Once again Zeus is up to its old tricks with a new twist. The latest spam run informs users that their latest Social Security statement is available but it may contain errors. The subject of the mail will be something like “Review annual Social Security statement“ and the body warns of a potential identity theft risk and asks you to review your annual statement at the link they provide.
Figure 1. An example of the Spam
If you follow this link you will arrive at the following page:
It’s well known that malware is growing more sophisticated, but few threats have had us scratching our heads like Trojan.Clampi. In order to remove the mystery around this threat, Security Response will be publishing a series of blogs talking about various aspects of Clampi. As an introduction, we’d like to present a brief overview of the threat.
Distribution
Trojan.Clampi has been around for a number of years now. During this time it has gone through many iterations, changing its code with a view to avoid detection and also to make it difficult for researchers to analyze.
From our analysis it seems that Clampi has mainly affected machines in the US. Clampi infection rates seem to be skewed towards countries where English is the primary language. This may indicate the first infections were as a result of malicious drive-by attacks on...
A few days ago we wrote about how Downloader.Sninfs is using Twitter as part of its command and control infrastructure. How the threat uses this is quite interesting. Here’s an example of a Twitter account used by this threat:
This is a pretty standard Twitter page, but the message is unusual. It turns out that this message is a base64-encoded string that contains two URLs. These URLs are:
Recently we came into possession of an Adobe Acrobat PDF file that upon opening drops and executes a malicious binary. It was quite clear that this PDF was exploiting some vulnerability in order to drop its payload. And, during the analysis it soon became apparent that this vulnerability was not one we had seen in the wild before. What was even more surprising was that this vulnerability affects Adobe Flash—not Adobe Reader as we initially suspected.
An issue in Adobe Flash is more serious. Most vulnerabilities are confined to one technology; for example, a vulnerability may affect a particular browser or a particular operating system, but it is rare for a vulnerability to span multiple platforms and products. This is not the case with Flash. Flash exists in all popular browsers and is also available in PDF documents. It is also largely operating system independent; therefore, the threat posed by this issue is not to be taken lightly. Flash has become an integral part...
