Video Screencast Help
Security Response
Showing posts tagged with Malicious Code
Showing posts in English
Nicolas Falliere | 27 Oct 2009 04:06:33 GMT

Clampi goes to unusual measures to bypass the local firewall on the compromised computer, such as the Windows Firewall. Usually, such firewalls allow only specific programs to communicate using specific ports and protocols. For instance, your browser would be allowed to use outbound TCP port 80.

As we’ve previously discussed, Clampi needs to communicate with a “Gate” gateway server in order to get its orders and send information. Any firewall would block the program if it tried to connect to the outside world. Bypassing this can be done in many ways, the most common one in the malware world being to add an entry in the Windows registry, added the program to the trusted file list.

The Clampi gang decided to inject their networking code into Internet Explorer, which is granted Web access by any standard firewall configuration out there. Fair enough—that’s another approach, but not a new one. Yet you’ve seen these guys don’t do...

Nicolas Falliere | 23 Oct 2009 08:20:58 GMT

Today, we’ll discuss the two remaining Clampi modules used for replication and traffic relay capabilities. The SOCKS module is very straight-forward—it’s a SOCKS proxy server. Normal SOCKS proxy servers act as a connection relays and are used for many purposes, such as connection filtering, passing traffic through firewalls, or to maintain anonymity.

The server’s code is injected into an instance of Internet Explorer. It then listens for incoming connections on a random TCP port above 5000. The SOCKS module is activated in response to a control server’s command. The client then sends the port it’s listening on for inbound connections to the proxy server:


In the above example, the SOCKS server will be listening to port 38329 (which is 0x95B9 in hexadecimal base).

Usually, relay servers like this one expect authentication from the...

Nicolas Falliere | 20 Oct 2009 15:40:27 GMT

This chapter in our Clampi saga brings us back to the malware’s logging facility. As we saw before, one of Clampi’s modules, codenamed LOGGER, is responsible for logging outgoing information going to a determined list of URLs – stored in a data file as CRCs.

One problem arises with banking sites that preprocess the user’s personal information before sending it over HTTPS—it’s done using client-side JavaScript.  For instance, a hash of the input PIN number could be sent instead of the PIN number itself. This mechanism adds an extra layer of security, preventing malware from sniffing network traffic at one end of the SSL tunnel. But still, it’s only covering one end. It’s more secure than no encryption, but still not great. At least two methods exist to get around this:

  • Setting up a keylogger using either software (...
Nicolas Falliere | 16 Oct 2009 16:00:11 GMT

Let’s continue our Trojan.Clampi blog series by discussing three more modules downloaded and executed by Clampi. These modules share the common goal of gathering information, private or not, contained on the compromised computer. They don’t intercept network traffic like the Logger module does (described in my previous blog).

The PROT module
This module gathers private information from several sources, including Protected Storage (PStore), which contains user credentials stored by Internet Explorer or Outlook for instance. Interestingly, it also sets specific registry values in order to facilitate the creation of new entries in the PStore.
For instance, it sets the following registry entires:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet...
Hon Lau | 14 Oct 2009 19:43:52 GMT

Over the past few days a sustained email spam campaign has been running to distribute new Zeusbot variants. Initially the campaign kicked off with a story from “your administrator” about some server upgrade that requires you to download and execute a patch to ensure that your computer continues to work properly:
Subject: Important - Read Carefully
Email Body:

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file
and then to run it from your computer...

Gilou Tenebro | 14 Oct 2009 11:25:26 GMT

Trojan.Bredolab is a threat that has been distributed widely and consistently this year. This research paper takes a closer look at the Trojan to discover how it works, why it’s so widespread, and the motivations behind it.

In short, Bredolab is distributed by spam emails and drive-by-download attacks. (In fact, last month we blogged about a wave of spam emails used to distribute it.) Once it’s on a computer, Bredolab downloads and installs a variety of other threats. This process is outlined in the following diagram.

We have seen Bredolab downloading password stealers, bots, rootkits, backdoors, and misleading applications.  Some...

Symantec Security Response | 13 Oct 2009 14:35:50 GMT

Malware authors often leave hidden messages in files for analysts to find or for other malware authors to see. However, finding a curse on my whole family in a flash exploit file came as somewhat of a surprise!

The file in question was being distributed on the Internet circa June of this year and was being hosted on some Chinese domains. After decompressing the file and extracting the ActionScript I saw some Chinese characters used within the script. I don’t speak Chinese myself, so I had one of our engineers who does translate the message:

This roughly translates to:

“Dadong declares that: This file is used only for internal technical research, if you decrypt it your whole family will die, if you use it as a part of a Trojan your whole family will die also! If you use this file illegally you take responsibility for all results.”...

Nicolas Falliere | 12 Oct 2009 17:01:37 GMT

As mentioned in our previous blog entry, most of the Trojan.Clampi features reside in separate modules that are sent by a remote server in response to clients’ queries. In this part of this blog series, we’ll have a look at one of the modules used by the malware to steal login credentials mostly from banking Web sites.
This module is codenamed LOGGER by the threat. After decryption, the beginning of the module’s raw data looks like this (compressed):


To avoid downloading the module each time Clampi runs, it is stored in the registry (in an encrypted form) in a value named “Mxx”, where “xx” is a zero-based number...

Peter Coogan | 07 Oct 2009 21:00:54 GMT

We thought it might be interesting to provide some additional information on the Butterfly bot kit, following our blog published last week entitled The Mariposa Butterfly. We posted that blog in response to a report that half of the Fortune 100 companies have been compromised by a botnet dubbed Mariposa (Spanish for "butterfly"). The Butterfly bot kit's creator, known as Iserdo, markets the following features of the bot kit in the user manual supplied with the kit (the below snippet is taken directly from the user manual):

a) Features of bot base

1. Polymorphic code and strings
    code related to bot functionality is encoded
    everytime with different key, same goes for
2. Installation into hidden location
    installs into location where it is impossible
    to access with...
Nicolas Falliere | 06 Oct 2009 15:45:37 GMT

Trojan.Clampi is one of the hottest malware around, and as such, received a fair amount of media coverage, as well as technical reports describing some of its functionalities. As part of our ongoing blog series, we will be discussing interesting and rarely presented aspects of Clampi. Today, we’ll introduce an important aspect of Clampi: the network communication.

First of all, if you’re not familiar with this malware already, Clampi is a Trojan horse whose main purpose is to steal private information: user passwords, login credentials, software licenses, credit card numbers, bank account information, etc. Note that Clampi’s operations are performed by helper modules, downloaded by the main executable, and stored in the Windows registry.

Once the threat is installed on a computer, it connects to one of the gateway servers listed in the registry value “GatesList...