01 Feb 2012 |
For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection.
26 Jan 2012 |
The Sykipot campaign has been persistent in the past few months targeting various industries, the majority of which belong to the defense industry. Each campaign is marked with a unique identifier comprised of a few letters followed by a date hard-coded within the Sykipot Trojan itself.
13 Dec 2011 |
Thanks to Masaki Suenaga and Andy Xies for their analysis.
12 Dec 2011 |
Authored by Tony Millington and Gavin O’Gorman
The intercepted email in this blog was provided by Symantec.cloud.
06 Nov 2011 |
In late September 2011, it was reported that a previously unknown and unpatched vulnerability in Hancom Office (word processing software predominantly used in Korea) was exploited in the wild.
21 Oct 2011 |
As mentioned in our previous blog, W32.Duqu was first brought to our attention by a research lab who had been investigating a targeted attack on another organization.
18 Oct 2011 |
On October 14, 2011, a research lab with strong international connections alerted us to a sample that appeared to be very similar to Stuxnet. They named the threat "Duqu" [dyü-kyü] because it creates files with the file name prefix “~DQ”.
19 May 2011 |
W32.Qakbot is a worm that's been around since at least 2009. The worm initially infects users by exploiting vulnerabilities when certain Web pages are visited. It subsequently spreads through network shares and removable drives.