
Security Response

Patrick Fitzgerald | 22 Jul 2010 | 0 comments

Over the past few days, W32.Stuxnet has received a great deal of media attention. It is a case study that shows almost completely how this attack succeeded and how such attacks are likely to be used in the future. A successful attack allows the attacker to steal confidential documents on SCADA design and usage.

Let me say at the outset that we do not know who is behind this attack, and the party behind an attack has very rarely been identified. However, if someone had proposed this kind of attack a month ago, while we would have acknowledged that it was theoretically possible, most would have dismissed it as something out of a movie. Moreover, attacks of this kind are rarely made public.

We know that those behind this attack are not amateurs, but their ultimate motive is unclear.

The principal facts of this case are as follows:

  • The attackers discovered and exploited a zero-day vulnerability affecting all versions of Microsoft Windows.
  • They developed and used a rootkit to hide their presence.
  • They targeted software used to manage industrial assets and industrial processes, drawing on deep knowledge of the product's internals.
  • The hackers were able to sign files with a legitimate digital certificate belonging to an innocent third-party company. That certificate expired in June, but a driver that newly appeared in July was digitally signed with a certificate from a different company. Both companies have offices in Taiwan. The hackers were able to steal the private key and sign files, and the attackers may hold further compromised digital signatures.
  • The hackers did not use a targeted attack vector. The threat copies itself to USB keys and can infect any Windows computer.

...

Patrick Fitzgerald | 21 Jul 2010 | 0 comments

W32.Stuxnet has received a lot of media attention over the last few days. This incident provides almost a complete case study of how these attacks succeed and how they will probably be used in the future. A successful attack allowed the attacker to steal confidential SCADA design and usage documents.

Let’s start by saying we don’t know who is behind the attack, and historically discovering this is very rare. However, if someone proposed this type of attack a month ago, while we would have agreed it was theoretically possible, most would have dismissed such an attack as a movie-plot scenario. Furthermore, attacks of this nature are rarely disclosed publicly.

We know that the people behind this attack aren’t amateurs, but their final motive is unclear.

The principal facts in this case are:

  • The attackers discovered and used a zero-day...
Patrick Fitzgerald | 22 Apr 2010 | 0 comments

Our previous blog entries about W32.Qakbot gave details about how the threat works, how it spreads, and its capabilities for stealing information. This entry focuses on the scale and type of data Qakbot has been successful in acquiring.

Stealing data

Qakbot monitors compromised computers for sensitive information and uploads the stolen data to an FTP server. The FTP server information is downloaded from the botnet and can change over time. Here is an example of a recent FTP configuration:

exec=!var ftphost_1=ftp.df[REMOVED]
exec=!var ftphost_2=web1[REMOVED]
exec=!var ftphost_3=ftp.su[REMOVED]
exec=!var ftphost_4=ftp.ab[REMOVED]
exec=!var ftphost_5=ftp.51[REMOVED]
exec=!var ftphost_6=ftp.fan[REMOVED]

While analyzing this threat we gained...

Patrick Fitzgerald | 31 Mar 2010 | 0 comments

On Monday, March 29, 2010, bkis.com published a blog describing malware that masqueraded as the Adobe Reader update program. This tactic is an attempt to run a malicious payload while avoiding detection. As we looked into this sample (detected as Trojan.Dosvine) in more detail, it became clear that this threat is involved in a DDoS (Distributed Denial of Service) attack on the Vietnamese online community. In a related article, Google reported that “compromised keyboard language software and possibly other legitimate software” is being used to infect Vietnamese Windows computers.

Initial reports on this attack have compared this to the Trojan.Hydraq/Aurora incident from earlier this year. For those not familiar with the Hydraq incident, everything you need to know can be found in our...

Patrick Fitzgerald | 29 Jan 2010 | 0 comments

If you have been following this series on Trojan.Hydraq over the last week, you may have noticed that the blog entries have been, well, boring. Because of its profile in the media and the varying assessments of the threat posed by Trojan.Hydraq and of its complexity, we decided to present the facts of the threat.

Threats make their way into mainstream media for various reasons. Sometimes it’s the effectiveness of a threat or the elegance associated with a particular approach taken by a piece of malware. Some use near impenetrable packers to make analysis extremely difficult and some have novel approaches to make the malware more robust and harder to take down.

2010 saw Trojan.Hydraq hit the media. This incident was dubbed “Operation Aurora”. In case there is still any confusion at this stage, the malware used in the Aurora attack is Trojan.Hydraq.

Trojan....

Patrick Fitzgerald | 28 Jan 2010 | 0 comments

At this stage we’ve looked at several features of Hydraq, including its obfuscation techniques and how it remains on an infected system. So, what control does the attacker have over a compromised system?

Backdoor Functionality

The ThreatExpert blog on Hydraq provides a comprehensive list of the features of this backdoor. The full article can be found here. The following list summarizes what this backdoor is capable of:

•    Adjust token privileges.
•    Check status of, control, and end processes and services.
•    Download a remote file, save it as %Temp%\mdm.exe, and then execute it.
•    Create, modify, and delete registry subkeys.
•    Retrieve a list of logical drives.
•    Read, write, execute, copy, change attributes, and...

Patrick Fitzgerald | 26 Jan 2010 | 0 comments

Yesterday’s blog spoke about the obfuscation techniques employed by Trojan.Hydraq.  As it turns out these techniques are not new, had been used by various malware in the past, and are not too tricky to get around.  This entry examines the techniques employed by this threat in order to stay active on a compromised computer and survive a restart.

Hydraq takes advantage of the Svchost.exe process in Windows.  When a Windows system starts up it checks the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

These entries are referred to as service groups.  The information under this key will have all the information required by the operating system in order to load the service group into memory.  The following screenshot shows the services loaded into a particular instance of svchost on a clean computer:

...

Patrick Fitzgerald | 25 Jan 2010 | 0 comments

While Trojan.Hydraq has been described as sophisticated, the methods used to obfuscate the code are relatively straightforward to deobfuscate. Trojan.Hydraq uses spaghetti code, a technique used to make analyzing the code of a program more difficult. The basic blocks of a function are identified and then completely rearranged so that one cannot easily follow the code in a linear fashion. The rearranged code blocks are connected by jump instructions that link them in the proper order during execution.

However, spaghetti code has been used in the past and, due to the simple method of implementation in Hydraq, is easily reversed. We posted one of the first blogs about spaghetti code in malware back in 2006, regarding LinkOptimizer. Most security companies have tools to simply reverse this type of obfuscation in an automated fashion and even off...

Patrick Fitzgerald | 29 Dec 2009 | 0 comments

Over the last few days there have been many articles written about an issue in Microsoft’s Internet Information Services (IIS).  This issue allows an attacker to bypass normal security restrictions when uploading a file to a Web application running on a vulnerable version of IIS.  This issue could allow an attacker to upload and execute arbitrary code with the privileges of the Web server.

There are varying reports on the severity of this issue, but according to Microsoft only poorly configured Web servers are at risk from this issue:

“An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration.”

...

Patrick Fitzgerald | 23 Nov 2009 | 0 comments

Once again Zeus is up to its old tricks with a new twist. The latest spam run informs users that their latest Social Security statement is available but may contain errors. The subject of the mail will be something like “Review annual Social Security statement”, and the body warns of a potential identity theft risk and asks you to review your annual statement at the link provided.

[Image: image1.png]
Figure 1. An example of the spam

If you follow this link you will arrive at the following page:
[Image: image2.png]
...