and other search engines were exploiting the confusion by promising details about the problem but pushing malware instead.

What's impressive about the scam is how quickly the miscreants seized on the completely unexpected event. Within hours, their sites had managed not only to reference pifts.exe but also to rise to the top of Google's rankings.

Jeff Kyle, group manager for consumer products at Symantec, said posts were only deleted after the forum was flooded with more than 600 nonsensical messages that contained the string "pifts." Recognizing their site was under attack by bot-controlled PCs, forum administrators promptly shut down threads that were discussing the file.

The removal of the threads only made users more eager for information about a file they had every reason to believe represented a clear and present danger to their computer security. That created a golden opportunity for professional malware pushers.

One of the websites promising information was inspected by Randal Vaughn, a professor of information systems at Baylor University. He said it was outfitted with javascript that checked to see how visitors had arrived at the rogue site. If Google, Yahoo, or MSN had referred them, the site tried to foist malware on them. If not, it returned an error message.

It's unfortunate that this episode happened at all. A single well-placed post from a Symantec official would likely have nipped most of it in the bud and prevented the mass confusion that enabled this social-engineering attack. Kyle said that the forum is run by Symantec employees in what amounts to their spare time, and isn't supposed to be relied upon to communicate glitches such as the one that happened on Monday.

We wouldn't be surprised to see that change. As the episode makes clear, real-time communication with customers is key for security providers, especially following glitches.

"We have to look at how to better communicate to our users," Kyle said in an interview. "We constantly do that and this just calls out a different flavor and an increased need to be able to communicate actively and accurately to our user base." ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.