Video Screencast Help
Security Response
Showing posts tagged with Malicious Code
Showing posts in English
Joji Hamada | 07 Apr 2007 07:00:00 GMT | 0 comments

In Japan, April is the first month of the fiscal year and is alsothe time of year when large numbers of high school and collegegraduates join the workforce. These new hires usually go though intensetraining in the first few months at their respective companies beforebeing assigned to their new posts. Well, these companies had betterplan to quickly take them through a crash course on security inaddition to the normal training, because there is new targeted attackthat takes advantage of a zero-day vulnerability in Justsytem'sIchitaro, the word processing program most widely used in Japan.

The attack – a specially crafted Justsystem Ichitaro document employing the zero-day exploit, which Symantec detects as Trojan.Tarodrop.C,allows a Trojan horse to be dropped onto the target computer. Thedropped Trojan horse then takes over and drops a downloader Trojan...

Chen Yu | 05 Apr 2007 07:00:00 GMT | 0 comments

For a long time if you visited a Chineseantivirus forum you see people crying that they are infected withGraybird. There are two popular topics in Chinese forums that representthe two sides of the coin: Guides to deploy Graybird on the one handand tips to get rid of it on the other.

So what is Graybird and how did it get started? Graybird was firstcreated in 2001. Initially it was for research purposes and was opensource. From early 2003 the author set up Gray Pigeon Studio thatdeveloped and sold Graybird. The studio stated that Graybird is aremote administration tool and sold it for 100 Chinese Yuan a year.Functions of this so-called remote administration tool include:
• Capture screenshots
• Turn on a Webcam
• Log keystrokes
• Steal passwords
• Access all files on the victim's machine

Unlike other remote administration tools, it apparently tries to runwithout the user’s knowledge; it does not display an icon or output anymessages while...

Peter Ferrie | 05 Apr 2007 07:00:00 GMT | 0 comments

On Wednesday morning, we received anonymously a copy of the first "iPod virus", which we call Linux.Podloso(renamed from Linux.Noslo), a play on the virus author's name of"Oslo". Although this virus is designed to run on iPod Linux, there isnothing iPod-specific in the virus code, so it is not an iPod virus. Itis just another proof-of-concept Linux virus.

"iPod Linux" is a software project that allows a user to run adifferent operating system, Linux, directly on an iPod. So, when theiPod is switched on, the user sees a Linux interface instead of theusual Apple interface. This virus runs within that particular Linuxframework and infects the files that are part of that operating system.

The virus arrives as a file called "" and it infectsspecific iPodLinux files on the compromised device. To infect an iPodwould require a user to...

Zulfikar Ramzan | 03 Apr 2007 07:00:00 GMT | 0 comments

At the recent Shmoocon conference, Billy Hoffman of SPI Labsdescribed a tool he built called Jikto. This tool can scan a Web sitefor different types of Web vulnerabilities. In the hands of a good guy,the tool can point out holes, which can then be fixed. In the hands ofa bad guy, the same tool can be used to find holes, which can then beexploited.

One remarkable aspect of Jikto is that it is written entirely inJavaScript. That means it can be executed in a Web browser (and alsothat it is more-or-less platform independent – with the ability to runon Windows machines, Macs, Linux boxes, etc.) Also, if an attackercreates a Web page that includes the Jikto code, then anyone who visitsthat Web page can effectively run a vulnerability scan on an entirelyseparate Web site. The results of that scan can be reported back to theattacker. On the other hand, from the victim’s perspective thevulnerability scan will not be traced back to the attacker. Insteadthey will point to the perhaps...

Amado Hidalgo | 01 Apr 2007 07:00:00 GMT | 0 comments

I wish I could have some humorous comment or a joke to mark the day. Unfortunately I have something more serious to write about.

Symantec Security Response has detected a new worm in the wild: W32.Fubalca.It infects executables and HTML-type files, inserting links tomalicious Animated Cursor files, and exploits the currently unpatchedMicrosoft Windows Cursor And Icon ANI Format Handling Remote BufferOverflow Vulnerability (BID 23194) to download further copies of the worm.

The worm infects executables on all drives (including removabledrives), except for the drive that Windows is installed upon (e.g.C:\). As well as exploiting the vulnerability, the worm appears tospread through removable drives and already-mapped network shares.

The malicious Animated...

Orla Cox | 29 Mar 2007 07:00:00 GMT | 0 comments

Technologies come and go, but socialengineering remains the most popular technique used to propagatemalware. This tried and trusted method has been around since theLoveletter days, and malware authors don't seem to be giving up on itjust yet. This year we've seen Trojan.Peacommin a number of guises – from videos of current news stories topostcards from loved ones. However, the one "disguise" that we see mostconsistently is in the form of the humble invoice.

Recently, we've seen a spate of malware circulating (in Germany inparticular), masquerading as various invoices. The year started with aspam run of Trojan.Schoeberl.Epurporting to be a bill from German ISP 1&1. Since then, we've seenmalware disguised as bills from a variety of firms such as Ebay...

Hon Lau | 28 Mar 2007 07:00:00 GMT | 0 comments

Following the arrest of Jun Li (creator ofthe W32.Fujacks or "Panda" worm) by the Hubei Police on February 3rd,the police promised to make an example of the virus author. To thatend, the police announced in early February that they were going tohave the virus creator write a program to remove this virus and repairthe damage done by it.

On March 27th we obtained a copy of the removal tool created by Li.Naturally we were curious about the effectiveness of the tool againstthe variants of the threat that were found in the wild.

When the tool is executed, the user is presented with a message from Li himself:


The message contains an apology and an explanation that he createdthe worm for research. He ends with a warning to beware of futurethreats (from others), and to take the necessary precautions. Li alsoacknowledges that...

Eric Chien | 16 Mar 2007 07:00:00 GMT | 0 comments

One of the principles behind malware is that it follows technologyand mainstream culture. If ninety percent of the world was using theEricOS, the vast majority of threats would be designed to run on theEricOS because otherwise the threat would have nothing to infect.

In China, online computer usage patterns affect the types of malwareSymantec sees there. In particular, if you walk into an Internet cafein China, rarely do you see people using search engines like Google oron Web sites like MySpace. Instead, the vast majority of people haveheadphones on and are playing online games such as Lineage or World ofWarcraft.

Thus, Symantec sees a lot of Infostealers that attempt to stealcredentials for these types of online games. Once credentials arestolen, the hacker logs into the account, steals the virtual items, andthen attempts to sell them for real money through various boardsoutside the virtual gaming world.

An example of this threat is Lingling (...

Peter Ferrie | 15 Mar 2007 07:00:00 GMT | 0 comments

Pop quiz. What do all of these viruses have in common?

- Shrug (2001)
- OU812 (2001)
- Chthon (2002)
- EfishNC (2002)
- Gemini (2002)
- EfishNC.B (2002)
- JunkMail (2002)
- Pretext (2002)
- EfishNC.C (2002)
- Conscrypt (2003)
- Croissant (2003)
- JunkHTMail (2003)
- Shrug!IA64 (2004)
- Shrug!AMD64 (2004)
- Shrug!IA32/AMD64 (2004)
- Macaroni (2005)
- Macaroni.B (2005)
- Macaroni.C (2005)
- ACDC (2005)
- Charm (2005)
- JunkMail.B (2005)
- Hidan (2005)
- Screed (2006)
- Starbucks (2006)
- Boundary!IA32 (2006)
- Boundary!AMD64 (2006)
- Idiotic (2006)
- MachoMan!IA32 (2006)
- MachoMan!PPC (2006)
- Stutter (2007)

Apparently, they are all written by the same person, a virus writerwho goes by the name of roy g biv. (Please note that the names aboveare the names given by the virus writer.) The question, though, is howlikely is it that...

Liam O Murchu | 08 Mar 2007 08:00:00 GMT | 0 comments

A threat that we see very frequently in the lab is the back doornamed Backdoor.GrayBird or Backdoor.HuiPigeon. Today, I will shed somelight on this back door both to show how easy it has become to create apowerful back door with a rich feature set, and also to show why we seeso much of this particular back door.

Backdoor.Graybird gets its name from the Chinese company that makesthe product, which translates to Gray Bird. It is a commercial Chineseremote access tool that sells for about $100 for a 100 user license. Itcan be configured to run silently on the victim's machine and isnormally distributed via email or via drive-by downloads. (If sent viaemail, the user still needs to execute the file.) It can be packed tomake each sample unique and, most recently, NsAnti has been the packerof choice.

Backdoor.Graybird is very popular in underground Chinese hackingforums partly because it is all written in Chinese, so it is easilyunderstood, and also because...