
Security Response

Takashi Katsuki | 18 Feb 2011 | 0 comments

With the recent discovery of Android.Adrd, I find it very interesting that several security companies have lumped this threat under the same detection name as Android.Geinimi, even though Android.Adrd is unique in its own right. Android.Adrd is the first Trojan horse targeting Android devices whose purpose is search engine manipulation. In today's blog, I compare these two threats.

Propagation
Both threats use pirated software to infect users' devices. The threat author selects popular applications to Trojanize and delivers malicious content on top of clean content.

Initialization
Both threats register themselves to run at boot time. Android.Adrd also registers itself to run when a phone call is made or when network connectivity settings are changed.

Functionality
Android.Geinimi opens a back door on the device. It has over twenty functions, such as making calls, sending SMS messages, and stealing confidential information. By comparison, Android.Adrd's functionality is very basic. Once running, Android.Adrd receives a set of strings from a remote server and repeatedly performs search operations in the background (that is, without the user noticing). The searches are performed via HTTP requests of the following form:

wap.baidu.com/s?word=[encoded search string]&vit=uni&from=[ID]

Interestingly, the immediate purpose of these requests is to raise the site ranking of a Chinese mobile website known as "聚焦网" (Focus Online) through Baidu's Traffic Union program. The HTTP requests artificially inflate the number of searches for the terms specified by the Trojan's author, and as a result, for particular search terms...

Takashi Katsuki | 18 Feb 2011 | 0 comments

With the recent discovery of Android.Adrd, I thought it was really interesting that a few security companies decided to bundle this threat with the same detection name as Android.Geinimi, even though Android.Adrd is unique in its own right. This is the first Trojan horse for Android whose purpose is search engine manipulation. In today’s blog, I will compare these two threats.

Propagation
Both of the threats use pirated software to infect user devices. The threat author has selected popular apps to “Trojanize” and deliver malicious content on top of clean content.

Initialization
Both threats register themselves to run at boot time. Android.Adrd also registers itself when a phone call is made or network connectivity settings are changed.

Functionality
Android.Geinimi opens a back door on a device. It has over twenty functions, such as making calls, sending SMS messages,...

Takashi Katsuki | 10 Aug 2010 | 0 comments

Last year I wrote a blog entry entitled "The Fight Against Malicious PDFs Using the ASCII85Decode Filter" about a threat that uses the ASCII85Decode filter to hide itself. Since then, several Adobe Reader vulnerabilities have been found, including a recent zero-day vulnerability, but attackers tend to use not only direct exploitation but also social engineering. I think the reason is this: software vulnerabilities can be fixed fairly easily with a patch, whereas with social engineering we (the potential victims) have to understand and recognize the danger, which is not easy.

More recently, a social engineering technique that uses a PDF file as a "container" file has also been observed. This PDF threat contains a 7-Zip file as an attachment and displays a message dialog that lures the user into opening that 7-Zip file. It also uses JavaScript to switch the message dialog depending on the version of the PDF reader the user is running. When the threat is opened in Adobe Reader version 6, a Chinese message like the following is displayed.

Roughly translated, it says: "...

Takashi Katsuki | 09 Aug 2010 | 0 comments

Last year I wrote a blog entry entitled The Fight Against Malicious PDFs Using the ASCII85Decode Filter, which is about a threat that uses the ASCII85Decode filter to hide itself. Since that time, some Adobe Reader vulnerabilities have been found, including a recent zero-day vulnerability. However, attackers like to use not only direct exploitation, but also social engineering. I think this is because patches can fix software vulnerabilities fairly easily, but social engineering requires us (as potential victims) to understand and know what is dangerous, which is never easy.

More recently, I have discovered a social engineering threat that uses a PDF file as a “container” file. This PDF threat contains a 7-Zip file as an attachment...

Takashi Katsuki | 08 Sep 2009 | 0 comments

Because PDF-related threats are on the increase in the wild, my colleagues and I have been focusing on investigating new ways to stop these threats. The majority of PDF-related exploits can be categorized into two areas.

The first method involves camouflaging the PDF file structure, and the second involves obfuscating the enclosed JavaScript. With the former type of threat, filters (such as the ASCIIHexDecode filter) are employed to change the file content in order to confuse antivirus engines and defeat signature detection. With the latter, the exploit code injected into the PDF file is encrypted or obfuscated, making it impossible to differentiate from clean JavaScript.

Between these two types of exploit, the vast majority of threats that are out in the wild are of the obfuscated JavaScript variety. That’s because it’s difficult to change the PDF file while adhering to the PDF file format, thus limiting the actions...

Takashi Katsuki | 09 Nov 2007 | 0 comments

Since the start of this past September, my daily tasks have included investigating Trojan.Farfli, which is updated frequently. On the dark side of things, the author of the Trojan has daily tasks that are closely related to mine: updating Trojan.Farfli. We have seen Trojan.Farfli updated three times a day on average and sometimes as much as seven times a day, and the total number of variants has reached more than 300 since July. In comparison, Trojans discovered around the same time have far fewer variants. For example, Trojan.Hachilem and Trojan.Srizbi have only 150 variants and 40 variants, respectively. Precisely speaking, because there are files dropped by this Trojan that are polymorphic, there are hundreds and hundreds of variants of this Trojan.

Why does the author update the threat so often? Well, we don't know exactly what the motive is, but the most likely reason is for monetary purposes. An infected computer will access predefined Web sites with the author's...

Takashi Katsuki | 09 May 2007 | 0 comments

In the blog entry MS Needs Your Credit Card Details?, we detailed the behavior of the Kardphisher Trojan, which "attempts to steal credit card numbers by tricking the user into entering their credit card details to activate Windows." This entry explains how to remove the Trojan.

Removal instructions

1. Reboot the infected machine. You can do that by simply clicking the "No" and "Next" buttons, or by doing a good old-fashioned hard reboot.

2. While Windows is starting, press the function 8 key (F8 key) to enter Safe Mode.

3. Click Start > Run.

4. Type regedit

5. Click OK.

6. Navigate to and delete these subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\...

Takashi Katsuki | 03 May 2007 | 0 comments

Recently we came across an interesting Trojan sample, detected by Symantec as Trojan.Kardphisher. The Trojan is not very technical - it's really just another classic social-engineering attack. What makes it interesting is that the author has obviously taken great pains to make it appear legitimate.

When you restart your PC after the Trojan is installed, this window appears:

You can only choose Yes or No. You can't run Task Manager or any other applications. If you choose No, your PC will be shut down immediately. If you choose Yes, you'll see this image:

...