
Security Response

Showing posts tagged with Endpoint Protection (AntiVirus)
Showing posts by Eoin Ward
Eoin Ward | 26 Nov 2010 | 0 comments

For about a year now, Symantec has been reporting on this blog about the rise and decline of the Mariposa botnet (the detection name for this threat is W32.Pilleuz). This time, we would like to explain a notable feature of this threat: "cookie stuffing".

As its tasty-sounding name suggests, cookie stuffing is one of the subtler "tasty" money-making methods used by malware authors. To explain the technique, let's first look at affiliate marketing, the marketing model that W32.Pilleuz exploits.

For example, let's suppose I enjoy triathlons and belong to the Symantec Triathlon Club, which has the website symtriclub.com. The sponsor of the Symantec Triathlon Club is a fictional bike store that runs the site examplebikestore.com. If, while browsing symtriclub.com, I click a link to examplebikestore.com and make a purchase, the triathlon club receives a small reward, because the bike store's advertisement was displayed on the club's website and that advertisement produced a result.

In the example above, the triathlon club is the bike store's affiliate, and the purchase here is a "qualifying transaction". A qualifying transaction is not necessarily a purchase; sometimes signing up for a newsletter or registering an account is enough. A website may set up any number of affiliates, and the way rewards are generated varies from affiliate to affiliate. "...

Eoin Ward | 25 Nov 2010 | 0 comments

Over the last year, Symantec has blogged on the rise and fall of the Mariposa botnet (what we detect as W32.Pilleuz). Today, we’re going to talk about an interesting aspect of this threat—the ability to perform “cookie stuffing”.

As delicious as it sounds, cookie stuffing is one of the subtler money spinning techniques used by malware writers. In order to explain the technique, let’s first look at the marketing model upon which it relies—affiliate marketing.

Let’s say I enjoy triathlons and that I’m a member of a “Symantec Triathlon Club” with the Web site symtriclub.com. This club is sponsored by a fictional bike store that runs examplebikestore.com. If I see a link to examplebikestore.com while on symtriclub.com, click on it, and then make a...

Eoin Ward | 26 May 2010 | 0 comments

In previous blogs, Symantec has highlighted threats that steal user data. We recently analyzed a new sample submitted to Symantec and came across a server hosting the credentials of 44 million stolen gaming accounts. What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck.

This particular database server we uncovered seems very much to be the heart of the operation—part of a distributed password checker aimed at Chinese gaming websites. The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games....

Eoin Ward | 13 Jun 2008 | 0 comments

Trojan.Gpcoder is a particularly nasty threat that uses public key cryptography to encrypt files on a person’s computer and subsequently requests payment from the user in order to recover the files. It has had many variants over the years. While analyzing a recent version, I observed that it uses a short key. Would this make it possible to decrypt the infected files?

Public key cryptography uses two keys—a public key and a private key. In Trojan.Gpcoder the public key is embedded in the virus and is used to encrypt files. The author of Trojan.Gpcoder holds the private key, which is used to decrypt the files.

Last year we detected Trojan.Gpcoder.E. This version of Trojan.Gpcoder claimed to use a public key algorithm called RSA-4096 to encrypt files (in fact, it used a weaker algorithm). More recently we detected a new variant, ...