Symantec Blogs: Security Response

Patrick Fitzgerald | October 29th, 2009

While looking through some recent customer submissions, a particular filename caught my attention: “googlewaveinvitegenerator.exe”. Google Wave is a new communication application being developed by Google. Many people who missed the initial sign-up for this application are now seeking invites to the service. Certain bad guys have latched onto this and are attempting to take advantage of the situation to push malware. In this case the malware in question is Backdoor.Tidserv. It’s also worth pointing out that Google Wave was only selected because of its current popularity. Using a trusted brand like this also increases the chance of success for the attacker. This technique is something we see all of the time.

This particular campaign tries to trick people who want to get into the Google Wave community by promising not only an application that generates Google Wave invites, but also untold riches by selling these invites to other people who want to...

Patrick Fitzgerald | September 25th, 2009

It’s well known that malware is growing more sophisticated, but few threats have had us scratching our heads like Trojan.Clampi. In order to remove the mystery around this threat, Security Response will be publishing a series of blogs talking about various aspects of Clampi. As an introduction, we’d like to present a brief overview of the threat.

Distribution
Trojan.Clampi has been around for a number of years now. During this time it has gone through many iterations, changing its code with a view to avoiding detection and also to making it difficult for researchers to analyze.

From our analysis it seems that Clampi has mainly affected machines in the US. Clampi infection rates seem to be skewed towards countries where English is the primary language. This may indicate the first infections were a result of malicious drive-by attacks on...

Patrick Fitzgerald | August 17th, 2009

A few days ago we wrote about how Downloader.Sninfs is using Twitter as part of its command and control infrastructure. How the threat uses this is quite interesting. Here’s an example of a Twitter account used by this threat:


This is a pretty standard Twitter page, but the message is unusual. It turns out that this message is a base64-encoded string that contains two URLs. These URLs are:

http://bit.ly/17a3tS
http://bit.ly/3CHn

These URLs are using the bit.ly URL-shortening service. These URLs redirect to:

...

Patrick Fitzgerald | July 22nd, 2009

Recently we came into possession of an Adobe Acrobat PDF file that, upon opening, drops and executes a malicious binary. It was quite clear that this PDF was exploiting some vulnerability in order to drop its payload, and during the analysis it soon became apparent that this vulnerability was not one we had seen in the wild before. What was even more surprising was that this vulnerability affects Adobe Flash, not Adobe Reader as we initially suspected.

An issue in Adobe Flash is more serious. Most vulnerabilities are confined to one technology; for example, a vulnerability may affect a particular browser or a particular operating system, but it is rare for a vulnerability to span multiple platforms and products. This is not the case with Flash. Flash exists in all popular browsers and is also available in PDF documents. It is also largely operating-system independent; therefore, the threat posed by this issue is not to be taken lightly. Flash has become an integral part...

Patrick Fitzgerald | April 9th, 2009

Once again we find ourselves sucked into a maelstrom of questions and uncertainty surrounding the threat W32.Downadup, which is now a household name (just in case you haven’t heard of it, it’s also known as Conficker). I’m sure that the people working in the security industry can marvel at their loved ones finally taking an interest in their job, which for once has gone past feigned interest and polite smiles. So, what have the little scamps behind W32.Downadup been up to this time?

Yesterday, Brian Ewell wrote about new developments regarding W32.Downadup in his blog entry entitled Downadup + Waledac. That blog mentioned some differences in functionality and put forward a possible association with Waledac. Today’s post will provide some more details about these differences.

We observed W32.Downadup downloading a binary over its...

Patrick Fitzgerald | February 23rd, 2009

Over the last few days many reports have emerged concerning a new variant of Downadup (a.k.a. Conficker), which has been dubbed Downadup.B++ or Conficker.C. While one could categorize Downadup into three variants (or even more), Symantec products will detect all known variants of Downadup as either Downadup.A or Downadup.B.


Unfortunately, in addition to differences in names, variant differentiation also differs between vendors. Some vendors have a different detection for every single Downadup binary with a differing MD5 hash, resulting in more than 30 different Downadup “variants.” Others don’t differentiate at all and just have a single name with no variant differentiation.


However, the important point regarding Downadup is not whether this is another variant, but rather whether it is a new variant; i.e., whether it has been released recently. Fortunately, Downadup.B++ / Conficker.C is not a newly...

Patrick Fitzgerald | February 16th, 2009

Polymorphic file-infectors have been around for a long time, with possibly the first one surfacing in 1990. This has proven to be an effective technique that malicious code authors have employed to give their code a better chance of survival in the wild. Since this type of threat showed up, there has been a struggle between security vendors and malware writers. Every advance in antivirus prompted the malicious code authors to come up with new and imaginative ways to thwart these efforts, and vice versa.


Currently we are seeing an outbreak of a particularly sinister file-infector, known as W32.Virut.CF. This threat has already compromised corporate networks and is proving difficult to remove from infected networks. Once this threat infiltrates a network it can spread quite quickly using open network shares. So, what is it that sets...

Patrick Fitzgerald | February 9th, 2009

Up until recently, Waledac’s main purpose had been to peddle performance-enhancing pharmaceuticals by sending large runs of unsolicited mail to thousands of unwilling recipients. Today we noticed a shift in this trend. In addition to sending large volumes of spam, Waledac is now distributing misleading applications. In our testing we noticed that the misleading application that is installed this time around is MS AntiSpyware 2009. You can see the standard social engineering techniques used by this program in the following screenshot:


While somewhat surprising, it’s not entirely unexpected that this worm is...

Patrick Fitzgerald | January 20th, 2009

Editor's Note: This is another installment of a multi-part series on specific and interesting aspects of W32.Downadup.

Downadup has been the most prolific worm that we have seen for some time. While, as part of this series, we are documenting some of the more interesting technical sides of this threat, other non-technical aspects of this threat also present noteworthy issues. The map below shows the top 10 countries ranked by infection prevalence:


Figure 1. Top 10 countries ranked by W32.Downadup infections

(Source: Symantec Corporation)

...

Patrick Fitzgerald | November 22nd, 2006

Malware is becoming increasingly complex. Take Rustock.B for example: this threat goes above and beyond to prevent analysis and detection. A blog article is probably too small a space to describe everything Rustock does technically, but you shouldn’t be surprised, considering its complexity, that Rustock has a clear financial motive. In particular, apart from hiding itself with advanced rootkit techniques, the primary goal of this threat is to send a lot of spam. Because we capture spam such as this, it allows us to update our email security products, such as Brightmail AntiSpam. In addition to pharmaceuticals, mortgages, and imitation product spam, Rustock has also sent stock-based spam. Stock-based spam usually consists of some random text, followed by an image, followed by more random text. Below is an example of one of the...

Patrick Fitzgerald | October 19th, 2006

Many of the new threats seen today aren’t advancements in their own right; rather, they just take advantage of advancements in technology. For example, VBScript enables programs to be written quickly, but also makes writing malware extremely easy. Remember VBS.LoveLetter, also known as the “I-Love-You” worm? This was a mass-mailing worm that ultimately ended up causing millions of dollars’ worth of damage because of crashed servers, not to mention the punitive damages caused by files being overwritten. While VBScript gave administrators the ability to perform more robust tasks via scripting, developers need to be aware of the possible detrimental effects of these new technologies. For example, after VBS worms became widespread, Microsoft required user consent before a script could harness Microsoft Outlook to send itself, thereby neutering that attack vector.

Another seemingly innocuous feature has been extremely useful to some malware writers. The advent of...