Symantec Blogs: Security Response

Peter Coogan | November 4th, 2009

The Fragus exploit pack showed up on our radar a few months ago and has been steadily growing to become one of the most prevalent exploit packs being seen in the wild today by Symantec. It is similar to other popular exploit packs available—such as Unique, YES, Eleonore, and Liberty—but it brings some new and interesting features with it. Exploit packages are generally designed as a means to allow attackers to group and serve exploits from their website against the browsers of unsuspecting visitors. It is done in a nice GUI form, hosted on a Web server, and allows the attacker to generally choose which exploits to run. Once exploited, a final payload is served to the system. All of this is dished up in a control panel with some nice statistics on how successful the campaign has been.  

...

Peter Coogan | October 7th, 2009

We thought it might be interesting to provide some additional information on the Butterfly bot kit, following our blog published last week entitled The Mariposa Butterfly. We posted that blog in response to a report that half of the Fortune 100 companies have been compromised by a botnet dubbed Mariposa (Spanish for "butterfly"). The Butterfly bot kit's creator, known as Iserdo, markets the following features of the bot kit in the user manual supplied with the kit (the below snippet is taken directly from the user manual):

a) Features of bot base

1. Polymorphic code and strings
    code related to bot functionality is encoded
    every time with different key, same goes for
    strings
2. Installation into hidden location
    installs into location where it is impossible
    to access with windows explorer...

Peter Coogan | August 25th, 2009

The Zeus crimeware toolkit has been around now for some time and is well established in the underground economy as being an easy-to-use and powerful tool for stealing personal data from remote systems. Initially linked to a group of criminals known as the “Rock Phish” group and targeting worldwide financial institutions, the toolkit has since become widely available both for sale and for free on underground forums.

The following video provides an insight into the Zeus crimeware toolkit, the underground economy, and distribution methods for the Trojan:

...
Peter Coogan | August 14th, 2009

Twitter.com is once again in the media spotlight. This time security researchers at Arbor Networks have found what is thought to be a botnet using Twitter for its command-and-control operations. Obfuscated Twitter status messages (like the ones in the image below) are being used to send out new download links to malware that Symantec calls Downloader.Sninfs.

Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication. Twitter.com has already taken the appropriate action against accounts being used in this way, including suspending the account used in the example above. Our investigation and analysis of Downloader.Sninfs is ongoing but has so far shown that...

Peter Coogan | March 6th, 2009

Symantec’s ongoing monitoring of Downadup (a.k.a. Conficker) has today resulted in the observation of a completely new variant being pushed out to systems that are already infected with Downadup. After taking into account the hype surrounding some other recent reports of variants of Downadup, Symantec is calling this new variant W32.Downadup.C.

Our analysis of the sample in question is still ongoing and at an early stage, but our initial findings have already revealed some interesting new attributes for this sample. It does not seem to be using any existing or new means to spread the threat to new machines. It is targeting antivirus software and security analysis tools with the aim of disabling them. Any processes found on...

Peter Coogan | January 23rd, 2009

With President Obama's inauguration being over, and with Valentine’s Day approaching, it’s no surprise that the Waledac gang have changed their theme to one of love. The Web page shown below is now appearing on some well-known W32.Waledac sites:

At the moment, a file (with the MD5 checksum 35b48da0e6ccfe75443f5f727a8f400a) is being distributed from these sites using one of the file names listed below. Symantec detects these files as...

Peter Coogan | April 7th, 2008

Following on the heels of MayDay, another report indicates a new botnet that is thought to be twice the size of Storm. This claim, however, still has yet to be substantiated. We have contacted the company in question who released the report for further information, but so far have had no response. The botnet, dubbed Kraken, uses encrypted communications, encrypted payloads, polymorphic droppers, and may include redundancy to recover from a command-and-control server being taken offline. Symantec Security Response has come across a sample and has released a new detection named Backdoor.Spakrab to identify this malicious code. However, we have found that computers protected by Symantec antivirus products already have high coverage of this threat as Bloodhound.SONAR.1 and Hacktool.Spammer.

Kraken is thought to be infecting computers by using social engineering methods similar to those used by Storm. The malicious code is believed to be posing as an image file to the user,...

Peter Coogan | December 31st, 2007

After a quiet “Storm” front over Thanksgiving, the Peacomm gang may be trying to make up for it now. The recent spam run, offering Mrs. Claus strip shows, demonstrates that they are back to using their adept social engineering techniques to dupe people into infecting their computers.

However, the Peacomm gang doesn’t seem content with their recent spam run and have launched a new one. Symantec is currently observing a spam run to celebrate New Year 2008. Below is a list of some subject lines seen in the latest spam run:

• A New 2008 Year song
• A New Year song
• A brand New 2008 Year
• A brand New Year
• A fun packed New Year 2008 bash
• A new beginning, a new dawn!
• As the New 2008 Year...
• As the New Year...
• As you embrace another New Year 2008
• Blasting New...

Peter Coogan | November 9th, 2007

The countdown to Nov 11th and the most recently rumored "cyber Jihad" against the West has sparked some other questions. One in particular is the comparison of their individual capabilities for possible denial of service (DoS) attacks.

Symantec’s analysis of the purported DoS tool to be used in this "E-Jihad," known as “E-Jihad 3.0,” has shown it to be crude and unsophisticated. First, it requires a user to manually install it onto a computer. The user must then log into a “cyber-jihadist” Web site through the tool, which sends back attack commands. The Web site in question is currently offline and we believe it may have been since July 2007. Symantec has detection for this tool as Hacktool.Dijah and has set up intrusion prevention system (IPS) blocking.

...

Peter Coogan | August 30th, 2007

The recent release of the eagerly anticipated Bioshock game led to gamers getting another kind of shock. Bioshock is a hybrid first-person shooter/RPG from Irrational Games. A rumor had circulated that the Bioshock game comes loaded with a rootkit. After investigation, Symantec can confirm that this is not true.

The rumor seems to have started after Microsoft’s RootkitRevealer found a “SecuROM” registry setting that it flagged as suspicious after the Bioshock game had been installed. SecuROM just so happens to be owned by Sony, who after all had started the whole rootkit outrage with their music CDs.

The SecuROM installation creates a folder and a registry key with a null character in the name, which prevents users from accessing or deleting the key from the registry. This is to assist with disc authentication and anti-piracy measures. It is, however, not a rootkit.