Video Screencast Help
Security Response
Showing posts tagged with Emerging Threats
Showing posts in English
khaley | 18 Feb 2010 20:57:54 GMT

Recently, Symantec observed some high-profile coverage of a threat being reported as a new type of computer virus known as “Kneber.” In reality Kneber is simply a pseudonym for the Zeus Trojan/botnet. The name Kneber refers to a particular group, or herd, of zombie computers (a.k.a. bots) being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot that also goes by the name Zeus, which has been observed, analyzed, and protected against for some time now.
Since Zeus/Zbot toolkits are widely available on the underground economy, it is not uncommon for attackers to create new strains, such as Kneber, of the overall Zeus botnet. Though it is true that this Kneber strain of the overall Zeus botnet is fairly large, it does not involve any new malicious threats. Thus, Symantec customers with up-to-date security software should already be...

Hon Lau | 17 Feb 2010 20:28:00 GMT

Since as far back as I can remember there has always been talk of rivalry and wars between various malware creators. The testosterone-fuelled battles may have even been encouraged by the media running stories of how such-and-such botnet “has X million nodes,” egging the botnet herders to try and outwit and outgrow each other in a competition to grab market share.
Take, for example, the Zeus botnet (Trojan.Zbot). This has been around for some time and has now developed into a mature piece of malware that is widely sold and used by wannabe eCriminals to steal information from hapless victims throughout the Internet. The ease of use afforded by the Zeus Trojan builder has helped it achieve its notorious status as one of the most widely seen bots in the world.
As with the gold rush in the previous centuries, some people learned that it was...

Joshua Talbot | 10 Feb 2010 20:50:05 GMT

I recall watching a Sandra Bullock film called “The Net” in the mid-nineties. It was about a software engineer, played by Bullock, who inadvertently became entangled in a web of cyber espionage and eventually had to fight for her identity (and even her life) in a flood of harrowing situations. One of the key plots in the film was that Bullock’s character was a recluse, rarely leaving her house and having virtually no life outside of cyberspace. This plot angle was a direct result of the budding age of the Internet and spurred popular discussions about how this newfangled “world wide web” was going to turn us all into hermits, cut off and desensitized to the real world around us.
I don’t know about you, but I still enjoy a nice walk in the park and dinner out with friends. However, it would seem that at least one group among us has grown quite desensitized to the finer points of the real world; these days, it seems nothing is...

Peter Coogan | 04 Feb 2010 18:36:42 GMT

The Zeus crimeware toolkit has been around now for a while and has grown over time to be the most established crimeware toolkit in the underground economy. In late December 2009 a new crimeware toolkit emanating from Russia—known as SpyEye V1.0—started to appear for sale on Russian underground forums. Retailing at $500, it is looking to take a chunk of the Zeus crimeware toolkit market. Symantec detects this threat as Trojan.Spyeye. Since it is relatively new, we are not seeing a lot of SpyEye activity yet. However, given some time and the observed rate of development for this crimeware toolkit, SpyEye could be a future contender for king of the crimeware toolkits.

SpyEyeLogo.JPG   ...

Liam O Murchu | 02 Feb 2010 14:05:30 GMT

While analyzing W32.Zimuse recently I was surprised to find two different passwords used within the threat: one of these decrypts a Word document that contains information about some members of a Slovakian motorbike forum.

In order to spread via USB drives, W32.Zimuse copies the file zipsetup.exe to removable drives. If zipsetup.exe is run with no parameters it shows the following message box:

The zipsetup.exe dialog box

This is not a real WinZip dialog box, just a password box made to look like the WinZip message box. The user has 10 chances to enter the correct password, after which the application will close. Entering "2008_15_12" (without quotes) decrypts a Word document named zoznam.doc:


Patrick Fitzgerald | 29 Jan 2010 16:05:48 GMT

If you have been following this series on Trojan.Hydraq over the last week you may have noticed that the blog entries have been well, boring. Because of its profile in the media and varying assessments of the threat posed by and the complexity of Trojan.Hydraq we decided to present the facts of the threat.

Threats make their way into mainstream media for various reasons. Sometimes it’s the effectiveness of a threat or the elegance associated with a particular approach taken by a piece of malware. Some use near impenetrable packers to make analysis extremely difficult and some have novel approaches to make the malware more robust and harder to take down.

2010 saw Trojan.Hydraq hit the media. This incident was dubbed “Operation Aurora”. In case there is still any confusion at this stage, the malware used in the Aurora attack is Trojan.Hydraq.


Parveen Vashishtha | 28 Jan 2010 22:31:48 GMT

The use of search engines to deliver malware is well known. Previously we reported that attackers were using Google-sponsored search results to promote malicious websites. Instead of using techniques such as search engine optimization (SEO) poisoning to get the optimum listing in the search engine results, attackers recently managed to compromise well known site, which is promoted by Google’s sponsored links. Interestingly, up until late last week, was hosting malicious exploits and was blacklisted by Google SafeBrowse. However, at the time of posting this blog the malicious code has been removed from and Google is no longer blocking it.

In this specific example, users who rely on Google’s sponsored links run the risk of their...

Patrick Fitzgerald | 28 Jan 2010 21:25:51 GMT

At this stage we’ve looked at several features of Hydraq, including its obfuscation techniques and how it remains on an infected system. So, what control does the attacker have over a compromised system?

Backdoor Functionality

The ThreatExpert blog on Hydraq provides a comprehensive list of the features of this backdoor. The full article can be found here. The following list summarizes what this backdoor is capable of:

•    Adjust token privileges.
•    Check status of, control, and end processes and services.
•    Download a remote file, save it as %Temp%\mdm.exe, and then execute it.
•    Create, modify, and delete registry subkeys.
•    Retrieve a list of logical drives.
•    Read, write, execute, copy, change...

Joji Hamada | 28 Jan 2010 11:19:45 GMT

Yesterday we saw SEO poisoning attacks when searching for keywords such as "Apple Tablet". Now, after the product announcement has been made, we are seeing the same attack with the actual name of the product included in the search term.

Using search terms like "Apple Ipad rumor" or "Apple Ipad size" are likely to produce results from sites like,, or, ultimately compromising your computer with rogue security software.



No worries for Symantec product users.  Our HTTP FakeAV Redirect Request IPS signature will detect the attack.  Our...

Patrick Fitzgerald | 26 Jan 2010 16:40:57 GMT

Yesterday’s blog spoke about the obfuscation techniques employed by Trojan.Hydraq.  As it turns out these techniques are not new, had been used by various malware in the past, and are not too tricky to get around.  This entry examines the techniques employed by this threat in order to stay active on a compromised computer and survive a restart.

Hydraq takes advantage of the Svchost.exe process in Windows.  When a Windows system starts up it checks the following registry key:


These entries are referred to as service groups.  The information under this key will have all the information required by the operating system in order to load the service group into memory.  The following screenshot shows the services loaded into a particular instance of svchost on a clean computer: