Endpoint Protection

  • 1.  Post-Kareeza Spyware

    Posted Jun 25, 2014 04:58 PM

    Anyone else wrestle with this click fraud binary? Apparently it gets stuck in the browser and sends ghost-clicks to an ad vendor so they can fraudulently charge their hapless clients. 

    Impact on end user: poor browser/system performance, excess network traffic

    Impact on hapless vendor trying to get more visitors: $$$

    SEPM has logged all the URL traffic and we can see sites like cnn and huffingtonpost serving up this binary to visitors

    Anyone know how this thing works, better yet how to eradicate it? There are lots of phony sites on the web claiming to help with that "post-kareeza Trojan infection". It's not a Trojan (yet) but should be classified as aggressive adware/spyware.



  • 2.  RE: Post-Kareeza Spyware

    Posted Jun 25, 2014 05:04 PM
    Create a firewall rule to log application traffic so you narrow it down. Once you find it, you can block access and remove the exe (submit to symantec first)


  • 3.  RE: Post-Kareeza Spyware

    Posted Jun 25, 2014 06:40 PM

    We can't do application logging at the perimeter firewall, are you referring to a client side firewall?



  • 4.  RE: Post-Kareeza Spyware

    Posted Jun 25, 2014 07:22 PM

    Yes, I'm talking about application logging using the SEP firewall, not your perimeter fw.

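The triage step described in the replies above (log application traffic with the SEP client firewall, then narrow down which process is generating the connections before blocking it and pulling the executable) can be scripted once the traffic log is exported. The following is an added example, not code from the thread or from Symantec: it reads a constructed CSV sample whose column set is an assumption for illustration rather than the exact SEP export schema, ranks every application that talked to the suspect domain, and flags any that live outside the usual install directories as the first candidates for submission to Security Response and for a block rule.

```python
"""Triage a client firewall traffic log: which local process talks to a
suspect domain, and does that process live somewhere a browser should not.
Added example; the log layout below is constructed, not the SEP schema."""
import csv
import io
from collections import defaultdict

# Constructed sample rows (hypothetical hosts, user and paths).
SAMPLE_LOG = """\
time,direction,local_ip,remote_host,remote_port,application,action
2014-06-25 14:01:03,Outgoing,10.0.0.12,www.cnn.com,80,C:\\Program Files\\Internet Explorer\\iexplore.exe,Allowed
2014-06-25 14:01:04,Outgoing,10.0.0.12,kareeza.com,80,C:\\Program Files\\Internet Explorer\\iexplore.exe,Allowed
2014-06-25 14:01:05,Outgoing,10.0.0.12,ads.kareeza.com,80,C:\\Program Files\\Internet Explorer\\iexplore.exe,Allowed
2014-06-25 14:01:09,Outgoing,10.0.0.12,kareeza.com,80,C:\\Users\\alice\\AppData\\Roaming\\update\\update.exe,Allowed
2014-06-25 14:01:10,Outgoing,10.0.0.12,kareeza.com,80,C:\\Users\\alice\\AppData\\Roaming\\update\\update.exe,Allowed
2014-06-25 14:01:11,Outgoing,10.0.0.12,kareeza.com,80,C:\\Users\\alice\\AppData\\Roaming\\update\\update.exe,Allowed
2014-06-25 14:01:12,Outgoing,10.0.0.12,www.huffingtonpost.com,80,C:\\Program Files\\Internet Explorer\\iexplore.exe,Allowed
2014-06-25 14:01:13,Incoming,10.0.0.12,10.0.0.5,445,System,Allowed
"""

SUSPECT_DOMAINS = {"kareeza.com"}

# Directories where a legitimately installed browser or system binary lives;
# anything else talking to the suspect domain deserves a closer look.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def domain_matches(host, suspects):
    """True if host is a suspect domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in suspects)


def parse_log(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(text, suspects=SUSPECT_DOMAINS):
    """Return [(application, hit_count, sorted_hosts)] for outgoing
    connections to suspect domains, most hits first."""
    per_app = defaultdict(lambda: {"hits": 0, "hosts": set()})
    for row in parse_log(text):
        if row["direction"] != "Outgoing":
            continue
        if not domain_matches(row["remote_host"], suspects):
            continue
        entry = per_app[row["application"]]
        entry["hits"] += 1
        entry["hosts"].add(row["remote_host"].lower())
    ranked = sorted(per_app.items(), key=lambda kv: kv[1]["hits"], reverse=True)
    return [(app, e["hits"], sorted(e["hosts"])) for app, e in ranked]


def unexpected_processes(results):
    """Applications outside TRUSTED_DIRS: candidates to submit and block."""
    return [app for app, _, _ in results if not app.lower().startswith(TRUSTED_DIRS)]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for app, hits, hosts in results:
        print(f"{hits:4d}  {app}  -> {', '.join(hosts)}")
    for app in unexpected_processes(results):
        print("submit/block:", app)
```

With a real export, replace SAMPLE_LOG with the file contents; a browser process appearing in the list is expected (the injected code runs inside it), while a stand-alone executable under a user profile is what the SEP firewall rule should then block and the submission should cover.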


  • 5.  RE: Post-Kareeza Spyware

    Posted Jun 26, 2014 06:05 AM

    Hi SYMnewb,

    Thanks for the post- I might be able to help:

    SEPM has logged all the URL traffic and we can see sites like cnn and huffingtonpost serving up this binary to visitors

    Can you supply some information on the URLs involved, and have you submitted the binaries for analysis?  (If not, do you know their MD5 hash values?)

    If there is an undetected threat, definitely do investigate and open a Tech Support case.  Symantec has helped take down such threats and botnets before.  This blog post that illustrates clickfraud may be of interest:

    Bamital Bites the Dust
    https://www-secure.symantec.com/connect/blogs/bamital-bites-dust


    Please do keep this thread up-to-date with your progress!

    Many thanks,

    Mick




  • 6.  RE: Post-Kareeza Spyware

    Posted Jun 26, 2014 05:38 PM

    kareeza.com is the main site. If visited it may open blank tabs in the browser. We have examined the "viz11.swf" you can pick up on the site, and while sloppily written (intentional for obfuscation?) is not very malicious in that it does not try to break anything. It does appear to load the visitor's browser with code to simulate web site hits. 

    It fetches a list of "Ad Partners", installs a plug-in (IE only) and displays virtually invisible display elements, sized with singular pixels ('size=1x1' (pixels) and 'left=-1000, top=-1000', i.e. "off the screen").

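The rendering trick described above (ad partner frames sized 1x1 or pushed to left=-1000, top=-1000 so they never appear on screen) can be checked for statically in a page capture. The following is an added example, not code from the thread or from Symantec, and the sample HTML with its partner hosts is constructed for illustration. It walks the markup with the standard library parser and reports every iframe, img, embed or object that is at most one pixel in size, positioned far off the viewport, hidden with CSS, or nested inside a container that is.

```python
"""Flag ad elements a user can never see: 1x1 (or smaller) frames and
images, elements placed far off-screen, CSS-hidden elements, and anything
nested inside such a container. Added example; SAMPLE_HTML is constructed."""
import re
from html.parser import HTMLParser

OFFSCREEN_PX = 500            # a left/top offset this negative is never visible
REPORT = {"iframe", "img", "embed", "object"}
VOID = {"img", "br", "hr", "input", "meta", "link", "source"}

# Constructed page: one real banner, one 1x1 frame, one off-screen container
# with a frame inside, one display:none pixel, one normal video frame.
SAMPLE_HTML = """
<html><body>
<h1>Article</h1>
<img src="http://cdn.example.test/banner.jpg" width="728" height="90">
<iframe src="http://partner1.example.test/ad" width="1" height="1"></iframe>
<div style="position:absolute; left:-1000px; top:-1000px;">
  <iframe src="http://partner2.example.test/ad"></iframe>
</div>
<img src="http://partner3.example.test/px.gif" style="display:none">
<iframe src="http://video.example.test/player" width="640" height="360"></iframe>
</body></html>
"""

_LENGTH = re.compile(r"^-?\d+(\.\d+)?(px)?$")


def _style_map(style):
    """'a:b; c:d' -> {'a': 'b', 'c': 'd'} with keys/values lower-cased."""
    out = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            out[k.strip().lower()] = v.strip().lower()
    return out


def _px(value):
    """Parse '1', '1px' or '-1000px' into a float; None if not a pixel length."""
    if value is None:
        return None
    v = value.strip().lower()
    if not _LENGTH.match(v):
        return None
    return float(v[:-2] if v.endswith("px") else v)


def _hidden_reasons(attrs):
    """Reasons this element, on its own attributes, is invisible to the user."""
    a = dict(attrs)
    style = _style_map(a.get("style"))
    reasons = []
    w = _px(a["width"]) if "width" in a else _px(style.get("width"))
    h = _px(a["height"]) if "height" in a else _px(style.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append("1x1-or-smaller")
    for side in ("left", "top"):
        v = _px(style.get(side))
        if v is not None and v <= -OFFSCREEN_PX:
            reasons.append("off-screen-" + side)
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        reasons.append("css-hidden")
    return reasons


class HiddenElementScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._stack = []          # (tag, is_hidden_container)
        self._hidden_depth = 0    # > 0 while inside a hidden container

    def handle_starttag(self, tag, attrs):
        reasons = _hidden_reasons(attrs)
        if self._hidden_depth:
            reasons.append("inside-hidden-container")
        if tag in REPORT and reasons:
            self.findings.append({"tag": tag, "src": dict(attrs).get("src", ""),
                                  "reasons": reasons})
        if tag not in VOID:
            self._stack.append((tag, bool(reasons)))
            if reasons:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID or not any(t == tag for t, _ in self._stack):
            return
        while self._stack:
            t, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if t == tag:
                break


def find_hidden_elements(html):
    """Return findings as [{'tag', 'src', 'reasons'}] in document order."""
    scanner = HiddenElementScanner()
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for f in find_hidden_elements(SAMPLE_HTML):
        print(f["tag"], f["src"], ", ".join(f["reasons"]))
```

A single 1x1 image is also how ordinary analytics beacons are built, so treat the output as a list of URLs to pull out of the proxy or SEP firewall log and count, not as a verdict; what stands out in the click-fraud case is the number of distinct partner hosts being loaded invisibly per page view.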


  • 7.  RE: Post-Kareeza Spyware

    Posted Jun 27, 2014 06:00 AM

    Many thanks SYMnewb- do submit that .swf file to Security Response for analysis.

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions


  • 8.  RE: Post-Kareeza Spyware

    Posted Jun 27, 2014 01:08 PM

    Tracking #38404155




  • 9.  RE: Post-Kareeza Spyware

    Posted Jun 30, 2014 05:25 AM

    Hi SYMnewb,

    Thanks for the submission.  As you have posted, Security Response determined that this flash file does not meet Symantec's criteria for being considered malicious.  Other vendors seem to agree: on VirusTotal that file has a 0/53 detection ratio.

    It is possible to block all Flash in your environment, if you like.  Here's a forum thread with good links: https://www-secure.symantec.com/connect/forums/block-flv-file 

    Likewise, it is possible to block access to those domains with a firewall policy.

    Blocking a Website using Symantec Endpoint Protection
    http://www.symantec.com/docs/TECH92405

    Definitely do keep Flash and other third-party Internet plugins up to date.  Exploit kits can take advantage of known vulnerabilities in older versions and drop some very nasty code onto a computer using drive-by downloads. This is one way that cryptolockers like Trojan.Cryptowall get onto a machine, sabotaging all the documents on that computer's drives and then going off to encrypt all the documents it can over open network shares.  IPS can help offer protection, but keeping software patched up-to-date in addition to IPS is best.

    Symantec Endpoint Protection – Best Practices
    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0
    Hope this helps!!

    Mick