Security Response
Symantec Security Response | 21 Oct 2011 16:56:58 GMT

As mentioned in our previous blog, W32.Duqu was first brought to our attention by a research lab who had been investigating a targeted attack on another organization. This research was conducted by the Laboratory of Cryptography and System Security (CrySyS) in the Department of Telecommunications, Budapest University of Technology and Economics. CrySyS identified the infection and observed its similarity to W32.Stuxnet. They stated that no data was leaked as part of this attack.

We are grateful to CrySyS—sharing their findings allowed us to identify further attacks taking place. We have now determined that the originally targeted organization was one of a limited number of targets which include those in the industrial infrastructure industry. CrySyS has issued a statement regarding their analysis here:

The latest...

Symantec Security Response | 18 Oct 2011 16:59:09 GMT

On October 14, 2011, a research lab with strong international connections alerted us to a sample that appeared to be very similar to Stuxnet. They named the threat "Duqu" [dyü-kyü] because it creates files with the file name prefix “~DQ”. The research lab provided us with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet, which we were able to confirm. Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the...

Samir_Patil | 07 Oct 2011 19:02:10 GMT

Contributor: Anand Muralidharan

The sad news making the rounds these days is the death of Steve Jobs, Apple Co-founder and former CEO. His death has been a terrible loss to both Apple and Apple fans everywhere.

Spammers are capitalizing on this incident by sending malicious links related to the news of Steve Jobs’ death. Below is a screenshot of one such spam email containing a malicious link:

More malicious links found relating to death spam are:


All these websites contain obfuscated code leading to a BlackHole exploit. Most of the domains are recently registered, however a few of the older domains look quite legitimate and seem to be hijacked.

Below are the Subject lines which have been...

Stephen Doherty | 05 Oct 2011 22:18:01 GMT

Technical analysis: Poul Jensen, Illustrations: Ben Nahorney

Meet Downloader.Chepvil, a malware that has been creating quite a lot of noise recently, hitting inboxes far and wide. This threat begins life as an innocent-looking email and quickly transforms itself into a powerful blended threat capable of stealing information, installing misleading applications, and mailing additional copies of itself from newly compromised computers.

To begin with, let’s take a look at the initial email. It usually follows a predictable format – an enticing message encouraging the victim to open the email attachment.

The content of the email will change frequently; but as an example, a recent set of emails contained the following message:

Dear customer.

Joji Hamada | 13 Sep 2011 21:06:35 GMT

Thanks to Takayoshi Nakayama for his research and contributions to this blog.

Targeted attacks have been a pretty popular topic of discussion in the security industry in recent years. Many may recall the incident involving Hydraq—from January 2010—and Shady RAT was something discussed more recently.

Most targeted attacks involve emails with malware attachments as the trigger point of the attack. Once a computer is infected with the malware, an attacker can compromise not only the computer, but can also work to expose the infrastructure of the targeted organization and the sensitive data it possesses.

In the early stages of the targeted attacks involving emails that I started seeing around 2005, attachments included files such as Word documents, Excel spreadsheets, PowerPoint...

khaley | 08 Sep 2011 07:40:44 GMT

Ten years later, it is tempting to say that the September 11th terrorist attacks against the U.S. changed everything. It is indisputable that it changed many things, and without a doubt it changed how we think about security, how we deploy security, and what we spend on security.

But, we have not seen a significant impact on cyber security. The events of 9/11 drove a deep concern with physical security, but in 2001 no one saw a physical threat originate from a computer. That said, in the last ten years, we have seen a significant evolution in the Internet security threat landscape.

      Major Threats    Fame
2001  Code Red
Gavin O Gorman | 26 Aug 2011 13:57:38 GMT

W32.Xpaj.B is one of the most complex and sophisticated file infectors Symantec has encountered. In an older blog post, Piotr Krysiuk calls it an “upper crust file infector.” He describes several different approaches that the infector uses to increase the difficulty in detecting infected samples. The techniques W32.Xpaj.B uses to conceal itself within an executable are far beyond the norm. Given this level of complexity, it was decided to analyze the threat in detail.

The analysis revealed IP addresses for the command & control (C&C) servers. Infected W32.Xpaj.B executables send a download request to these C&C servers. Analysis of the threat’s backend control infrastructure...

Rodrigo Calvo | 28 Jul 2011 14:46:08 GMT

The application's digital signature cannot be verified. Do you want to run the application?

By: Rodrigo Calvo, CISSP, and Sebastian Brenner, CISSP

Infostealer.Bancos is a detection name used by Symantec to identify particular malicious software programs that gather confidential financial information from compromised computers. It first appeared in the summer of 2003 and targeted mainly Brazilian banks. Initially, these Trojans targeted one particular financial institution per variant. However, this method was not always successful. Therefore, in order to increase the success rate, the malware authors began targeting multiple financial institutions per variant. As such, Infostealer.Bancos branched out to include other Latin American banks.

The Old Trick: Social Engineering

Recently, we have received alerts from customers in Latin America regarding email messages containing suspicious...

Vivian Ho | 25 Jul 2011 19:45:15 GMT

The five-time Grammy award winner Amy Winehouse was found dead in London on July 23rd. Symantec has already observed spammers who are trying to capitalize on related news headlines by sending out malicious threats less than a day after the news was released.

The two samples given below are examples that we have observed. These Portuguese-language attacks use similar spam techniques. All samples are sent from randomized individual email accounts with various subject lines related to the celebrity’s death, in an attempt to lure interested readers into opening a malicious URL. Immediately after the link is clicked, a pop-up window is shown, which asks users to download a file that is loosely disguised as something other than an executable, such as an image or video file.

The file is given a name that is related to the celebrity, and of course isn’t an image or video file, but a malicious binary. Symantec has detected the threats in these samples as...

Joji Hamada | 13 Jul 2011 15:35:59 GMT

W32.Gammima.AG, an infostealer best known for targeting massively multiplayer online role-playing games, is now also going after a game on Facebook. This is the first time we have encountered the malware going after an app on Facebook.

This particular malware doesn't just target any Facebook user. It’s only interested in collecting login credentials from those who use the Perfect Poker app, which is a game that allows you to play online poker with other Facebook users. The inclusion of Perfect Poker to the list of targeted games in W32.Gammima.AG appears to have taken place around December 2010.

As with other variants of W32.Gammima.AG, which attempt to gather login credentials and steal online coins from the accounts in order to profit, the variant targeting Perfect Poker seeks the same...