Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Malicious Code
Showing posts in English
Rebuking the New School
Mat Carter | 28 Feb 2007 08:00:00 GMT | 0 comments

As any regular reader of security industrynews will tell you, over the past few years the quality that is mostprized by malicious coders is stealth. Loud, reputation-enhancingattacks are strictly for the teenage malcontents of a previous century.Today’s malicious coders are professionals who prefer a more commercialmodel, which aims to compromise as many machines as possible, asquietly as possible, with the minimum amount of effort—and they areadopting increasingly diversified tactics to this end.

Older malicious code tended to rely on the static hosting of themalicious payload and this was always susceptible to filtering andtargeted action from law enforcement. Consequently a trend developed totry and keep the payload moving and hard to shut off using fast fluxDNS techniques, or to store it on "bullet proof" hosting from providersthat usually ignore complaints. However, the Security Response team hasrecently noticed a simpler approach that can be utilized...

Read more
Fake Archiver Product Found in Korea
Masaki Suenaga | 26 Feb 2007 08:00:00 GMT | 0 comments

A fake installer for the Korean version of ALZIP – a commercial archiver application and a component of the ALTOOLS series created by ESTsoft Corp – was recently discovered, which Symantec detects as Trojan.Dropper.

When the fake installer is executed, it displays the same window as the genuine application and then installs the genuine archiver. During installation, it drops another executable file, which in turn drops Backdoor.Trojan and Hacktool.Keylogger. These two files are hidden by a third dropped file detected as Hacktool.Rootkit.

The rootkit does not hide the files in Safe Mode however. The files are:
%System%\yoorycom.d1l
%...

Read more
Not-So-Fun Video Postcard
Eric Chien | 26 Feb 2007 08:00:00 GMT | 0 comments

A variety of bulletin boards are being spammed with the message to visit mailfreepostcards.com (don't visit that domain!) for a fun video. However, when visiting that site, users are prompted to download an executable. Message board spam is nothing new, but what is different about this message board spam is the spam text is actually integrated into legitimate messages posted by real users.

Posters are infected with an updated version of Trojan.Mespam, which is downloaded by Trojan.Peacomm. This threat has the ability to watch all your network traffic via a layered service provider (LSP) and when it notices you posting to a bulletin board, it modifies your posting to include the spam text.

Trojan.Mespam can not only inject text into...

Read more
Friendly advice from your peer?
Shunichi Imano | 24 Feb 2007 08:00:00 GMT | 0 comments

In last Friday's blog titled Hello Screen Saver, Sayonara Files, we reported about Trojan.Pirlames, which can be obtained through peer-to-peer file-sharing networks.

Today, we found a couple of similar Japanese Trojans; Trojan.Haradong.B and Trojan.Pirlames.B.

Trojan.Haradong.B masquerades as a Windows screen saver file or .avi file with the following file names:

...

Read more
Where Are All the L4m3rs?
Liam O Murchu | 23 Feb 2007 08:00:00 GMT | 0 comments

Mirror, mirror on the wall, who is the lamest of them all? The attacker behind this scheme hopes to find out where all the l4m3rs are (his words not mine). In a classic social engineering attack, customers have been reporting that they have received an unusual piece of spam recently.

The mail is supposedly from a hosting or collocation company and says something along the lines of this:

Dear COMPANYNAME Inc. Valued Members,

Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.

So, to secure your Web sites, please use the attached file and (for UNIX/Linux Based servers) upload the file "guard.php" in: "./public_html"
or (for Windows Based servers which use ASP) upload the file "guard.asp" in: "./wwwroot" in your site.
[instructionsincluded]
Thank you for using our services and products. We look...

Read more
Hello Screen Saver, Sayonara Files
Hon Lau | 23 Feb 2007 08:00:00 GMT | 0 comments

Today we received samples of a Japanese Trojan called Trojan.Pirlames, which masquerades as a Windows screen saver file. This Trojan is likely to be spread through file-sharing networks such as Winny, which is highly popular in Japan. We have seen the following file name being used so far:

Master of epic the animation age OP∩+ Miracle Episode I (MP3 128kbps ⌠-⌠TΓWΓΓΓPΓbΓg≥t).zip[MANY SPACE CHARACTERS].SCR

When executed, the Trojan will display an image that warns the user against the use of Winny. One example contains a message that roughly says: "Even though Mr Kaneko (Creator of Winny) was found guilty, you are still using Winny. I really hate these kinds of people."

p2.jpg...

Read more
Where Phishing and Malware Meet
Zulfikar Ramzan | 21 Feb 2007 08:00:00 GMT | 0 comments

n this blog entry, I’ll talk about where malicious software (or malware) can find its place within the lifecycle of phishing attacks. This material accompanies a recent panel I participated in during the American Association for the Advancement of Science Annual meeting. If you attended the panel, this blog will review the points I made. If you missed the panel, then hopefully you’ll get a sense for what I covered.

Phishing: Overview and Motivation. Recall that a phishing attack is one where some illegitimate entity sends you an email posing to be a legitimate entity, like a bank or credit card company. Their goal is typically to get you to click on a link in the email, which directs you to a Web site that appears to be that of the legitimate entity. You are prompted to enter sensitive information, and from that point onward, the information is in the hands of an attacker. Not only can he or she wipe your accounts clean, but that information can then be used...

Read more
Emperor Entertainment Group Web Site Hacked
Symantec Security Response | 12 Feb 2007 08:00:00 GMT | 0 comments

Emperor Entertainment Group: From sex photo scandal to Web site being hacked, key word: protect the data on your hard drive.

It's probably not the best way to advertise privacy protection, butit's indeed something that should ring a bell for those who leave theirportable devices unattended or unsecured.

Rumor has it that Edison Chan, the popular celebrity from Hong Kong,had data stolen from his personal laptop. Now under normalcircumstances, this would be bad enough. However, it turns out Mr. Chanhad taken hundreds of pictures and videos of over 14 female celebritiesin various states of dress and involved in various sexual acts, andstored this data on his computer. The stolen data has since spreadquickly over the Internet.

Earlier today the Emperor Entertainment Group's Web site - the groupthat several of the victims have contracts with - was hacked by someonecalling themselves "blspi" with the following message in Chinese, "...

Read more
Love is in the Air....
Orla Cox | 08 Feb 2007 08:00:00 GMT | 0 comments

Today has seen another large-scale spamming of Trojan.Peacomm, aka the "Storm Trojan". With Valentine's Day approaching, this time around the authors are attempting to tug on the heartstrings of unsuspecting users with romantic subject lines such as "My Heart belongs to you" and "Together You and I". The mail body is empty and the attachments have the usual names of "Greeting Card.exe", "Postcard.exe", and "Greeting Postcard.exe".

The Trojan is much the same as we've seen before, the only difference being that the authors have used a modified packer in an (unsuccessful) effort to evade detection by AntiVirus vendors. These latest samples are proactively detected as Bloodhound.Packed.13 with Rapid Release definitions dated 02/07/2007 (revision 54). Definitions dated 02/08/2007 (revision 25) and later will...

Read more
They Are Out to Get You
Candid Wueest | 07 Feb 2007 08:00:00 GMT | 0 comments

If you live in a German-speaking region, then you might have received one or two strange emails last month, which were unlike the huge amount of regular spam often seen. The first type of odd email was multiple instances of alleged invoices that were sent as email attachments by local ISPs or other service providers. The disguised attachment had a .pdf.exe double extension, which was not an invoice document at all, but a Downloader. Some people thought it was a scam asking for payment for a service that was never received (which was not true in this case), but even so the decision to immediately delete the email was the right choice.

At the end of January, another strange email made its rounds. This one claimed to come from the Bundeskriminalamt (BKA), the federal police in Germany. The email text mentioned charges against the user for downloading illegal movies and software and referred to the attachment as a fax form for statements that had to be completed as soon as...

Read more