Symantec Blogs: Security Response

Symantec Security Response | November 11th, 2009

The first iPhone worm, known as iPhoneOS.Ikee, recently hit the news everywhere. Its purpose was to show that jailbroken iPhones had a weakness that was trivially exploitable: an SSH service reachable with an unchanged default password. The consequences of this worm were minor, since the author chose simply to Rickroll the users who became its victims. However, there were many warnings that the publicly released code could easily be altered so that the consequences were not so benign.

Given the implications, and this being a hot topic, reports are now surfacing about a hacktool that can be used to attack jailbroken iPhones. The tool takes advantage of the same default SSH password that iPhoneOS.Ikee does, but, put plainly, it is not another worm. We’re looking at...

Symantec Security Response | November 9th, 2009

On the heels of a similar iPhone attack by a Dutch teenager, an Australian hacker using the same technique has written the first iPhone worm for jailbroken iPhones. The worm has been dubbed “Ikee” and uses the default SSH password of jailbroken iPhones to log in and spread. Please note that this worm does not affect iPhones that have not been jailbroken.

Many users who have jailbroken their iPhones in order to customize them have not changed their SSH password, allowing anyone who can reach the phone over the network to log in. In the case of Ikee, the worm scans random IP ranges and also specifically targets the IP ranges of Optus, Vodafone, and Telstra, the major mobile carriers in Australia. Once a vulnerable iPhone is found, the worm changes the wallpaper to a picture of Rick Astley (a prank known as Rickrolling), deletes the SSH daemon, and begins scanning the network for other vulnerable phones. Note that some of these carrier networks use NAT (network...
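The worm above spreads by nothing more than a successful password login over SSH, so on a jailbroken phone (or any host that should never be reached with a password) the sshd log is the first place to look. The following is an added example, not code from Symantec or from the worm: it parses standard OpenSSH syslog lines and flags every successful password login from a source outside an optional trusted prefix. The log lines are constructed for the example; the trusted-prefix list and the assumption that a password login is always suspect are this example's own choices.

```python
"""Flag SSH password logins on a host that should not be accepting any.

Added example (not Symantec's code). The line format is OpenSSH's standard
syslog output; the sample lines below are constructed for this example.
"""
import re
from collections import Counter

# Constructed sample: three password logins as root/mobile, one failed
# attempt, one key-based login. Addresses are example ranges.
SAMPLE_LOG = """\
Nov  8 23:41:02 iPhone sshd[312]: Accepted password for root from 10.12.44.7 port 54011 ssh2
Nov  8 23:41:09 iPhone sshd[317]: Failed password for root from 10.12.44.7 port 54020 ssh2
Nov  8 23:42:15 iPhone sshd[320]: Accepted password for mobile from 192.168.1.5 port 50112 ssh2
Nov  8 23:43:00 iPhone sshd[325]: Accepted publickey for root from 192.168.1.5 port 50130 ssh2
Nov  8 23:44:37 iPhone sshd[331]: Accepted password for root from 203.0.113.9 port 43188 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for <user>".
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_sshd_log(text):
    """Return one dict per login event (result, method, user, src, port)."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def suspicious_logins(events, trusted_prefixes=()):
    """Successful password logins whose source is not under a trusted prefix.

    With no trusted prefixes every password login is returned, which is the
    right policy for a device whose default password may never have changed.
    """
    prefixes = tuple(trusted_prefixes)
    return [
        e for e in events
        if e["result"] == "Accepted"
        and e["method"] == "password"
        and not e["src"].startswith(prefixes)
    ]


def attempts_by_source(events):
    """Count login attempts (successful or not) per source address."""
    return Counter(e["src"] for e in events)


if __name__ == "__main__":
    evs = parse_sshd_log(SAMPLE_LOG)
    for e in suspicious_logins(evs, trusted_prefixes=("192.168.",)):
        print(f"ALERT: password login as {e['user']} from {e['src']}")
    print(attempts_by_source(evs))
```

Run against a real `/var/log/auth.log` (or the device's syslog) instead of `SAMPLE_LOG`; a single password login as root from a carrier address is enough to warrant changing the password and stopping sshd.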

Symantec Security Response | October 13th, 2009

Malware authors often leave hidden messages in files for analysts to find or for other malware authors to see. However, finding a curse on my whole family in a Flash exploit file came as somewhat of a surprise!

The file in question was being distributed on the Internet circa June of this year and was being hosted on some Chinese domains. After decompressing the file and extracting the ActionScript I saw some Chinese characters used within the script. I don’t speak Chinese myself, so I had one of our engineers who does translate the message:

[image: Warning.jpg]
 
This roughly translates to:

“Dadong declares that: This file is used only for internal technical research, if you decrypt it your whole family will die, if you use it as a part of a Trojan your whole family will die also! If you use this file illegally you take...

Symantec Security Response | September 1st, 2009

Koobface is a worm that infects users by using social engineering attacks. It spreads by abusing social networking websites such as Facebook, Twitter, and MySpace, or by employing search engine optimization (SEO) techniques to lure potential victims to malicious sites.

We have been monitoring Koobface for a while now, and here we have some findings based on analyzing data collected over three weeks. These findings shed some light onto the modus operandi of the gang behind Koobface and the effectiveness of its techniques.

The infrastructure used by the Koobface gang is relatively simple: a central redirection server sends victims to one of the infected bots, where the actual social engineering attack takes place. While the central redirection point has been actively targeted by take-down requests, the Koobface gang has so far been quick to replace suspended domain names and blacklisted IPs with new ones. The figure below shows the timeline of some of the...

Symantec Security Response | July 9th, 2009

Fireworks weren't the only thing going off on the 4th of July. Several U.S. and South Korean government, financial, and media websites were attacked and, at various times, knocked offline. There has been a lot of speculation about the source of the attacks, but here is what we know so far.

We've observed a number of malware components that are responsible for the attacks. W32.Dozer, Trojan.Dozer, W32.Mydoom.A@mm, and W32.Mytob!gen work in tandem to both spread and attack. W32.Dozer, a dropper that contains all the other components within it, is sent by W32.Mytob!gen to email addresses it...

Symantec Security Response | June 30th, 2009

Symantec Security Response has discovered a mass-mailing worm using Michael Jackson's death as bait. The worm sends out spam emails with the subject “Remembering Michael Jackson” and an attachment named “Michael songs and pictures.zip.” The .zip file contains another file called “MichaelJacksonsongsandpictures.doc.exe,” which is a copy of the worm; the double extension disguises the executable as a document, and the worm runs on the user’s machine when the file is opened.
 
Symantec detects this worm as W32.Ackantta.F@mm. Note that W32.Ackantta.F@mm spreads not only through email, but also via removable drives using autorun.inf.
 
Below is a snapshot of the email that W32.Ackantta.F@mm sends out:

[image: sample of the email sent by W32.Ackantta.F@mm]

Symantec Security Response | June 12th, 2009

So says the spam that couldn’t spell Conficker correctly. The spam noted that Symantec was working with Microsoft to create a patch for "Conflicker." According to the spam message, Conficker is also called "Troj/Brisv.A." Wow!

The spam is accompanied by a file named "remtool_conf.exe." The spammers went a step beyond simply spreading their Trojan: this file is actually a genuine Symantec fixtool for Trojan.Brisv bundled with the Trojan. So, when someone runs the file, the real Symantec Brisv fixtool runs while the bundled Trojan does its work alongside it. In this case, the dropped Trojan contacts a remote site in order to download another piece of malware, which is currently detected by Symantec products as Suspicious.MH690.A.

Below is a screenshot of the alleged fixtool file, which even uses the Symantec icon:

[image: screenshot of the fake fixtool file]
...

Symantec Security Response | May 8th, 2009

Andrea Lelli previously posted an analysis of a threat dubbed Trojan.Ransomlock. This threat locks the user’s desktop and relinquishes its hold only when presented with an unlock code. The code, of course, could only be obtained by texting a premium-rate number. An infected user would be presented with a screen resembling the following on a compromised machine:

When the blog was posted, Symantec also released a tool that could be used to generate the unlock code. As could be expected, soon after this tool was released the attackers updated their code generation algorithm. In response, Symantec has created an online version of the tool, which handles all known...

Symantec Security Response | January 9th, 2009

Symantec has observed an increase in infections relating to W32.Downadup over the holiday period and is urging organizations to apply the patch for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability as soon as possible.

A new variant of this threat, called W32.Downadup.B, appeared on December 30th. It not only propagates by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, but also spreads through corporate networks by infecting USB sticks and by logging in to network shares with weak passwords. These propagation methods are nothing new; W32.Spybot, W32.Randex, and W32.Mytob variants all use almost identical methods to spread, but this variant requires more effort to protect corporate networks.
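Both W32.Ackantta.F@mm (above, June 30th) and W32.Downadup.B rely on a dropped autorun.inf to get themselves executed from a removable drive. The following is an added example, not Symantec's code or either worm's: a tolerant parser for autorun.inf that extracts the directives Windows acts on and reports which of them launch an executable. The directive names (`open`, `shellexecute`, `shell\...\command`, `action`) are the documented autorun.inf keys; the sample files and the "fake folder-open prompt" heuristic are this example's own constructions.

```python
"""Report autorun.inf directives that launch a program from a removable drive.

Added example (not Symantec's code). The file contents below are constructed;
the key names are the documented autorun.inf directives.
"""
import re

# Constructed sample imitating what a worm drops on a USB stick: every
# launch directive points at the same binary, and the 'action' text copies
# the wording of Windows' own "Open folder" AutoPlay choice.
SAMPLE_AUTORUN = """\
; junk comment lines and unknown keys are common in malicious copies
[AutoRun]
icon=%SystemRoot%\\system32\\shell32.dll,4
open=songs.exe
shellexecute=songs.exe
shell\\open\\command=songs.exe
useautoplay=1
action=Open folder to view files
"""

# Constructed benign sample: a label and an icon, nothing executed.
BENIGN_AUTORUN = """\
[autorun]
label=Holiday photos
icon=photos.ico
"""

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
SHELL_CMD_RE = re.compile(r"^shell\\.+\\command$")
FAKE_ACTION_RE = re.compile(r"open folder to view files", re.I)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Lines outside the section, lines without '=', comments and mixed case
    are tolerated, since the file only has to satisfy Windows' parser.
    """
    directives = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def launch_directives(directives):
    """Directives that cause a program to run: open, shellexecute, shell\\*\\command."""
    return [
        (k, v) for k, v in directives.items()
        if k in ("open", "shellexecute") or SHELL_CMD_RE.match(k)
    ]


def assess_autorun(text):
    """Return a list of human-readable findings; empty means nothing launches."""
    directives = parse_autorun(text)
    launches = launch_directives(directives)
    findings = []
    for key, value in launches:
        parts = value.split()
        target = parts[0].lower().strip('"') if parts else ""
        if target.endswith(EXEC_EXT):
            findings.append(f"{key} launches {target}")
    # A launch directive whose menu text imitates the built-in folder-open
    # choice is designed to trick the user into running it.
    if launches and FAKE_ACTION_RE.search(directives.get("action", "")):
        findings.append("action text imitates the built-in 'Open folder' choice")
    return findings


if __name__ == "__main__":
    for name, sample in (("worm", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, assess_autorun(sample) or ["no launch directives"])
```

Point `assess_autorun` at the contents of `X:\autorun.inf` from a suspect drive before AutoPlay gets a chance to; an empty list is the only result that should be treated as safe.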
 
...

Symantec Security Response | November 3rd, 2008

It has been nearly two weeks since Microsoft released its patch for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). The problem was rated such a serious risk that Microsoft took the extraordinary step of releasing an out-of-band patch for it.

There was much speculation as to how and when it would be used in worms or other malicious code. Unfortunately, we didn't have to wait long for the first one to appear. First we saw Trojan.Gimmiv.A, which appeared to be already in the wild when the patch was released. However, that Trojan never spread very far because of its weak propagation method: it was controlled manually by the attackers through a channel that was quickly shut down.
 
Then there...

Symantec Security Response | July 3rd, 2008

Well, it's that time of year again and, as is to be expected, malicious code authors are using the occasion to try to lure unsuspecting folks (are there still any around?) into installing their wares. Two examples of spammed emails we have seen so far have these subject lines:

God bless America
Fabulous Independence Day firework

The email body contains a link that follows such enticing phrases as "America for You and Me" and "Happy birthday, America!" The links lead to Web pages containing a still image styled as a fireworks video. Clicking on the image unsurprisingly results in a Trojan.Peacomm.D (a.k.a. Storm) detection, as well as an iframe leading to another file detected as Downloader. Two "bangers" for the price of...

Symantec Security Response | February 26th, 2008

Social networking sites with large user bases are attracting more attention as malicious code propagation vectors these days. There have already been a few worms that have circulated through social networking sites.

This isn’t the first worm on Orkut, and the worm works in a similar manner to its predecessors by using “scraps”, messages considered part of a “scrapbook”. A user receives a scrap from an acquaintance containing a pornographic image that is designed to look like a Flash movie. If the user clicks on the image file, in an attempt to play the “movie”, they are directed to a malicious Web site.

Let us look at some of the steps in the infection process in more detail.

A copy of the malicious scrap is sent to all members listed in the user’s friend list.
The user clicks the Flash-like image, which redirects to a malicious Web site. The malicious Web site contains JavaScript which composes the same scrap and sends it to all...

Symantec Security Response | February 12th, 2007

Emperor Entertainment Group: From sex photo scandal to Web site being hacked, key word: protect the data on your hard drive.

It's probably not the best way to advertise privacy protection, but it's indeed something that should ring a bell for those who leave their portable devices unattended or unsecured.

Rumor has it that Edison Chan, the popular celebrity from Hong Kong, had data stolen from his personal laptop. Now under normal circumstances, this would be bad enough. However, it turns out Mr. Chan had taken hundreds of pictures and videos of over 14 female celebrities in various states of dress and involved in various sexual acts, and stored this data on his computer. The stolen data has since spread quickly over the Internet.

Earlier today the Emperor Entertainment Group's Web site - the group that several of the victims have contracts with - was hacked by someone calling themselves "blspi" with the following message in Chinese, "...

Symantec Security Response | January 23rd, 2007

While we often report on the number of infections we’re seeing for a threat and what our honeynets are catching, we haven’t often shared the numbers on the amount of malicious code we’re seeing via Symantec’s antispam solutions. With Trojan.Peacomm still very much on the prowl and repeatedly blasting spam in short bursts of five to ten minutes, we thought we’d share some of our statistics on the malware we see being spammed around the globe. All of the numbers below are from December 22, 2006 to January 22, 2007.

...

Symantec Security Response | December 19th, 2006

A new worm has been discovered that targets Skype, the voice-over-IP (VoIP) telephone application. The worm uses the Skype Control API to send text chat messages containing a malicious link to other Skype users. We highlighted the possibility of the Skype API being used as an infection vector for malicious code in a blog article in May of this year: http://www.symantec.com/enterprise/security_response/weblog/2006/05/vulnerabilities_of_the_skype_a.html

However, in this case the security measures implemented by Skype have not been bypassed programmatically. Instead, the worm relies on the user: it pleads via a pop-up message box to "Allow this program in skype," and only if the user agrees does the API access go through.

[image: skype1.jpeg]

On a live...