Symantec Blogs: Security Response

Symantec Security Response | October 13th, 2009

Malware authors often leave hidden messages in files for analysts to find or for other malware authors to see. However, finding a curse on my whole family in a Flash exploit file came as somewhat of a surprise!

The file in question was being distributed on the Internet around June of this year and was hosted on some Chinese domains. After decompressing the file and extracting the ActionScript, I saw some Chinese characters used within the script. I don't speak Chinese myself, so I had one of our engineers who does translate the message:

[Image: Warning.jpg, the message as it appears in the extracted ActionScript]
This roughly translates to:

“Dadong declares that: This file is used only for internal technical research, if you decrypt it your whole family will die, if you use it as a part of a Trojan your whole family will die also! If you use this file illegally you take...
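The "decompressing the file and extracting the ActionScript" step above is routine for SWF triage, so here is an added example of it in Python (this is not Symantec's tooling and not code from the exploit file). It unpacks an FWS or CWS container, walks the tag list, and pulls printable ASCII and UTF-8 strings out of the tags that carry ActionScript bytecode (DoAction, DoInitAction, DoABC), which is where a message like the one translated above would surface. The SWF it parses is constructed inline with a made-up Chinese string so the script runs offline; real samples are handled the same way by passing their bytes to `decompress_swf`.

```python
"""Added example, not Symantec's code: unpack a compressed SWF, walk its tag
list, and extract string literals from ActionScript-bearing tags.
The sample SWF below is constructed inline so the script runs offline."""
import re
import struct
import zlib

# Tag codes that carry ActionScript bytecode (from the SWF file format spec).
DO_ACTION = 12
DO_INIT_ACTION = 59
DO_ABC = 82
SCRIPT_TAGS = {DO_ACTION: "DoAction", DO_INIT_ACTION: "DoInitAction", DO_ABC: "DoABC"}


def decompress_swf(data: bytes) -> tuple[int, bytes]:
    """Return (version, uncompressed body) for an FWS or CWS file.

    The 8-byte header (signature, version, total uncompressed length) is
    never compressed; for CWS everything after it is one zlib stream.
    ZWS (LZMA, SWF 13+) is deliberately left out of this example.
    """
    sig, version = data[:3], data[3]
    length = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise NotImplementedError("ZWS (LZMA) is not handled in this example")
    else:
        raise ValueError(f"not a SWF: {sig!r}")
    if len(body) + 8 != length:
        raise ValueError("header length does not match decompressed size")
    return version, body


def iter_tags(body: bytes):
    """Yield (code, payload) for each tag after the RECT/frame-rate/frame-count header."""
    nbits = body[0] >> 3                   # RECT starts with a 5-bit Nbits field
    pos = (5 + 4 * nbits + 7) // 8         # RECT is 5 + 4*Nbits bits, byte-padded
    pos += 4                               # 16-bit frame rate + 16-bit frame count
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                 # long form: explicit 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                      # End tag closes the list
            break


# Runs of 4+ printable ASCII bytes or well-formed multibyte UTF-8 sequences.
_UTF8_RUN = re.compile(
    rb"(?:[\x20-\x7e]|[\xc2-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf]{2}"
    rb"|[\xf0-\xf4][\x80-\xbf]{3}){4,}"
)


def script_strings(body: bytes) -> list[str]:
    """Collect string literals from every tag that carries ActionScript."""
    found = []
    for code, payload in iter_tags(body):
        if code not in SCRIPT_TAGS:
            continue
        for m in _UTF8_RUN.finditer(payload):
            try:
                found.append(m.group().decode("utf-8"))
            except UnicodeDecodeError:     # overlong or surrogate byte runs
                pass
    return found


def build_sample_cws(message: str) -> bytes:
    """Constructed CWS with a single DoAction tag that pushes `message` (not a real sample)."""
    text = message.encode("utf-8")
    # ActionPush (0x96): length of data = type byte + string + NUL; type 0 = string
    push = b"\x96" + struct.pack("<H", 2 + len(text)) + b"\x00" + text + b"\x00"
    payload = push + b"\x00"               # ActionEnd terminates the action list
    tag = struct.pack("<H", (DO_ACTION << 6) | len(payload)) + payload
    end = struct.pack("<H", 0)             # End tag, zero length
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tag + end   # RECT(0 bits), 12 fps, 1 frame
    header = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + zlib.compress(body)


if __name__ == "__main__":
    # Constructed message, chosen only to exercise the UTF-8 path.
    sample = build_sample_cws("仅供内部技术研究")
    ver, body = decompress_swf(sample)
    print(f"SWF v{ver}, {len(body)} bytes after decompression")
    for code, payload in iter_tags(body):
        print(f"tag {code} ({SCRIPT_TAGS.get(code, 'other')}), {len(payload)} bytes")
    for s in script_strings(body):
        print("string:", s)
```

The length check after decompression is worth keeping: samples padded with trailing junk, or truncated in transit, fail it immediately rather than producing a half-parsed tag list. For DoABC tags the strings live in the ABC constant pool, so a regex sweep finds them but a full disassembly (for example with a dedicated SWF/AVM2 tool) is needed to see how they are used.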

Symantec Security Response | September 1st, 2009

Koobface is a worm that relies on social engineering to infect users. It spreads by abusing social networking websites such as Facebook, Twitter, and MySpace, or by employing search engine optimization (SEO) techniques to lure potential victims to malicious sites.

We have been monitoring Koobface for a while now, and here are some findings based on analyzing data collected over three weeks. These findings shed some light on the modus operandi of the gang behind Koobface and the effectiveness of its techniques.

The infrastructure used by the Koobface gang is relatively simple: a central redirection server sends victims to one of the infected bots, where the actual social engineering attack takes place. While the central redirection point has been actively targeted by take-down requests, the Koobface gang has so far been quick to replace suspended domain names and blacklisted IPs with new ones. The figure below shows the timeline of some of the...

Symantec Security Response | August 16th, 2009

We posted a blog, "Twittering Botnets," a few days ago that gave details of malware that receives obfuscated URLs from Twitter messages. This malware is detected as Downloader.Sninfs. That post also predicted that alternative sites could be used in the same fashion, and unfortunately this prediction has come true.

A new variant of this threat has emerged that uses not only Twitter but also another social networking and micro-blogging site, Jaiku.com. Symantec detects this Trojan as Downloader.Sninfs.B.

Like the previous variant, Downloader.Sninfs.B also attempts to get URLs from obfuscated Twitter status messages. However, if that attempt fails, the Trojan will use the...