Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Malicious Code
Showing posts in English
Liam O Murchu | 11 Jul 2011 14:15:33 GMT

Once in a while, a piece of malware will come along that grabs headlines. Rarer is malware that is talked about around the water cooler (at places other than Symantec). But the rarest of all is malware that actually makes history. It is for just such a piece of malware that we observe the one year anniversary this month.

Roughly around this time one year ago, a Belarusian computer security company reported finding malicious code designed to exploit a new Microsoft Windows vulnerability, dubbed the .LNK vulnerability. Little did they know this malware would change the world.

The fact that the malware exploited a zero-day vulnerability is significant, but certainly not history making. So, what made this malware so special? After the initial discovery, Symantec’s in-depth analysis of this particular malware ensued. Thousands of man hours analyzing 500 kilobytes of code later, the .LNK vulnerability was shown to be just the tip of the iceberg, and a very dangerous...

Peter Coogan | 06 Jul 2011 17:23:34 GMT

The terms targeted attack, spear phishing, and advanced persistent threat (APT) get bandied around in the media a lot these days. With the spate of recent headlines concerning companies being hacked, every company is on its guard to prevent becoming the next victim—and big headline. One of the major problems associated with targeted attacks is identifying whether or not your company is the actual target of any malware found and not just a random victim of a malware gang. There are several ways to try to do this, such as attempting to find the initial source of infection and analyzing the malware itself. However, attackers are clever and deception is part of their game.

If an attacker’s malware is discovered at any point during the initial...

Mario Ballano | 29 Jun 2011 19:35:24 GMT

We have been taking a close look at Android threats since they first appeared, looking for ways to analyze and classify them, as well as looking at possible attack vectors they may use in the near future. Some of our research has uncovered how Android applications could potentially exploit other installed applications to steal their private information or execute malicious code. In particular, we came across something that resembles Windows DLL Hijacking. Bear in mind that we are not talking about Android vulnerabilities per se, but application-specific issues. We found a few applications in the Google Android Marketplace that were susceptible to this attack and have notified the application developers accordingly.

Android provides APIs that allow an application to dynamically load code to be executed. For example, an application may support plug-ins that are downloaded and then loaded at a later time...

John McDonald | 29 Jun 2011 11:21:58 GMT

A colleague of mine recently wrote about one of the June “Microsoft Tuesday” vulnerabilities being exploited in the wild. Because we're a bit like that, we decided to allow the exploit to compromise one of our honeypot computers so we could observe what happened.

The exploit first came to our attention by way of email messages that were initially sent to a customer and then passed on to us for investigation. These messages were sent from an account hosted on a popular webmail service, contained very bad grammar, and were purportedly sent by a Chinese university student. The emails either asked for advice on a particular topic, or thanked the recipient for a recent presentation and included a question related to that presentation. The emails included a link to a Chinese restaurant and the destination Web page contained the exploit for an Internet Explorer 8 vulnerability:...

John McDonald | 29 Jun 2011 09:03:03 GMT

Our friends at Microsoft recently blogged about a new variant of a bootkit Trojan from the family they call Popureb. The variant, Win32/Popureb.E, introduced a driver component to prevent a malicious master boot record (MBR) and other malicious components from being cleaned.

At least one tech writer was quick to pick up on the implications of the following sentence from the Microsoft blog:

"If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR  using the Windows Recovery Console to return the MBR to a clean state."

Mark Hachman wrote an article for entitled "Microsoft's Answer to Vicious Malware? Reinstall Windows." In the article, Mark refers to a blog post on the Symantec Connect site that...

Cathal Mullaney | 20 Jun 2011 18:05:30 GMT

Backdoor.Bifrose first came to our attention in 2004. It is a remote administration backdoor tool that allows unauthorized access to a compromised computer. Once installed, the malware has a range of capabilities, including:  running processes, opening windows, opening a remote shell, stealing system information (such as passwords, and video game serial numbers), generating screen captures, and capturing video from a webcam, among other functionality. While Bifrose has been analyzed in the past, one of the more interesting features of the Trojan has been neglected or overlooked in most write-ups and analysis of the malware: its optional use of the Tor network. Tor, from the overview on their site:

“Is a network...

Joji Hamada | 17 Jun 2011 08:09:27 GMT

Symantec Security Response has confirmed that the Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Vulnerability is being exploited in the wild. The vulnerability affects Internet Explorer versions 6, 7, and 8; however, the exploit we have acquired seems to only affect version 8. Microsoft has already released patches as part of the MS Tuesday release on June 14, so Symantec advises all users to install the patch. So far, we have only seen limited attacks taking advantage of this vulnerability and believe that the exploit is only being carried out in targeted attacks at present.

We have been able to confirm the existence of one such attack that involves a compromised website hosting content for a neighborhood restaurant. It appears that a duplicate of the top page of the...

Hon Lau | 03 Jun 2011 14:36:55 GMT
W32.Qakbot is a pretty serious piece of malware that’s been doing the rounds since mid-2009. It is one of a family of threats that are consistently causing trouble, constantly being updated whenever new attack techniques or developments arise.  
The threat itself spreads through a number methods; in particular, we have seen it being spread from various websites using old vulnerabilities. Once inside a network, it employs other methods to propagate itself to other computers within the network such as copying itself to removal drives. Qakbot is notorious for stealing information, it collects a wide range of data from infected computers and then uploads it to various FTP accounts. 
We recently published a...
Mircea Ciubotariu | 06 May 2011 07:21:10 GMT

On April 12, 2011, KB2506014 was released to address a vulnerability affecting Windows Vista and later operating systems running on the AMD64 platform. Malware was exploiting the vulnerability to load unsigned drivers and stay resident in kernel mode.

Backdoor.Tidserv (a.k.a. TDL4) is one such threat that is patching operating systems’ loader files on-the-fly in order to ensure that its advanced rootkit capabilities work. As may be expected, Tidserv attempted to work around the KB2506014 patch, as noted in the following code snippets taken from the ldr16 entry of the threat’s encrypted file system:

Here, the hooked int13 (the 16-bit disk operations interrupt) attempts to identify the moment when...

Suyog Sainkar | 07 Apr 2011 16:43:21 GMT

Symantec has blogged previously about spammers exploiting the recent catastrophic situation in Japan. Since then, Symantec has observed additional variations in spam attacks in which the spammers are continuing to exploit the tragedy, even as the earthquake and tsunami relief efforts are in progress. Similar to what we have seen in the past, virus attacks in the form of messages containing links to images in the message body were observed in the third week of March. Such attacks, along with scam emails, are usually prevalent after such disasters have occurred. The subject line and screenshot of a sample message body of the virus attack can be seen below.

Subject: Novo tsunami atinge Sendai e Japao declara estado de emergencia em usina nuclear
[Subject: New tsunami hits Japan Sendai and declares state of emergency in nuclear plant]