Security Response

Following our blog, Zero-Day Attack on IE6 – JS.Sykipot Doesn’t Spare Retired Software, covering the recent IE Zero-day, we thought it might be interesting to look at an attack in the wild using this vulnerability and the resulting payload.

In what is thought to be a targeted attack, the targets were duped into visiting the site Topix21century.com, which was recently registered on March 6, 2010. Once the site is visited and the target is exploited using JS.Sykipot, they find themselves with Backdoor.Sykipot installed on their system....

Internet Explorer 6 may have taken its path to retirement but it still remains a good target for exploits, as we can see from JS.Sykipot. This zero-day was found on March 8th and it exploits a vulnerability in some Internet Explorer versions (CVE-2010-0806 , BID 38615) that can lead to remote code execution. Upon successful exploitation, JS.Sykipot will download and run Backdoor.Sykipot, which is a back door capable of communicating with its control server to receive and run several commands.

In my tests, the exploit worked successfully on IE6...

We recently received a file (from CERT) for analysis. We found that the file was a Trojan that opens a back door on a compromised computer and listens for commands on port 7777. This by itself is not very unusual, but what surprised us was that this file was being distributed by Energizer Inc as part of a USB charger-monitoring software package.

When we checked the manufacturer’s website, the file was still available as part of the USB charger software package. As part of the installation process for the USB charger software, the file “Arucer.dll” is created and added to the registry run key. We discovered that this file is the Trojan and added detection for it as Trojan.Arugizer. Since the file is added to the run key, the Trojan starts every time the computer starts. The Trojan listens for commands from anyone who connects and can perform various actions...

“Big Brother Brazil” is a Brazilian reality TV program adapted from the popular Big Brother television series. The show is about a group of people living together in a purpose-built Big Brother house, isolated from the outside world, while being monitored by cameras 24x7. The television series is viewed by scores of people during primetime hours, but live feeds are also available from multiple cameras in the house on the Web. Part of the popularity is due to the fact that some of the videos are suitable only for adult viewing.

Symantec has observed phishing attacks—against social networking websites—claiming to have Web applications that will provide live feeds of the show that are available for viewing. Users are asked to enter their credentials and add the application in order to watch the show live. The sheer amount of interest in the show will lure some people into entering their credentials. The Big Brother Brazil social networking application...

In October 2009 we started tracking the Mariposa, or Butterfly, botnet. At that time, a security company had reported that a large number of Fortune 100 companies had been infected with this threat. Earlier today, news came out that the same firm had worked with the appropriate authorities in arresting alleged key members of the Mariposa botnet.

Back in October 2009 we also blogged about this bot's capabilities, in a brief post called The Mariposa Butterfly. Later that month we were able to get our hands on a toolkit being sold in underground forums that clearly demonstrated the bot's capabilities. More information about that is available in...

The 2010 Winter Olympics were held in Vancouver, Canada, from February 12-28. With more than 82 countries participating and millions across the globe catching day-to-day action, it was sadly quite obvious that we would see spam attacks centered on this event. However, the volume of spam relating to the Winter Olympics is actually very low, which is unlike the Beijing Olympics, when spam campaigns had started way before actual event. In the case of the Winter Olympics, spammers seem to be only now waking up from their slumber.

Spammers have only recently started using references to the Winter Olympics in their spam email messages, and are offering different promotional schemes for health and weight loss products. The scammers are offering various discounts on the medications that are being offered through spam emails. Upon clicking the URL link provided by the spammers, the user is redirected to an online drug store that sells cheap, discounted “medicines.”...

A massive earthquake struck near the Chilean city of Concepcion in the early hours of the morning of February 27th, 2010. The quake measuring 8.8 on the Richter scale was considerably stronger than the one that recently caused widespread destruction on the island of Haiti. Fortunately, despite the size of this latest quake, so far there has been few reported casualties. The quake occurred near the coast and tsumani warnings were issued for many countries bordering on the Pacific ocean. Unfortunately as with any major news event, miscreants are not slow to pounce when such opportunities arise to further their aims.

Search engine results returned for terms such as “Chile Earthquake” are being poisoned to lead users to rogue...