
Security Response

Symantec Security Response | 02 May 2013 19:59:01 GMT | 0 comments

In July 2010, Stuxnet, one of the most sophisticated pieces of malware ever written, was discovered in the wild. This complex malware took many months to analyze and the eventual payload significantly raised the bar in terms of cyber threat capability. Stuxnet proved that malicious programs executing in the cyber world could successfully impact critical national infrastructure. The earliest known variant of Stuxnet was version 1.001 created in 2009. That is, until now.

Symantec Security Response has recently analyzed a sample of Stuxnet that predates version 1.001. Analysis of this code reveals the latest discovery to be version 0.5 and that it was in operation between 2007 and 2009 with indications that it, or even earlier variants of it, were in operation as early as 2005.

Key discoveries found while analyzing Stuxnet 0.5:

  • Oldest variant of Stuxnet ever found...
Symantec Security Response | 02 May 2013 19:59:03 GMT | 0 comments

When Symantec first disclosed details about how Stuxnet affected the programmable logic controllers (PLCs) used for uranium enrichment in Natanz, Iran, we documented two attack strategies. We also noted that the one targeting 417 PLC devices was disabled. We have now obtained an earlier version of Stuxnet that contains the fully operational 417 PLC device attack code.

After painstaking analysis, we can now confirm that the 417 PLC device attack code modifies the state of the valves used to feed UF6 (uranium hexafluoride gas) into the uranium enrichment centrifuges. The attack essentially closes the valves, causing disruption to the flow and possibly destruction of the centrifuges and related systems. In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values...

Symantec Security Response | 02 May 2013 19:59:06 GMT | 0 comments

Introduction

Stuxnet stores a version number within its code. Analysis of this code reveals the latest discovery to be version 0.5. Based on website domain registration details, Stuxnet 0.5 may have been in operation as early as 2005. The exact date this version began circulating in the wild is unclear. What is known is that the date this early variant stopped compromising computers was July 4, 2009—just 12 days after version 1 was created.

Table 1. Known Stuxnet variants, based on main module PE timestamps

This blog focuses on the Stuxnet timeline, how Stuxnet 0.5 fits into the attack timeline, and its evolution to Stuxnet version 1.
Evolution

Stuxnet 0.5 is...

Symantec Security Response | 02 May 2013 19:59:07 GMT | 0 comments

Similar to Stuxnet 1.x versions, Stuxnet 0.5 has limited command-and-control (C&C) ability. In particular, Stuxnet 0.5 does not provide fine-grained control to its authors. Instead, Stuxnet 0.5 can only download new code and update itself. Stuxnet needs to spread on isolated networks and therefore has been designed to be autonomous, reducing the need to have robust and fine-grained C&C ability. Stuxnet 0.5 also uses a secondary peer-to-peer mechanism in order to propagate code updates to peers on networks inaccessible to the broader Internet.

Stuxnet 0.5 has four C&C servers, all of which are now either unavailable or have since been registered by an unrelated party.

Interestingly, Stuxnet 0.5 is programmed to stop contacting the C&C server after January 11, 2009, even though the threat is programmed to stop spreading several months later, after July 4, 2009.

The C&C server domains were created in 2005 and all displayed the same front page...

Joji Hamada | 02 May 2013 19:59:08 GMT | 0 comments

Contributor: Masaki Suenaga

We have already seen a handful of zero-day vulnerabilities being exploited in the wild this year. These vulnerabilities have affected users globally leaving both individuals and organizations scrambling to protect their computers. While this does become tiring, this is not the time to rest or become complacent, especially for those using the Japanese word processor software, Ichitaro.

JustSystems has just announced a vulnerability that is currently being exploited in the wild. Symantec has seen the exploitation in the wild since mid-January, but it has been limited to users in Japan. The attacks using the exploit typically involve archive files containing the following files:

  • A clean Ichitaro document (.jtd file)
  • A modified JSMISC32.DLL file with a hidden attribute
  • A malicious DLL file with a hidden attribute and a .jtd file...
Symantec Security Response | 02 May 2013 19:59:12 GMT | 0 comments

Mandiant recently released a document containing indicators of compromise (IOCs) related to multiple espionage campaigns by a group known as the Comment Crew. Symantec has been actively tracking this group for six years while maintaining our own database of indicators. From our investigations we have collected thousands of indicators related to Comment Crew.

To help increase public awareness, we have decided to release hundreds of additional Comment Crew indicators to those already released. These are indicators that have been seen within the past year.

Symantec products already protect against the artifacts related to these indicators and many of these artifacts have already been shared with the security community.

You can find these indicators in the following paper:...

Hiroshi Shinotsuka | 02 May 2013 19:59:13 GMT | 0 comments

Regular readers of the Symantec blog may sometimes read blogs that mention a fraudulent file that is signed with a valid digital certificate or that an attacker signed their malware with a stolen digital certificate.

You may recall that the creators of Stuxnet, arguably the most notorious malware in history, signed it using the private keys of valid digital certificates of well-known companies.

Digital certificates are significant because a file with a digital certificate can be checked to see who authored it and to make sure it was not altered. Moreover, some versions of Windows display a dialog box when a file that has no digital signature is opened. If an attacker signs malware with the stolen private key from a digital certificate, Windows will execute the file in many cases, except if the file is downloaded from the Internet using a Web browser.

How does an...

Joji Hamada | 02 May 2013 19:59:14 GMT | 0 comments

The report, APT1: Exposing One of China's Cyber Espionage Units, published by Mandiant earlier this week, has drawn worldwide attention from both the security world and the general public. This interest is due to the conclusion the report has drawn regarding the origin of targeted attacks, using advanced persistent threats (APT), performed by a certain group of attackers dubbed the Comment Crew. You can read Symantec’s response to the report here.

Today, Symantec has discovered that someone performing targeted attacks is using the report as bait in an attempt to infect those who might be interested in reading it. The email we have come across is in Japanese, but this does not mean there are no emails in other languages spreading in the wild. The email purports to be from someone...

Symantec Security Response | 02 May 2013 19:59:15 GMT | 0 comments

Today Mandiant released a detailed report dubbed "APT1" which focuses on a prolific cyber espionage campaign by the Comment Crew going back to at least 2006 and targeting a broad range of industries. The report cites the earliest known public reference about APT1 infrastructure as originating from Symantec. We have detected this threat as Backdoor.Wualess since 2006 and have been actively tracking the group behind these attacks. The following Q&A briefly outlines some of the relevant Symantec information around this group:

Q: Do Symantec and Norton products protect against threats used by this group?

Yes. Symantec confirms protection for attacks associated with the Comment Crew through our antivirus and IPS signatures, as well as STAR malware...

Symantec Security Response | 14 Feb 2013 22:16:55 GMT | 0 comments

In a previous blog, Symantec reported on a new Adobe zero-day vulnerability (CVE-2013-0640, CVE-2013-0641) affecting Adobe Reader and Acrobat XI (11.0.1) and earlier versions that was being actively exploited in the wild. Adobe has yet to release a patch for this zero-day, but in an advisory they have provided a means of mitigation against the attack.

The initial report on this zero-day being actively used in the wild came from FireEye. They reported that several files were being...