Video Screencast Help
Security Response
Showing posts tagged with Windows
Showing posts in English
Andrea Lelli | 08 May 2014 13:14:11 GMT

Symantec has spotted a recent surge of infections of Trojan.Viknok, which can gain elevated operating system privileges in order to add compromised computers to a botnet. Trojan.Viknok, first observed in April 2013, infects dll files with a malicious payload. Since its initial discovery, the malware has evolved into a sophisticated threat, capable of obtaining elevated operating system privileges in order to infect system files on multiple Windows operating systems, such as the 32 and 64-bit versions of Windows XP, Vista and 7. 

Attackers have been observed using Viknok-infected computers to carry out Adclick fraud. While click-fraud activity has been prevalent for years, it still seems to be an effective way for scammers to make money. The scammers behind the current Viknok campaign have gone to a lot of...

Symantec Security Response | 14 Jun 2013 00:25:57 GMT

The time between discovery of a vulnerability and the emergence of an exploit keeps getting shorter—sometimes a matter of only hours. This increases pressure on IT managers to rapidly patch production systems in conflict with configuration management and best practices for quality assurance. Many organizations struggle to keep up with the constant release of new patches and updates.

Last Tuesday, June 11, 2013, Microsoft released a security bulletin (MS13-051) which covers a number of vulnerabilities. One of the vulnerabilities has reportedly been exploited in targeted attacks. Attackers can leverage this vulnerability by sending a specially crafted attachment as part of a spear phishing campaign.

Microsoft Office PNG File CVE-2013-1331 Buffer Overflow Vulnerability (CVE-2013-1331)—a remote stack-...

Symantec Security Response | 01 Dec 2012 01:19:03 GMT

Whether a Montague or a Capulet, it never mattered to Juliet, as she made the case in Shakespeare's “Romeo and Juliet” when she says one of her most famous lines, “What’s in a name? That which we call a rose by any other name would smell as sweet.”

Earlier this week, we wrote about the increase in detections of a threat named W32.Changeup. Other vendors have written about it as well. However, each security vendor’s naming conventions are different. For Symantec, we named the threat W32.Changeup when we first discovered it.

Sampling of vendor detection names for W32.Changeup:

  • Microsoft: Worm:Win32/Vobfus.MD
  • McAfee: W32/Autorun.worm.aaeh
  • Trend Micro: WORM_VOBFUS
  • Sophos: W32/VBNA-X
  • Kaspersky: Worm....
Symantec Security Response | 04 Jun 2012 18:16:23 GMT

Flamer has a variety of ways of spreading on the local network. One of the methods is to hijack clients performing Windows Update. Three Flamer apps are involved in delivering the rogue update: SNACK, MUNCH, and GADGET.

When Internet Explorer starts, by default it will automatically search for proxy configuration settings. This happens through the Web Proxy Auto-Discovery Protocol (WPAD). Internet Explorer will attempt to retrieve proxy settings (wpad.dat) based on the computer's domain name. For example, if the computer is, Internet Explorer will request wpad.dat from:


Typically, resolution of these domain names will go to the DNS server. However, if the DNS server does not have records registered, Internet Explorer will also use WINS or NetBIOS for name resolution.


Mircea Ciubotariu | 14 Mar 2012 23:00:29 GMT

What was just a theory not so long ago is now being used in-the-wild by threats such as Backdoor.Hackersdoor and its newer variant Backdoor.Conpee.

Back in December we analyzed tdpipe.sys, an infected 64-bit Windows 7 system driver. The infection consisted of an extra import added to the driver’s import table:

The import named DiscPart from pipe.sys ensures that the malicious file pipe.sys is loaded at the same time as the system driver tdpipe.sys, although it simply returns without doing anything.

This is a common method employed by malware authors to ensure the malware they create runs when the compromised computer starts. The advantages to this...

Mircea Ciubotariu | 06 May 2011 07:21:10 GMT

On April 12, 2011, KB2506014 was released to address a vulnerability affecting Windows Vista and later operating systems running on the AMD64 platform. Malware was exploiting the vulnerability to load unsigned drivers and stay resident in kernel mode.

Backdoor.Tidserv (a.k.a. TDL4) is one such threat that is patching operating systems’ loader files on-the-fly in order to ensure that its advanced rootkit capabilities work. As may be expected, Tidserv attempted to work around the KB2506014 patch, as noted in the following code snippets taken from the ldr16 entry of the threat’s encrypted file system:

Here, the hooked int13 (the 16-bit disk operations interrupt) attempts to identify the moment when...

Piotr Krysiuk | 27 Aug 2010 20:58:11 GMT

In this blog we continue our analysis of the recently discovered Tidserv variant that is capable of infecting 64-bit Windows operating systems. While we gave a quick overview of the threat yesterday, today we’re going to talk more about how Tidserv installs itself on 32- and 64-bit operating systems.

While Backdoor.Tidserv.L arrives as a 32-bit Windows executable, it checks if it's running under a 32- or 64-bit version of Windows and chooses an architecture-specific method of installing itself. If it finds that it’s running on a 32-bit system, it uses the same method as older Tidserv variants to gain necessary privileges—by executing itself in the Print Spooler service. Next, it drops a 32-bit version of the malicious kernel driver and loads it into the Windows kernel. Once the driver is loaded, it infects the Master Boot Record (MBR) with a malicious version.

It then...

Symantec Security Response | 26 Aug 2010 17:29:18 GMT

Backdoor.Tidserv first came to light in back in 2008 as a Trojan that uses an advanced rootkit to hide itself. Since then, Symantec has seen many changes to Tidserv and we have documented a number of the changes in our blog postings. Yesterday, Symantec came across a new sample of Tidserv that we have broken out detection for as Backdoor.Tidserv.L and Boot.Tidserv.

This new variant of Tidserv is of interest for two main reasons. First, we are now seeing Tidserv inject user-mode code into Windows 64-bit driver processes found in the likes of 64-bit Windows versions. Previously, Tidserv targeted only 32-bit operating systems. Although this is not the first virus to inject code into 64-bit processes, it is still a relatively new venture for virus writers. It also demonstrates how the creators of Tidserv are...

Robert Keith | 13 Jul 2010 18:06:47 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing four bulletins covering a total of five vulnerabilities.

Four of the issues are rated “Critical” and affect Help and Support Center, Access, and the Canonical Display Driver. The Help and Support Center issue was originally made public on June 10 of this year, and has seen in-the-wild exploit attacks. The remaining issue, rated “Important,” affects Outlook and can be exploited to bypass Outlook’s detection of unsafe file types when dealing with attachments. All of the issues are client-side, and require an attacker to trick a victim into performing some action in order to exploit.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid...

Security Intel Analysis Team | 14 Jun 2010 22:37:57 GMT

While investigating the malware and shellcode that were associated with the recent Adobe Flash Player, Adobe Reader, and Acrobat 'authplay.dll' Remote Code Execution Vulnerability (BID 40586), we came across some interesting similarities to the malware and shellcode that were used in the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability (BID 38615) targeted attacks from March 2010.

The first similarity is in the shellcode

The image below is the function-hooking shellcode that was used in the targeted attacks against the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability in March 2010:

Below is the function-hooking shellcode that was used in the targeted attacks...