Security Response

On October 9th a German hacker group going by the name of the Chaos Computer Club (CCC) published an analysis of what they claim to be government spying software. The analysis is a 20 page PDF file describing how the software works. In addition, CCC made available a copy of the software on their website in the form of a .dll file and a .sys file (driver file). The CCC has not offered any proof of their claims that these are government affiliated samples.

Symantec has performed an initial analysis on the samples and has confirmed much of the functionality as described in the CCC document. The samples are malware--which Symantec detects as Backdoor.R2D2--that opens a back door allowing a remote attacker to access the compromised computer.

The back door .dll file, mfc42ul.dll, monitors chat and VOIP applications and is able to intercept status changes in the software, such as an incoming or outgoing call. It...

(Note: This blog was written on September 2. We decided to postpone publishing it due to an ongoing joint effort to shut down servers and block domain names. The variant studied is not the latest but accurately reflects the functionalities of the threat.)

Trojan.Bamital appeared in the summer of 2010. The threat really became prevalent at the beginning of 2011, shortly after the discovery of the B variant. Bamital hooks into various browsers in order to modify search results and redirect the user to advertisement links. In this blog, we’re going to dissect a recent variant of Bamital to understand how the click-fraud scheme is implemented.

Installation

Bamital comes as a UPX-packed executable. When executed, it drops two components to the %CommonFiles% folder...

Ten years later, it is tempting to say that the September 11th terrorist attacks against the U.S. changed everything. It is indisputable that it changed many things, and without a doubt it changed how we think about security, how we deploy security, and what we spend on security.

But, we have not seen a significant impact on cyber security. The events of 9/11 drove a deep concern with physical security, but in 2001 no one saw a physical threat originate from a computer. That said, in the last ten years, we have seen a significant evolution in the Internet security threat landscape.
 

We recently came across a new threat that is distributed through various adult websites. The Trojan masquerades as a codec that is required to view a video, and when downloaded and executed, displays a fake installer:

The Trojan also creates and executes a dropper executable, which in turn creates a DLL file in the %System% folder. The dropper executable then deletes itself.

The main body of the dropped DLL is encrypted, and to make analysis more difficult, the decryption key itself is encrypted using a value that is unique to the compromised computer. This is not a new idea; we’ve seen this technique used before, for example in the infamous Backdoor.Rustock variants. In this case, the unique value is 16 bytes in length and is generated from the creation times of the System and System Volume...