Security Response

Technical analysis: Poul Jensen, Illustrations: Ben Nahorney

It is a given that many malicious software threats seen today will download additional software components to perform various activities. With the transition from malware for fun to profit-driven malware and the connected nature of the computer-using population, it is not unusual to see malware threats download other files onto the compromised computers. While there is much public discussion lately about advanced persistent threats (APT) that also make use of software-downloading techniques to augment their capabilities, there are also other malware threats doing the rounds that are not so concerned about industrial espionage and issues of national security. Perhaps it is because the likes of Trojan.Badlib do not necessarily target these types of high-value information that they may be considered of lesser...

A Master Boot Record (MBR) is an area of the hard disk (usually the first sector) used by a computer to perform start up operations. It is one of the first things to be read and executed by the computer hardware when a computer is powered on, even before the operating system itself. As far as trying to get access to the hardware first, you can’t really beat the MBR for that, with the exception of hardware ROM (BIOS) itself.

MBR infections offer great scope for deep infection and control of computers, which makes the idea attractive to malware creators. Contemporary MBR infection methods are a fairly complex affair and are not an undertaking that can be performed by many malware creators except for more highly skilled individuals. This is probably one reason why after the creators of Trojan.Mebroot rediscovered the...

McAfee published an interesting report yesterday about what they called Operation Shady RAT, focusing on a series of what some may call “advanced persistent threat” attacks. The attacks were dubbed in some quarters as “one of the largest series of cyber attacks ever.” While quite a bit of data was presented regarding the potential scale of these attacks, details on the threats and how the attacks were staged were somewhat limited.

Based on the information we managed to glean from the report and our own intelligence sources, we have identified the initial attack vectors, the threats used and how the attack was staged. In addition to all this, we have also uncovered what appears to be the same information source about the victims of the attacks that was used by McAfee as the basis of their report. This information is freely available on the attackers’...