Symantec Blogs: Security Response

Eric Chien | November 18th, 2009

Zeus is a botnet package that allows for the easy creation and command and control of a botnet.  We've discussed Zeus previously in Zeus, King of the Underground Crimeware Toolkits. The main purpose of Zeus is to steal online credentials such as online banking passwords, but it can be configured to steal passwords from any online site. 

Today, the BBC is reporting that police in the UK have arrested two suspects in relation to Zeus. While the details are preliminary, the two likely appear to be users of the Zeus botnet package rather than the actual creators, and thus the prevalence and usage of Zeus is likely to continue.

We've created a research paper providing more in-depth information on Zeus, including how the bot is created, what functionality it has, and additional screenshots on...

Eric Chien | March 23rd, 2009

As the April 1 payload delivery date nears for W32.Downadup.C (also known as Conficker) speculation continues on whether the payload will be one big April Fool’s joke, or the equivalent of a cyber Pearl Harbor. While we can’t predict the future with certainty, we can look at the motivations of past Downadup variants to postulate that the payload will likely be something between the two extremes.

The first Downadup variant (.A) provides the best evidence of the motivations of the Downadup authors. In a similar fashion to the recent Downadup variant, Downadup.A had a payload delivery date after its initial release, on December 1, 2008. Downadup.A attempted to download its payload file from hxxp://trafficconverter.biz/4vir/antispyware/loadadv.exe. While Downadup.A was never able to download its payload because the payload site was shut down, the...

Eric Chien | February 18th, 2009

Editor’s Note: This is the seventh installment of a multi-part series on specific and interesting aspects of W32.Downadup.

While Downadup’s RPC exploit method of spreading has been highlighted in several recently posted blog articles, the worm spreads via other methods as well. One of the potentially more noticeable methods is through network shares, especially in enterprise environments.

Downadup attempts to copy itself to other machines using the administrative network share (ADMIN$) that exists by default on Microsoft Windows machines. However, copying itself to the share requires authentication. This requirement leads to some noticeable...

Eric Chien | February 2nd, 2009

In a previous blog entry we mentioned some of the press reports regarding Bankpatch and Nadebanker. We wanted to follow up with some additional insight on these threats.

Bankpatch is customized to target certain regions and certain banks, most recently with activity in Denmark. Our latest “heatmap” of infections shows Denmark as being still quite red when compared to other countries.


...

Eric Chien | January 30th, 2009

Reports about Trojan.Bankpatch.C, a sophisticated online banking Trojan, have been hitting the news wires in Denmark. The first version of this threat was released in 2007 and the latest .C variant in August of 2008.  

However, the life of the threat continues today as the authors continue to distribute the threat and update plug-in modules that target specific banks. Most recently they’ve seen some success in Denmark deploying modules specifically focused on obtaining online banking credentials for numerous Danish banks. While Symantec is continuing deeper analysis of the threat’s latest actions and modules, we wanted to provide a high-level overview of the threat.

Usually Bankpatch will arrive via a popular means of infection such as Web pages hosting exploits against Internet Explorer and third-party browser plug-in...

Eric Chien | January 28th, 2009

Editor’s Note: This is the sixth installment of a multi-part series on specific and interesting aspects of W32.Downadup.

Among other methods, Downadup infects other machines via a remote procedure call (RPC) exploit against the MS08-067 vulnerability. Using the vulnerability, the worm injects shellcode that connects back to the infecting machine. This is known as a back-connect. The back-connect works via HTTP on a randomly selected port and the infecting machine responds to incoming requests by providing the entire worm file. The shellcode receives this file and executes it on the remote host, causing it to then become infected.

...
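The back-connect described in the January 28th excerpt leaves a distinctive pair of connections: host A reaches host B on the RPC/SMB port (445/tcp for the MS08-067 Server service), and seconds later B opens an HTTP connection back to A on an arbitrary high port to fetch the worm body. The following is an added example, not Symantec's code or anything from the Downadup write-up, that correlates the two over a constructed connection log. It assumes a flow sensor that labels the application protocol independently of the port (otherwise HTTP on a random port is invisible), and the 30-second window is an assumption chosen for the sample data.

```python
"""Correlate an RPC exploit attempt with the HTTP back-connect that follows.

Added example. The connection records below are constructed for this page and
are not Symantec telemetry. Each record is: timestamp, source IP,
destination IP, destination port, and the application protocol the sensor
identified (assumption: protocol labels come from payload inspection, so HTTP
on 47123/tcp is still labelled "http").
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2009-01-28T10:00:01 10.0.0.5 10.0.0.9 445 smb
2009-01-28T10:00:03 10.0.0.9 10.0.0.5 47123 http
2009-01-28T10:05:00 10.0.0.7 10.0.0.8 80 http
2009-01-28T10:06:00 10.0.0.5 10.0.0.12 445 smb
2009-01-28T10:06:02 10.0.0.12 10.0.0.5 8080 http
2009-01-28T11:00:00 10.0.0.3 10.0.0.9 445 smb
2009-01-28T11:30:00 10.0.0.9 10.0.0.3 51000 http
"""

WINDOW = timedelta(seconds=30)       # assumption: back-connect follows within seconds
STANDARD_HTTP_PORTS = {80, 443}      # assumption: ordinary web traffic to ignore
RPC_PORT = 445                       # MS08-067 is reached over the SMB transport


def parse_log(text):
    """Parse the whitespace-separated records into typed tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return records


def find_backconnects(records, window=WINDOW):
    """Return (exploit_time, attacker, victim, backconnect_port) for each pair of
    connections where B -> A HTTP on a non-standard port follows A -> B on 445
    within `window`. Direction reversal is the key signal: the victim is the one
    initiating the HTTP request, and the attacker is the one serving the file."""
    smb_by_pair = defaultdict(list)  # (attacker, victim) -> timestamps of 445 contacts
    for ts, src, dst, port, proto in records:
        if port == RPC_PORT and proto == "smb":
            smb_by_pair[(src, dst)].append(ts)

    hits = []
    for ts, src, dst, port, proto in records:
        if proto != "http" or port in STANDARD_HTTP_PORTS:
            continue
        # Look up the reversed pair: dst was the attacker, src the victim.
        for smb_ts in smb_by_pair.get((dst, src), []):
            if timedelta(0) <= ts - smb_ts <= window:
                hits.append((smb_ts.isoformat(), dst, src, port))
                break
    return hits


if __name__ == "__main__":
    for when, attacker, victim, port in find_backconnects(parse_log(SAMPLE_LOG)):
        print(f"{when}: {attacker} exploited {victim}; back-connect on {port}/tcp")
```

On the sample data the 10:00 and 10:06 pairs match; the 11:00 SMB contact is not paired with the HTTP connection half an hour later, which is the expected behaviour of the window, not a weakness. Tune the window and the port allow-list to the environment before trusting the output.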
Eric Chien | January 23rd, 2009

Editor’s Note: This is the fifth installment of a multi-part series on specific and interesting aspects of W32.Downadup.


The ability of a threat to widely replicate often depends on its algorithm of finding other computers on the Internet, which are represented by an IP address. Downadup uses a variety of techniques to scan for new machines in order to maximize its infection abilities and at the same time minimize the chance of being noticed on a host.

Brute-force network scanning can cause noticeable slowdowns and network issues on the infected machine. Downadup attempts to limit its impact in two ways. Firstly, the worm contacts two well known websites and calculates the computer’s average bandwidth, then uses this value to configure how many simultaneous remote procedure call (RPC) exploit scans are allowed at one time. Secondly,...

Eric Chien | January 19th, 2009

Editor’s note: This is the first article in a multi-part series on specific and interesting aspects of W32.Downadup. 

While many researchers, including us, are speculating on the magnitude of infections from Downadup (a.k.a. Conficker), we are also all waiting for the other shoe to drop. At this point, Downadup has replicated to potentially millions of machines but there has been no additional payload—yet. Ten years ago, just replicating was enough motivation in creating malicious code, while today the vast majority of malware has a monetary motivation. Based on previous variants and characteristics of the code, we believe the worm is associated with a well known malware gang that has previously distributed a variety of adware, and more recently misleading applications (a.k.a. rogue antispyware products).

The worm actually...

Eric Chien | July 4th, 2007

The MPack toolkit has received a fair amount of media attention, causing it to become one of the most desired Web browser exploit toolkits in the underground hacker scene. The original author was selling the MPack toolkit for $1000 USD, including a year of free support, and additional exploit modules for around $100 USD.

However, considering the toolkit is written in a script language, it is easy to redistribute and modify. The toolkit is being sold by others now for as low as $150 USD. That is a whopping 85% off. Talk about a clearance sale. The sellers likely didn't even need to buy it themselves, but rather probably found some of the multiple Web sites that did not employ standard Web site protections, allowing them to download the whole kit for free.

With the toolkit available in the underground scene and even available to almost anyone for a mere...

Eric Chien | March 15th, 2007

One of the principles behind malware is that it follows technology and mainstream culture. If ninety percent of the world was using the EricOS, the vast majority of threats would be designed to run on the EricOS because otherwise the threat would have nothing to infect.

In China, online computer usage patterns affect the types of malware Symantec sees there. In particular, if you walk into an Internet cafe in China, rarely do you see people using search engines like Google or on Web sites like MySpace. Instead, the vast majority of people have headphones on and are playing online games such as Lineage or World of Warcraft.

Thus, Symantec sees a lot of Infostealers that attempt to steal credentials for these types of online games. Once credentials are stolen, the hacker logs into the account, steals the virtual items, and then attempts to sell them for real money through various boards outside the virtual gaming world.

An example of this threat is Lingling (...

Eric Chien | March 7th, 2007

Symantec has recently received a phishing email that makes use of an interesting technique of hiding a phishing site URL. When receiving a suspected phishing message, one of the methods of determining if the embedded URLs are legitimate or not is to simply pass your cursor over the underlined hyperlink and then check the URL in the status bar of your browser. In the status bar, you can see if the link belongs to the appropriate domain or not.

Using JavaScript, one can alter the text in the status bar. So, when browsing on the Web in general, this isn't always a reliable technique to verify the underlying URL. However, when receiving an HTML email in an email client (including Webmail), JavaScript is generally neutered so it does not execute. That prevents obfuscation of the status bar via JavaScript and makes the hover check more reliable in email. However, the phishing message we recently received is able to modify what is displayed in the status bar...
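Because what the client shows in its status bar can be manipulated, the more robust version of the hover check is to compare, in the message source itself, the host a link displays against the host its href actually targets. The following is an added example and not the phishing message Symantec received nor any Symantec tooling; the HTML body is constructed for the example, and the "registrable domain" comparison uses the last two labels as a stand-in for a public-suffix list, which is an assumption that will misfire on suffixes such as co.uk.

```python
"""Flag HTML e-mail links whose visible text claims a different host than the href.

Added example. SAMPLE_EMAIL is a constructed message, not a real phishing
sample: one honest link, one link to a bare IP address, and one link whose
displayed host is a prefix of a longer attacker-controlled name.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
<p>Dear customer, please <a href="http://login.examplebank.example/">sign in</a>.</p>
<p>Or use <a href="http://203.0.113.9/update">http://www.examplebank.example/update</a></p>
<p>Support: <a href="http://examplebank.example.attacker.example/help">
www.examplebank.example/help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Return the host the link text claims, or None when the text is not URL-like
    (plain words such as "sign in" cannot be checked this way)."""
    candidate = text.strip()
    if " " in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = (urlparse(candidate).hostname or "").lower()
    return host if "." in host else None


def registrable_part(host, labels=2):
    """Crude registrable domain: the last two labels. Assumption: no public-suffix
    list is available offline, so names under suffixes like co.uk will compare wrongly."""
    return ".".join(host.split(".")[-labels:])


def find_deceptive_links(html):
    """Return one finding per link whose displayed host does not match the href host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = (urlparse(href).hostname or "").lower()
        shown = displayed_host(text)
        if shown is None:
            continue
        try:
            ipaddress.ip_address(actual)
            reason = "href is a bare IP address"
        except ValueError:
            if registrable_part(actual) == registrable_part(shown):
                continue
            reason = "href host differs from displayed host"
        findings.append({"shown": shown, "actual": actual, "href": href, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL):
        print(f"{f['reason']}: shows {f['shown']}, goes to {f['actual']}")
```

The check deliberately skips anchors whose text is not URL-like; a link reading "sign in" gives nothing to compare, and those still need the hover check or, better, a policy of never following credential links from mail at all.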

Eric Chien | March 5th, 2007

Recently, a new IRCbot known as Rinbot has been making the news. There are multiple variants of Rinbot (over 20 at the time of writing) and more variants are likely. However, to put Rinbot in perspective, the largest family of bots known as Spybot already has over 30,000 variants. In addition, Rinbot does not introduce any new functionality and, in fact, contains far less default functionality than the average Spybot. Based on the spread of previous variants, we don't foresee a large worldwide outbreak of Rinbot at this time. Nevertheless, just one bot infection on your network can pose trouble.

So, people shouldn't overreact to any threat posed by Rinbot itself, but instead use this opportunity to ensure they are taking proactive steps to address possible...

Eric Chien | February 28th, 2007

Soon after information was released about a vulnerability in the in.telnetd daemon in Solaris 10, Symantec's Deepsight monitoring system began to see spikes in port 23 traffic. Most of this traffic was due to people scanning for vulnerable systems. However, yesterday we saw a renewed spike in traffic that has been correlated to a worm known as Wanuk, which uses the vulnerability to spread.

[Figure 1: wanuk_fig1.jpg, port 23 traffic as seen by DeepSight]

Once Wanuk is on the system, it drops an executable that creates a /bin/sh back door, which listens on port 32982/TCP. In addition, Wanuk's payload includes sending out system broadcast messages of creatively...

Eric Chien | February 26th, 2007

A variety of bulletin boards are being spammed with the message to visit mailfreepostcards.com (don't visit that domain!) for a fun video. However, when visiting that site, users are prompted to download an executable. Message board spam is nothing new, but what is different about this message board spam is the spam text is actually integrated into legitimate messages posted by real users.

Posters are infected with an updated version of Trojan.Mespam, which is downloaded by Trojan.Peacomm. This threat has the ability to watch all your network traffic via a layered service provider (LSP) and when it notices you posting to a bulletin board, it modifies your posting to include the spam text.

Trojan.Mespam can not only inject text into...

Eric Chien | January 25th, 2007

While Trojan.Peacomm (aka Storm Worm) received its alias because of unprecedented storms that battered Europe, the threat deserves the name more because Peacomm itself is the perfect storm. Peacomm is a combination of an open source email worm, a file infecting virus, a polymorphic packer, a spam relay, a rootkit, and a botnet that operates over a peer-to-peer network. In the history of malicious code, we have never seen a malicious threat that contains a handful of these characteristics let alone all of them. Thus, the perfect storm.

We've been tracking Peacomm over the week and wanted to provide a high level summary of how Peacomm spreads and some of the unique and interesting aspects of Peacomm, including how it uses peer-to-peer communication with the ultimate goal of sending out spam.

In late December and early January, the authors of Peacomm...