Security Response
Showing posts tagged with Emerging Threats
Patrick Fitzgerald | 25 Jan 2010 17:17:17 GMT

While Trojan.Hydraq has been described as sophisticated, the methods used to obfuscate the code are relatively straightforward to deobfuscate. Trojan.Hydraq uses spaghetti code, a technique used to make analyzing the code of a program more difficult. The basic blocks of a function are identified and then completely rearranged so that one cannot easily follow the code in a linear fashion. The rearranged code blocks are connected by jump instructions that link them in the proper order during execution.

However, spaghetti code has been used in the past and, due to the simple method of implementation by Hydraq, is easily reversed.  We posted one of the first blogs about spaghetti code in malware back in 2006 in regards to LinkOptimizer.  Most security companies have tools to simply reverse this type of obfuscation in an automated fashion and even off...

Andrea Lelli | 22 Jan 2010 04:12:37 GMT

You probably have heard the recent news about a widespread attack that was carried out using a 0-Day exploit for Internet Explorer as one of the vectors. This exploit is also known as the "Aurora Exploit". The code has recently gone public and it was also added to the Metasploit framework.

This exploit was used to deliver a malicious payload, known by the name of Trojan.Hydraq, the main purpose of which was to steal information from the compromised computer and report it back to the attackers.

The exploit code makes use of known techniques to exploit a vulnerability that exists in the way Internet Explorer handles a deleted object. The final purpose of the exploit itself is to access an object that was...

Peter Coogan | 21 Jan 2010 17:51:15 GMT

In our last Trojan.Hydraq (Aurora) blog, The Trojan.Hydraq Incident, we mentioned that one of the components of this Trojan is based on VNC code and has the ability to allow an attacker to control a compromised computer and stream a live video feed of its desktop to a remote computer in real time. In this blog we will look at these components in more detail and demonstrate them being used.

Once Trojan.Hydraq is installed by means of an exploit, it downloads additional files from a remote location to aid with the attack. Two of the additional files downloaded are named VedioDriver.dll and Acelpvc.dll. These files are placed into the %System% folder on the exploited computer. Analysis of the files and communication protocol suggests that...

Symantec Security Response | 20 Jan 2010 16:12:20 GMT

Symantec Security Response has repeatedly warned that looking for free movies and videos online often results in malware infection, and here we go again with yet another example. We recently became aware of a campaign, centered around the YouTube Web site, to trick users into following malicious links.

YouTube is one of the most popular video sharing sites and therefore is often picked by online criminals hoping for an easy catch. Performing a search using a (generally female) celebrity’s name followed by "sex tape" or a recent movie name yields results such as the following:

[Image: searchres.jpg (search results)]

...

khaley | 20 Jan 2010 11:57:32 GMT

AntiVirus Live, Personal Security, Malware Defense, and Desktop Defender

These are all names for different rogue security software programs. We identified 250 different “brands” of these bogus products in the Rogue Security Software Report published in October 2009. But these four—and many others—are not among those 250. They are all new since October. You can see some examples of some of the new graphic styles of these fake AVs here.

In fact, there are so many of these misleading applications that we don’t even try to write a unique definition for each one of them. We use generic signatures such as Trojan Horse,...

Mayur Kulkarni | 19 Jan 2010 22:16:02 GMT

Last week, Symantec warned netizens of Haiti earthquake-related email scams. These alerts have not deterred spammers from continuing their operations in the form of 419 and phishing scams. We have monitored a variety of scam emails that falsely claim to come from humanitarian and relief fund organizations, asking users for donations.

When we look at the list of subject lines found in scam emails below, we observe that some of them imitate the subject lines of legitimate emails requesting donations:

Financial contributions to the British Red Cross
Please Reply.
Haiti Earthquake: HELP HAITI
Urgent response:Help haiti
RED CROSS EARTHQUAKE APPEAL- DONATE NOW!
...

Symantec Security Response | 19 Jan 2010 02:47:15 GMT

It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. In between then and now there has been a lot of rumour and debate about all aspects of this attack with many truths and mistruths being carried in public.

As the fallout from this event begins to settle a little, it helps to step back a bit and try to figure out exactly what happened and when. We will try to tell you the facts about this Trojan as we see them.

Large companies are common targets for hackers and attackers of various kinds and it is not uncommon for these companies to be actively monitoring traffic to and from their critical IT infrastructure. So it comes as no surprise that Google announced in its blog on the 12th January 2010 that it was the target of what it termed as a “highly sophisticated” attack on its business assets. In addition the blog also mentioned...

Symantec Security Response | 15 Jan 2010 09:07:23 GMT

Over the past couple of days, media outlets have been abuzz with news of a cyber attack on Google. A number of people have theorized political intent and the implications of these attacks.

First, a little background. The critical infrastructures of large corporations are attacked on a daily basis. Some companies are targeted more than others, but all of them are targeted by either hackers who like to put a large feather in their cap, or by hackers trying to steal information for monetary gain. As in all cases with large companies the attacks are investigated thoroughly to make certain that networks and data are not compromised. 

As with all targeted attacks, this particular attack was tailored to target a small number of corporate users. The attack vector in this instance could be one of many. A hacker only requires an unpatched computer to visit a website of the hacker's choice, or open a document crafted by the hacker. This can be done by sending a malicious...

Symantec Security Response | 08 Jan 2010 16:46:58 GMT

Last December we saw a couple of malicious JavaScript strings being pasted into Web sites on compromised servers. The beginning of the scripts looks like one of the following:

  • <script>/*GNU GPL*/ try{window.onload = function(){var ~
  • <script>/*CODE1*/ try{window.onload = function(){var ~

We’ve now confirmed a new version. One of the sites we saw was originally compromised with the "/*GNU GPL*/" script and was recently updated with the "/*LGPL*/" script. A top portion of the obfuscated script looks something like this:

<script>/*LGPL*/ try{ window.onload = function(){var C1nse3sk8o41s = document.createElement('s&c^$#r))i($p@&t^&'.repl

Once deobfuscated, it leads to a URL that looks something like this:

[http://]free-fr.rapidshare.com.hotlinkimage-com.thechocolateweb.ru:8080/51job.com/[REMOVED]/redtube.com/gittigidiyor.com/google.com/

The...

Patrick Fitzgerald | 29 Dec 2009 12:26:36 GMT

Over the last few days there have been many articles written about an issue in Microsoft’s Internet Information Services (IIS). This issue allows an attacker to bypass normal security restrictions when uploading a file to a Web application running on a vulnerable version of IIS. This issue could allow an attacker to upload and execute arbitrary code with the privileges of the Web server.

There are varying reports on the severity of this issue, but according to Microsoft only poorly configured Web servers are at risk from this issue:

“An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server...