Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Emerging Threats
Showing posts in English
Gilou Tenebro | 14 Oct 2009 11:25:26 GMT

Trojan.Bredolab is a threat that has been distributed widely and consistently this year. This research paper takes a closer look at the Trojan to discover how it works, why it’s so widespread, and the motivations behind it.

In short, Bredolab is distributed by spam emails and drive-by-download attacks. (In fact, last month we blogged about a wave of spam emails used to distribute it.) Once it’s on a computer, Bredolab downloads and installs a variety of other threats. This process is outlined in the following diagram.

We have seen Bredolab downloading password stealers, bots, rootkits, backdoors, and misleading applications.  Some...

Symantec Security Response | 13 Oct 2009 14:35:50 GMT

Malware authors often leave hidden messages in files for analysts to find or for other malware authors to see. However, finding a curse on my whole family in a flash exploit file came as somewhat of a surprise!

The file in question was being distributed on the Internet circa June of this year and was being hosted on some Chinese domains. After decompressing the file and extracting the ActionScript I saw some Chinese characters used within the script. I don’t speak Chinese myself, so I had one of our engineers who does translate the message:

This roughly translates to:

“Dadong declares that: This file is used only for internal technical research, if you decrypt it your whole family will die, if you use it as a part of a Trojan your whole family will die also! If you use this file illegally you take responsibility for all results.”...

Nicolas Falliere | 12 Oct 2009 17:01:37 GMT

As mentioned in our previous blog entry, most of the Trojan.Clampi features reside in separate modules that are sent by a remote server in response to clients’ queries. In this part of this blog series, we’ll have a look at one of the modules used by the malware to steal login credentials mostly from banking Web sites.
This module is codenamed LOGGER by the threat. After decryption, the beginning of the module’s raw data looks like this (compressed):


To avoid downloading the module each time Clampi runs, it is stored in the registry (in an encrypted form) in a value named “Mxx”, where “xx” is a zero-based number...

Peter Coogan | 07 Oct 2009 21:00:54 GMT

We thought it might be interesting to provide some additional information on the Butterfly bot kit, following our blog published last week entitled The Mariposa Butterfly. We posted that blog in response to a report that half of the Fortune 100 companies have been compromised by a botnet dubbed Mariposa (Spanish for "butterfly"). The Butterfly bot kit's creator, known as Iserdo, markets the following features of the bot kit in the user manual supplied with the kit (the below snippet is taken directly from the user manual):

a) Features of bot base

1. Polymorphic code and strings
    code related to bot functionality is encoded
    everytime with different key, same goes for
2. Installation into hidden location
    installs into location where it is impossible
    to access with...
Nicolas Falliere | 06 Oct 2009 15:45:37 GMT

Trojan.Clampi is one of the hottest malware around, and as such, received a fair amount of media coverage, as well as technical reports describing some of its functionalities. As part of our ongoing blog series, we will be discussing interesting and rarely presented aspects of Clampi. Today, we’ll introduce an important aspect of Clampi: the network communication.

First of all, if you’re not familiar with this malware already, Clampi is a Trojan horse whose main purpose is to steal private information: user passwords, login credentials, software licenses, credit card numbers, bank account information, etc. Note that Clampi’s operations are performed by helper modules, downloaded by the main executable, and stored in the Windows registry.

Once the threat is installed on a computer, it connects to one of the gateway servers listed in the registry value “GatesList...

John McDonald | 01 Oct 2009 14:12:07 GMT

There has been a flurry of news articles over the past few days on what the media appears to have labeled the Mariposa botnet, after the name a Canadian information security firm used for this particular threat. The ‘butterfly’ in the title of this article refers to the fact that the threat is believed to stem from the Butterfly bot kit, which is no longer for sale.

Several security vendors have commented that this threat isn't new, and indeed Symantec has been detecting variants of it since as early as January this year. We currently have various detection names for these samples, the majority of which are one variant or another of W32.SillyFDC, Trojan Horse or more recently Packed....

Piotr Krysiuk | 30 Sep 2009 20:42:22 GMT

It is not very common for a file infector to do more than simply introduce trivial modifications to the files it infects. Virus authors usually avoid complex modifications to the files because of the possibility of corruption. W32.Xpaj.B is one of exceptions.

W32.Xpaj.B is an entry-point obscuring, polymorphic file infector. The virus is not completely new and shares some of its characteristics with its predecessor, W32.Xpaj, first seen in June 2008. What sets this creature apart is the amount of effort its authors have invested into hiding their malicious code in the files it infects.

W32.XPaj.B is more sophisticated than your average file infector. To make finding its malicious code difficult, the virus avoids putting any obvious signs in the infected files. Unlike most simple viruses, it doesn’t attempt to execute the virus code by hijacking control when the infected file is started. Instead, the virus overwrites some subroutines from the infected files with...

Patrick Fitzgerald | 25 Sep 2009 16:45:01 GMT

It’s well known that malware is growing more sophisticated, but few threats have had us scratching our heads like Trojan.Clampi. In order to remove the mystery around this threat, Security Response will be publishing a series of blogs talking about various aspects of Clampi. As an introduction, we’d like to present a brief overview of the threat.

Trojan.Clampi has been around for a number of years now. During this time it has gone through many iterations, changing its code with a view to avoid detection and also to make it difficult for researchers to analyze.

From our analysis it seems that Clampi has mainly affected machines in the US. Clampi infection rates seem to be skewed towards countries where English is the primary language.  This may indicate the first infections were as a result of malicious drive-by attacks on...

Gerry Egan | 22 Sep 2009 19:04:27 GMT

Have you ever noticed how movies tend to come in waves? A few years ago it seemed like every action movie had a space theme; then the following year the big new movies featured some kind of natural disaster. This past summer it seemed like every other movie was in 3-D. Technology, as we all know, has waves too, and the security industry is no different. For example, recently there has been a lot of talk about reputation-based security and suddenly it seems like every vendor is claiming to have some type of reputation technology. But, not all technologies are created equal, so I thought I’d take a few minutes to look at what makes Symantec’s reputation-based technology so very different.

Why is a new approach needed?

Two fairly recent trends have had a negative impact on the effectiveness of traditional approaches to security. First, many of today’s threats are highly polymorphic—they are able to easily hide because nearly every instance of...

Gavin O Gorman | 11 Sep 2009 15:02:50 GMT

Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. Recent developments have included the utilization of Web 2.0 social networking websites to deliver commands. By integrating C&C messages into valid communications, it becomes increasingly difficult to identify and shut down such sources. It's a concept very similar to that of chaffing and winnowing. Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups is relatively common, but this is the first instance of newsgroup C&C usage that Symantec...