Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Emerging Threats
Showing posts in English
Symantec Security Response | 11 Nov 2009 19:11:44 GMT

The first iPhone worm, known as iPhoneOS.Ikee, recently hit the news everywhere. The purpose of this worm was to show that jailbroken iPhones had a flaw that could be easily exploited. The consequences of this worm were minor since the author decided to simply Rickroll users who became victims of this attack. However, there were many warnings that the publicly released code could easily be altered so that consequences were not so benign.

Given the implications—and this being a hot topic—reports are surfacing about a hacktool that can be used to attack jailbroken iPhones. This tool is taking advantage of the same default SSH password that iPhoneOS.Ikee does, but put plainly, this is not another worm. We...

Nicolas Falliere | 10 Nov 2009 12:31:22 GMT

Trojan.Clampi is an interesting threat, which we described in many blog entries over the past month. We’ve now compiled these entries, along with some new material, into a research paper—Inside the Jaws of Trojan.Clampi.

In a nutshell, Clampi is an Infostealer threat. Its executable can be seen as a host for separate modules, containing the real payloads of the threat. These modules are heavily protected from reverse-engineering as well. The functionalities range from banking-site password stealing, to local credential gathering, to a SOCKS proxy. The communication with Clampi’s command & control servers, the “Gates”, uses HTTP and is encrypted. Clampi...

Symantec Security Response | 09 Nov 2009 19:06:16 GMT

On the heels of a similar iPhone attack by a Dutch teenager, an Australian hacker (using the same technique) has written the first iPhone worm for jailbroken iPhones. The worm has been dubbed “Ikee” and uses the default SSH password of jailbroken iPhones to log in and spread. Please note that this worm does not impact iPhones that have not been jailbroken.

Many users who have jailbroken their iPhones in order to customize them have not changed their SSH password, allowing others to log in to their phone. In the case of Ikee, the worm scans random IP ranges and also specifically targets Optus, Vodafone, and Telstra's IP ranges, which are the common telephony providers in Australia. Once a vulnerable iPhone is found, the worm changes the wallpaper to a picture of Rick Astley (a prank known as Rickrolling), deletes the SSH daemon, and begins scanning the network for other vulnerable phones. Note that some of these telephony networks use NAT (network...

Peter Coogan | 04 Nov 2009 19:26:49 GMT

The Fragus exploit pack showed up on our radar a few months ago and has been steadily growing to become one of the most prevalent exploit packs being seen in the wild today by Symantec. It is similar to other popular exploit packs available—such as Unique, YES, Eleonore, and Liberty—but it brings some new and interesting features with it. Exploit packages are generally designed as a means to allow attackers to group and serve exploits from their website against the browsers of unsuspecting visitors. It is done in a nice GUI form, hosted on a Web server, and allows the attacker to generally choose which exploits to run. Once exploited, a final payload is served to the system. All of this is dished up in a control panel with some nice statistics on how successful the campaign has been.  


Ben Nahorney | 03 Nov 2009 20:40:05 GMT

Threats targeting the Macintosh platform are much less common than those targeting Windows. The same can be said about video games, where Windows is the dominate platform of the two. Combining games and malware has happened before, but a Mac game performing malicious activities? That’s something relatively new.

Takashi Katsuki, one of our Tokyo engineers, came across just that today. The game looks to be a throw-back to the classic Space Invaders/Galaga style of games from the early 1980s. However, what brings this game into the realm of malicious code is that for every alien ship you destroy, the game deletes a file from your home directory.

Andrea Lelli | 31 Oct 2009 13:13:44 GMT

Sure we have heard a lot about bots and botnets. One key component of a botnet is the command-and-control (C&C) server, which as we know can come in several flavours (IRC, Web pages, newsgroups, custom servers, etc.). Yet, here comes Trojan.Whitewell, which, being tired of old C&C channels, decides to pick up Facebook as a coordinator for the C&C server. I use the word “coordinator” because the Trojan only receives some configuration data from its Facebook account—the actual command execution and data reporting is done through a third party Web server.

The Trojan was sent through a popular malware distribution channel that is also related to other prevalent threats such as Trojan.Bredolab. The distribution technique is pretty simple: they send documents (PDF, or MS Office formats) containing exploits for known vulnerabilities. These documents usually...

Shunichi Imano | 30 Oct 2009 05:23:54 GMT

Symantec Security Response has become aware of a Trojan Horse we detect as Trojan.Ramvicrype. The Trojan uses the RC4 algorithm to encrypt files on compromised computers, rendering them unusable. Presence of files with a .vicrypt extension is a sure-fire sign of infection.

Trojan.Ramvicrype is a little different from most other Ransomware programs we’ve seen in the past. Typically these kinds of threats display a message prompting users to visit a certain Web page or email a specific address. Users will end up paying the online criminals in exchange for keys that can be used to unlock the computer or decrypt the encrypted files.

Previously posted blogs on the subject of Ransomware can be found at:

Eric Chien | 28 Oct 2009 21:17:13 GMT

A Blackberry application called PhoneSnoop was released recently, which resulted in an advisory from US-CERT. The application allows remote users to listen in on a Blackberry user’s surroundings.   

The application as seen when installed on a Blackberry

The application is actually quite straightforward and uses standard Blackberry APIs that allow the interception of incoming phone calls. When a call is received from a preconfigured phone number, the call is automatically answered and the speakerphone is engaged. Someone who has had this application installed may not notice the incoming phone call and not realize someone can now listen in on the immediate surroundings.

We’d consider this application just a proof of concept for a variety of reasons, including the author himself designing it as such:...

Nicolas Falliere | 20 Oct 2009 15:40:27 GMT

This chapter in our Clampi saga brings us back to the malware’s logging facility. As we saw before, one of Clampi’s modules, codenamed LOGGER, is responsible for logging outgoing information going to a determined list of URLs – stored in a data file as CRCs.

One problem arises with banking sites that preprocess the user’s personal information before sending it over HTTPS—it’s done using client-side JavaScript.  For instance, a hash of the input PIN number could be sent instead of the PIN number itself. This mechanism adds an extra layer of security, preventing malware from sniffing network traffic at one end of the SSL tunnel. But still, it’s only covering one end. It’s more secure than no encryption, but still not great. At least two methods exist to get around this:

  • Setting up a keylogger using either software (...
Nicolas Falliere | 16 Oct 2009 16:00:11 GMT

Let’s continue our Trojan.Clampi blog series by discussing three more modules downloaded and executed by Clampi. These modules share the common goal of gathering information, private or not, contained on the compromised computer. They don’t intercept network traffic like the Logger module does (described in my previous blog).

The PROT module
This module gathers private information from several sources, including Protected Storage (PStore), which contains user credentials stored by Internet Explorer or Outlook for instance. Interestingly, it also sets specific registry values in order to facilitate the creation of new entries in the PStore.
For instance, it sets the following registry entires:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet...