Did I just say that? Usually security researchers hate obfuscation. But I say, let them obfuscate more!
Obfuscation is a loosely defined term, but it basically refers to a method of concealing your exploit code to avoid detection. Attackers employ various techniques and methodologies to achieve obfuscation. Some techniques are very clever and take even the most seasoned security researcher by surprise. In most cases, attackers try to obfuscate their exploit by stretching the limits of the language or protocol they are using. Some take advantage of the detection engine limitations as well.
Today many detection engines parse files and network streams to detect vulnerabilities and odd behavior by using pattern-matching algorithms. However, in many cases the detection logic used has some limitations and assumptions built in. Some limitations stem from the architecture of the detection engine, and some stem from the risk of a false positive. In this cat and mouse game,...
The Zeus crimeware toolkit has been around now for some time and is well established in the underground economy as being an easy-to-use and powerful tool for stealing personal data from remote systems. Initially linked to a group of criminals known as the “Rock Phish” group and targeting worldwide financial institutions, the toolkit has since become widely available both for sale and for free on underground forums.
The following video provides an insight into the Zeus crimeware toolkit, the underground economy, and distribution methods for the Trojan:
Recently, Twitter implemented technology to help stem the threat of malicious URLs being propagated through its service. This appears to be a serious effort on the part of Twitter to prevent attackers from tweeting malicious links.
It appears as if the tool is filtering tweets and comparing any embedded URL to their list of known malicious sites. Trying to determine whether a URL points to a malicious website in a large-scale automated fashion, especially in today’s threat landscape, is a challenging problem. From my perspective, there are a few issues that need to be worked out. Twitter is likely in the nascent stages of addressing these types of issues and we expect they will try to overcome the associated limitations.
To date we've only seen a relatively small number of attack attempts involving malicious URLs on Twitter. URL-shortening services are often at the heart of these types of attacks as bad guys try to take advantage of the system to disguise...
Many years ago I worked in the network router business. Back then, as a product manager, I wrote datasheets. Yeah, exciting stuff, but you have to start somewhere. There were these datasheets—the backs of them always contained what we called the "speeds and feeds," which included the different types of connections the router supported, the different protocols, and the performance numbers. If you knew nothing about routers and networking protocols it must have looked like just a bunch of incomprehensible numbers.
When I look through some versions of the Symantec Internet Security Threat Report I can’t help but think of those speeds and feeds I used to write. You could look at the data in the ISTR as just a bunch of numbers. One of the things I like about the ISTR, though, is how easy to read and accessible it is, so my speeds-and-feeds analogy breaks down here. I think it is likely that some people do look at the report as a bunch of numbers and find it...
We posted a blog "Twittering Botnets" a few days ago that gave details of malware that receives obfuscated URLs from Twitter messages. This malware is detected as Downloader.Sninfs. This blog also made a prophecy that alternative sites could be used in the same fashion, and unfortunately this one has come true.
A new variant of this threat has emerged that uses not only Twitter, but also another social networking and micro-blogging site, Jaiku.com. Symantec detects this Trojan as Downloader.Sninfs.B.
Like the previous variant, Downloader.Sninfs.B also attempts to get URLs from obfuscated Twitter status messages. However, if that attempt fails, the Trojan will use the...
In a previous post I provided an overview of W32.Waledac’s functionality, tactics, origin, and connections. This time, I will look at the bootstrap mechanisms and armoring techniques Waledac uses to sustain and protect itself.
Installation
When a Waledac executable is installed, it turns the compromised system into a zombie that acts as an agent for the botnet. It creates a window named fhfhkjfhwefkwj and registers itself with the class name jfkljfilfj23fi32io. As a self-starting mechanism, it also adds one of the following entries to the registry so that it runs whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[PATH TO EXECUTABLE]"
Or:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[PATH TO EXECUTABLE]...