Security Response

(Note: This blog was written on September 2. We decided to postpone publishing it due to an ongoing joint effort to shut down servers and block domain names. The variant studied is not the latest but accurately reflects the functionalities of the threat.)

Trojan.Bamital appeared in the summer of 2010. The threat really became prevalent at the beginning of 2011, shortly after the discovery of the B variant. Bamital hooks into various browsers in order to modify search results and redirect the user to advertisement links. In this blog, we’re going to dissect a recent variant of Bamital to understand how the click-fraud scheme is implemented.

Installation

Bamital comes as a UPX-packed executable. When executed, it drops two components to the %CommonFiles% folder...

A few months ago, at least prior to February 7th, Sality operators pushed a new malware onto their P2P network of infected bots. The malware in question hooks into Internet Explorer using its standard COM interface, and gathers credentials submitted via web forms. February’s variant treated Facebook, Blogger, and Myspace logon information differently: on top of stealing and sending the username/password to a Command and Control (C&C) server, the information was also dumped to an encrypted file, onto the user’s compromised computer. At that time, the plausible guess was that these credentials would be used by upcoming malware – the Sality programmers are very imaginative.

This was confirmed last weekend. The newest Sality package contained a new malware, on top of their usual spam/web relays. The...

Back in the spring of 2010, I blogged about W32.Sality and the decentralized P2P botnet made up by hosts infected by Sality. The botnet is used to propagate URLs pointing to more malware. Recently, the gang behind Sality has distributed a tool to brute force Voice over IP (VoIP) account credentials on systems that use Session Initiation Protocol (SIP). SIP is a protocol widely used to initiate and control voice and video calls made over the Internet.

Let’s rewind back to November 2010. At that time, a few SIP-related blogs and mailing lists reported attacks against SIP...

In this blog, I’m going to provide extra details about the PLC infection process and how an operator can determine if their PLC is infected.   

First, recall that Stuxnet’s end-goal is the infection of particular types of Simatic PLCs. In order to achieve this goal, a Simatic DLL is replaced and acts as a proxy between the Programming Environment and the PLC devices. That DLL is able to do the following:

• monitor communication between the PLC and the Programming Environment
• infect PLCs
• mask potential PLC infections

A sequence consists of malicious blocks as well as infection stubs for already existing PLC blocks; Stuxnet contains two types of sequences.

Sequences A & B

The first type consists of two sequences, A and B. Each contain about 20 blocks, and specifically target PLC 315-2 by having specific system data blocks. See the Dossier for more information....