Symantec Blogs: Security Response

Takashi Katsuki | September 8th, 2009

Because PDF-related threats are on the increase in the wild, my colleagues and I have been focusing on the investigation into new ways to stop these threats. The majority of PDF-related exploits can be categorized into two areas.

The first method involves camouflaging the PDF file structure, and the second involves obfuscating the enclosed JavaScript. With the former type of threat, filters (such as an ASCIIHexDecode filter) are employed to change the file content to confuse antivirus engines and disable the use of signature detections. With the latter, it encrypts or obfuscates the exploit code injected into the PDF file, thereby making the exploit code impossible to differentiate from the clean JavaScript.

Between these two types of exploit, the vast majority of threats that are out in the wild are of the obfuscated JavaScript variety. That’s because it’s difficult to change the PDF file while adhering to the PDF file format, thus limiting the actions...

Takashi Katsuki | November 9th, 2007

Since the start of this past September, my daily tasks have included investigating Trojan.Farfli, which is updated frequently. On the dark side of things, the author of the Trojan has daily tasks that are closely related to mine: updating Trojan.Farfli. We have seen Trojan.Farfli updated three times a day on average and sometimes as much as seven times a day, and the total number of variants has reached more than 300 since July. In comparison, Trojans discovered around the same time have far fewer variants. For example, Trojan.Hachilem and Trojan.Srizbi have only 150 variants and 40 variants, respectively. Precisely speaking, because there are files dropped by this Trojan that are polymorphic, there are hundreds and hundreds of variants of this Trojan.

Why does the author update the threat so often? Well, we don't know exactly what the motive is, but the most likely reason is for monetary purposes. An infected computer will access predefined Web sites with the author's...

Takashi Katsuki | May 9th, 2007

In the blog entry MS Needs Your Credit Card Details?, we detailed the behavior of the Kardphisher Trojan, which "attempts to steal credit card numbers by tricking the user into entering their credit card details to activate Windows." This entry explains how to remove the Trojan.

Removal instructions

1. Reboot the infected machine. You can do that by simply clicking the "No" and "Next" buttons, or by doing a good old-fashioned hard reboot.

2. While Windows is starting, press the function 8 key (F8 key) to enter Safe Mode.

3. Click Start > Run.

4. Type regedit

5. Click OK.

6. Navigate to and delete these subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\...

Takashi Katsuki | May 3rd, 2007

Recently we came across an interesting Trojan sample, detected by Symantec as Trojan.Kardphisher. The Trojan is not very technical - it's really just another classic social-engineering attack. What makes it interesting is that the author has obviously taken great pains to make it appear legitimate.

When you restart your PC after the Trojan is installed, this window appears:

You can only choose Yes or No. You can't run Task Manager or any other applications. If you choose No, your PC will be shut down immediately. If you choose Yes, you'll see this image:

...