Video Screencast Help
Security Response
Showing posts tagged with Malicious Code
Showing posts in English
Joji Hamada | 17 Jan 2010 08:39:28 GMT

News of an exploit being used to target a zero-day vulnerability in Internet Explorer (BID 37815) was announced on Thursday, January 14th. According to Microsoft, the vulnerability affects Internet Explorer 6, 7, and 8, which together make up the bulk of the versions used today. Reports, however, have confirmed that only Internet Explorer 6 has been targeted so far and the exploit has only been seen in targeted attacks. Since the exploit code has been made public and is available for anyone to download (and use to make attacks), it is highly likely we will see it being used in more Web-based attacks.

In this security issue Internet Explorer is prone to a remote code-execution vulnerability. This means that attackers can use exploit code to execute malicious code on a victim's computer and then compromise the computer. If you are using Internet Explorer 6, 7, or 8 you may be affected until such time as you...

Symantec Security Response | 08 Jan 2010 16:46:58 GMT

Last December we saw a couple of malicious JavaScript strings being pasted into Web sites on compromised servers. The beginning of the scripts look like one of the following:

  • <script>/*GNU GPL*/ try{window.onload = function(){var ~
  • <script>/*CODE1*/ try{window.onload = function(){var ~

We’ve now confirmed a new version. One of the sites we saw was originally compromised with the "/*GNU GPL*/" script and was recently updated with the "/*LGPL*/" script. A top portion of the obfuscated script looks something like this:

<script>/*LGPL*/ try{ window.onload = function(){var C1nse3sk8o41s = document.createElement('s&c^$#r))i($p@&t^&'.repl

Once deobfuscated, it leads to a URL that looks something like this:



khaley | 06 Jan 2010 17:48:24 GMT

When I worked at a small business the IT guy also took care of the phone system, assembled bookcases if needed, and occasionally worked the front desk when the receptionist was on break. In a small business everyone wears many hats and you often don’t really have the skills necessary to do everything asked of you all that well. Or if you do, you probably don’t have the time.

But certainly small and medium businesses understand the importance of computer security and make sure they take all the steps necessary to protect their business from the potentially devastating losses of cybercrime! Well, that’s half right. According to a survey done last year by Symantec, SMBs know security is important but they are not taking proper steps to protect themselves. In fact, a stunning 33 percent of SMBs don’t even run basic antivirus software.

The SMBs surveyed said they don’t have the staffing, budget, or bandwidth to properly protect themselves. And...

Hon Lau | 18 Dec 2009 17:01:03 GMT

Those looking to see the latest 3D blockbuster movie, The Avatar, on the cheap will have to take great care in what they search for. We have become aware of at least one site that has been rigged to redirect users to a page that presents the now-familiar "play video/need codec" screen. In an unusual twist, this time it is offering a new ActiveX update rather than the usual codec or Flash player updates.



Clicking on the play button or icon will send a request to, which will then eventually offer you a file named along the lines of Activex_Setup[1].45158.exe from the domain. This is now detected as Trojan.FakeAV.

In addition to this malware page there are literally hundreds of other scam sites and pages trying to cash in on the...

Mircea Ciubotariu | 17 Dec 2009 11:32:37 GMT

We have recently learned of yet another zero-day exploit in Adobe Acrobat. This time it's an overflow for a special type parameter in a function provided by the multimedia.api plugin that can be manipulated from JavaScript in the following manner:


Somewhere deep in newPlayer, deinit_obj is set as the handler for deleting the object when it's no longer needed:


And eventually deinit_obj calls the destroy function from the object's v_table:


So far, so good, except the...

Andrea Lelli | 09 Dec 2009 17:24:13 GMT

A peak of new infections of Trojan.Mebroot has been found in the wild and after some investigation the data shows that there is a new wave of Mebroot Trojans being distributed through a popular exploit pack. The binary executables are using a newer packer to avoid detection from antivirus products.

Mebroot has been around for some time; apart from updating their packer, the most interesting thing about this infection is how Mebroot gets itself onto your machine in the first place. I had a glance at the network capture and the intrusion seems to be coming from Java:




Images 1 and 2: The network activity shows a series of http GET requests that end up downloading an executable onto the machine.

This data stream shows some requests being made to the malicious server....

Candid Wueest | 03 Dec 2009 21:58:29 GMT
The Mozilla Firefox browser is constantly gaining in popularity. A recent market share survey by Net Applications awards Firefox with 24% of users worldwide. One of the key philosophies of Firefox is that its functionality can easily be extended using plug-ins or extensions. According to the Mozilla foundation there are more than 12,000 extensions available and they have recorded more than 1 billion extension downloads so far. Quite an irresistible target for a malware author, don’t you think?
This is by no means a new phenomenon, nor a Firefox-centric one. Browser helper objects (BHOs) in Microsoft’s Internet Explorer have been misused by attackers for years, and we saw malicious Firefox extensions appear more than three years ago. But, we have recently observed an increase in malware that drops malicious BHOs, Firefox extensions, and even Opera user scripts—all this in order to maximize their impact on a user’s machine....
Hon Lau | 01 Dec 2009 18:53:34 GMT

Piggybacking (pun intended) on the swine flu pandemic is the Zeus bot crew, whose latest offering comes in the guise of an email purporting to come from the CDC (Center for Disease Control). The email contains a link to a bogus Web page that is made to look like an official CDC page.
The content of the page asks you to create a profile that will then enable you to get the H1N1 flu vaccine.
The subject lines used in the emails are quite variable; for example, the following have been seen:

•        Instructions on creation of your personal Vaccination Profile

•        Governmental registration program on the H1N1 vaccination

Hon Lau | 30 Nov 2009 23:10:54 GMT

The Koobface gang has been keeping themselves busy of late. Like Santa's little elves, they’re beavering away, creating and checking their fake Facebook and YouTube video sites and packin' it (the worm, that is) twice. The latest campaign involves posting messages on Facebook profiles, which link to either to fake video pages or a fake Facebook page. Either way you will be offered a file named setup.exe, which may be presented as a Flash Player upgrade or some kind of free antivirus to protect you from Koobface.

The lure is put forth in compromised or bogus Facebook postings. The text is largely the same, though the messages appear with duplicate letters in various parts of the posts. For example:

•    I caan't ffall asleepp affter viewwing thiss videeo. I haven'tt seenn aanything liike this
•    I can''t falll aslleep aftter viiewing thhis vvideo. I havven't seeen aanything likee...

Hon Lau | 28 Nov 2009 12:15:34 GMT

The car accident involving Tiger Woods last night outside his home in Windemere, Florida has been generating a lot of heat as far as Web traffic and searches go. Since the news broke, the top web searches on Google has been related to the this story. Even hours after the break of the story, six out of the top ten search items are still related to this event.  Tiger Woods is obviously a huge celebrity from a sport that has a huge worldwide following. The circumstances surrounding this accident are still as yet unclear.   

Search rankings for results relating to Tiger Woods

From an IT security point of view this unfortunate incident is just another fruit ripe for the picking as far as malware writers are concerned. So it comes as no surprise that the creators of rogue antivirus or misleading application software have already jumped on the bandwagon and attempted to poison web search...