May 2012 Computer Security Summary By Symantec

Symantec Intelligence Report: May 2012

What happened in May 2012 ?
  • Spam – 67.8 percent (an increase of 3.3 percentage points since April):
  • Phishing – One in 568.3 emails identified as phishing (a decrease of 0.03 percentage points since April):
  • Malware – One in 365.1 emails contained malware (an increase of 0.03 percentage points since April):
  • Malicious Web sites – 4,359 Web sites blocked per day (an increase of 48.7 percent since April):
  • Targeted Attacks, Cyber Espionage and W32.Flamer:
  • London 2012 Olympic Games – Spammers Aiming for the Gold:
  • Flashback—The day of the Mac threat has arrived:

W32.Flammer - The Middle Eastern Targeting Trojan:

W32.Flamer was first discovered when the Iranian Oil Ministry was attacked. As a result, the ministry decided to disconnect its facilities from the Internet.

Based on what Symantec found, this trojan's core purpose is to gather data from compromised computers. Period.

Symantec claims to have no knowledge on who made the Flammer and it recognizes that it is the most complex piece of malware, ever.

What is interesting in terms of Flamer is that it appears to have been developed by professional software developers. The code is very clean, and has an advanced architectural design. For instance, it makes use of a highly customizable scripting language called Lua, which allows the attackers to create custom modules for the threat. It also contains a SQLite database which it uses to collect and store information.

London 2012 Olympic Games Opportunists:

Up to May 2012, Symantec detected lottery and phishing scams related to the coming-soon Olympic games.

Flashback—The Day of the Mac Threat has Arrived

The OSX.Flashback.K affected approximately 600,000 Macs.

Flashback was first discovered in September of 20113. It started off disguising as an Adobe Flash Player installation package for Mac which in actual fact Mac doesn't support flash and yet many people got duped.

It didn't go well until it hit the right button, by leveraging on well-known Java vulnerability. The Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability4 (CVE-2012-0507) had been publically disclosed in February, and subsequently patched by Oracle.

The exploit was added to a version of the popular Blackhole exploit kit and seeded out to compromised websites throughout the Internet. If a Mac user happened to come across one of these websites, the kit attempted to exploit the Java platform and install Flashback. The result was more than half a million compromised Macs.

Once the word spread, Apple was quick to release a patch for the vulnerable version of Java and distribute it to users of OSX version 10.6 and 10.7. The company, in an uncharacteristic move, would release a patch for the no-longer-supported OSX 10.5 a few weeks later.

One thing interesting about Flashback is that it is designed to generate pay-per-click revenue on web ads such as Google ads. Symantec estimated that it only managed to generate abour USD $14,000 in total with no prospect of cashing out.

Android.Opfake Makes Another Run:

Since 2012, attacks on mobile platform has been greatly intensified. By the end of may 2012, we had seen 11 new Android threat families and twelve months on, the number will have passed 30; that’s almost a threefold increase, year on year. There was also a month-by-month average increase of 42.5% in the number of new threat families.

Android.Opfake is malware written for Android devices that masquerades as various apps and content, including an installer for the Opera Web browser and a pornographic movie, which requires the user to pay for them. It demands payment for the app or content through Short Message Service (SMS) messages.

Symantec found that it is being distributed as disguises for games such as Temple Run and Cut the Rope. The attackers have even gone so far as to include images of actual devices playing the games in an attempt to convince unsuspecting users that the malicious versions are actually legitimate.


This trojan is primarily targeting the UK and the Netherlands. It is a banking trojan which attempts to steal banking credentials. This is carried out by detecting which banking sites the user is currently browsing and if a match is found, it will cover part of the page in white, using a hidden DIV tag, and execute custom JavaScript located on the malicious server.

Affected browsers are Firefox and Internet Explorer which makes up 50% of the share.


W32.Flammer, W32.Stuxnet  and W32.Duqu appear to be politically motivated. However, Symantec believes that W32.Flammer and W32.Stuxnet and W32.Duqu are written entirely by different team of programmers.

Politically or not, it is suggestive that these programmers are funded and are well informed.