Security Response: Showing posts tagged with Endpoint Protection (AntiVirus): Showing posts by Patrick Fitzgerald

At this stage we’ve looked at several features of Hydraq, including its obfuscation techniques and how it remains on an infected system. So, what control does the attacker have over a compromised system?

Backdoor Functionality

The ThreatExpert blog on Hydraq provides a comprehensive list of the features of this backdoor. The full article can be found here. The following list summarizes what this backdoor is capable of:

•    Adjust token privileges.
•    Check status of, control, and end processes and services.
•    Download a remote file, save it as %Temp%\mdm.exe, and then execute it.
•    Create, modify, and delete registry subkeys.
•    Retrieve a list of logical drives.
•    Read, write, execute, copy, change attributes, and...

While Trojan.Hydraq has been described as sophisticated, the methods used to obfuscate the code are relatively straight forward to deobfuscate.  Trojan.Hydraq has spaghetti code, which is a technique used to make analyzing the code of program more difficult.  The basic blocks of a function are identified, and then completely rearranged so one cannot easily follow the code in a linear fashion.  The rearranged code blocks are connected by jump instructions that connect them in the proper order during execution.

However, spaghetti code has been used in the past and, due to the simple method of implementation by Hydraq, is easily reversed.  We posted one of the first blogs about spaghetti code in malware back in 2006 in regards to LinkOptimizer.  Most security companies have tools to simply reverse this type of obfuscation in an automated fashion and even off...

Once again Zeus is up to its old tricks with a new twist.  The latest spam run informs users that their latest Social Security statement is available but it may contain errors.  The subject of the mail will be something like “Review annual Social Security statement“ and the body warns of a potential identity theft risk and asks you to review your annual statement at the link they provide.

Figure 1. An example of the Spam

If you follow this link you will arrive at the following page:
 

...

It’s well known that malware is growing more sophisticated, but few threats have had us scratching our heads like Trojan.Clampi. In order to remove the mystery around this threat, Security Response will be publishing a series of blogs talking about various aspects of Clampi. As an introduction, we’d like to present a brief overview of the threat.

Distribution
Trojan.Clampi has been around for a number of years now. During this time it has gone through many iterations, changing its code with a view to avoid detection and also to make it difficult for researchers to analyze.

From our analysis it seems that Clampi has mainly affected machines in the US. Clampi infection rates seem to be skewed towards countries where English is the primary language.  This may indicate the first infections were as a result of malicious drive-by attacks on...

Recently we came into possession of an Adobe Acrobat PDF file that upon opening drops and executes a malicious binary. It was quite clear that this PDF was exploiting some vulnerability in order to drop its payload. And, during the analysis it soon became apparent that this vulnerability was not one we had seen in the wild before. What was even more surprising was that this vulnerability affects Adobe Flash—not Adobe Reader as we initially suspected.

An issue in Adobe Flash is more serious. Most vulnerabilities are confined to one technology; for example, a vulnerability may affect a particular browser or a particular operating system, but it is rare for a vulnerability to span multiple platforms and products. This is not the case with Flash. Flash exists in all popular browsers and is also available in PDF documents. It is also largely operating system independent; therefore, the threat posed by this issue is not to be taken lightly. Flash has become an integral part...

Recently we have had a resurgence of people complaining that their online email accounts have been compromised and are being used to send spam. The reports all say the same thing: a message has been sent to every recipient in the Webmail address book, but the user had nothing to do with sending it.

In these types of situations, it usually turns out that a user’s Webmail login credentials are stolen during a phishing attack. The attacker will then use the stolen credentials to change the user’s account settings in order to allow the Webmail account to automatically send out spam email. Also, the attacker will modify or add an email signature so that every future email sent by the user includes additional spam text that the user will be unaware of. In addition, auto-responding vacation notifications are often turned on so that an automatic reply—including spam—is sent to any new incoming email.

The added spam signature text usually contains an...

Over the last few days many reports have emerged concerning a new variant of Downadup (a.k.a. Conficker), which has been dubbed Downadup.B++ or Conficker.C. While one could categorize Downadup into three variants (or even more), Symantec products will detect all known variants of Downadup as either Downadup.A or Downadup.B.

Unfortunately, in addition to differences in names, variant differentiation also exists between vendors. Some vendors have a different detection for every single Downadup binary—with a differing MD5 hash—resulting in more than 30 different Downadup “variants.” Some others don’t differentiate at all and just have a single name with no variant differentiation.

However, the important point regarding Downadup is not whether this is another variant, but rather is it a new variant; i.e., if it has been released recently. Fortunately, Downadup.B++ / Conficker.C is not a newly...