Security Response
Showing posts tagged with Malicious Code
Symantec Security Response | 19 Dec 2006 08:00:00 GMT | 0 comments

A new worm has been discovered that targets Skype, the voice-over-IP (VoIP) telephone application. The worm uses the Skype Control API to send text chat messages containing a malicious link to other Skype users. We highlighted the possibility of the Skype API being used as an infection vector for malicious code in a blog article in May of this year:

However, in this case the security measures implemented by Skype have not been bypassed programmatically. Instead, the worm pleads with the user via a pop-up message box to "Allow this program in skype."
On a live system, the user will receive this pop-...

Peter Ferrie | 18 Dec 2006 08:00:00 GMT | 0 comments

SecuriTeam recently ran a Code Cruncher competition. The idea was to create the smallest possible Windows executable file that could download an arbitrary file from the Code Cruncher site.

While the final results are not in yet, one entry at 210 bytes (including the length of the URL) looks set to be the winner. Why? Because it executes entirely from within the PE header. That's right - there is no code outside of the file header, only strings, such as the URL. Even more amazing, those strings are encrypted. The decryptor fits into the PE header, along with the downloader code.

Here's a sanitized version of it (the relevant code and URL have been replaced):

Malware that can travel in one network packet, even smaller than CodeRed...

Mimi Hoang | 14 Dec 2006 08:00:00 GMT | 0 comments

Rustock, also known as “Spambot”, is a family of back door programs with advanced user-mode and kernel-mode rootkit capabilities. Rustock has been in constant development since around November 2005. Rustock is a tough threat to combat because it combines multiple evasion techniques to remain undetected by commonly used rootkit detectors, such as Rootkit Revealer, IceSword, and BlackLight.

To start with, Rustock is downloaded from remote Web sites that host Web browser exploits and is then installed on unpatched computers. Along with the Rustock threat, a downloader will download other malicious code and even a misleading application, Spy Sheriff.

The second version of Rustock, named Rustock.B, employs even more sophisticated techniques than its predecessor – the original Rustock.A. Its advanced rootkit techniques,...

Eric Chien | 06 Dec 2006 08:00:00 GMT | 0 comments

In 2004, I spoke at Virus Bulletin about a new technology that at that time was known as Monad. Monad has since been given the official name Microsoft PowerShell and has recently been released for Windows XP and Windows Server 2003, with Vista versions following in January 2007. PowerShell is a new command line shell, like cmd.exe, but much more powerful.

In 2004, PowerShell was still in its early beta stages and was originally rumored to ship by default with Vista. I examined the robust features of PowerShell and demonstrated that a variety of malicious code types were possible – including viruses, worms, and Trojans – using PowerShell. More worrying was that this new language (and platform) was a scripting language and could follow in the footsteps of Melissa and LoveLetter. In addition to their clever social engineering, those threats...

Orlando Padilla | 01 Dec 2006 08:00:00 GMT | 0 comments

The long anticipated Windows Vista operating system is finally out the door and as anyone would agree, it’s celebration time at Microsoft. But, let’s discuss what we are in for with a peek at the default user environment on the 32-bit platform.

Symantec Advanced Threat Research decided to conduct an analysis of Windows Vista’s security enhancements provided by User Account Control (UAC) and the resulting new security barriers. No formal requirements were defined, although a few guidelines were set to stay organized: gather a sample set of malicious code, execute the samples under the default UAC environment, and carefully determine their success. The results were then broken down into three categories:
1) Successful execution of malicious code
2) System restart survivability
3) Failed execution of malicious code, and why

There are two important prerequisites in place to establish fair play practices:
1) All malicious code must be executed under the...

Elia Florio | 30 Nov 2006 08:00:00 GMT | 0 comments

In a letter to the editor of CrossTalk magazine, “Rubey” of SofTech Inc. exhorted developers to “go beyond the condemnation of spaghetti code to the active encouragement of ravioli code.” It was 1992 and the "pasta theory of programming" was officially born. Since we first talked of the “spaghetti code” used by Trojan.LinkOptimizer, at least one blog reader has asked for more details about it, so I decided to post a brief explanation and a visual demonstration of what exactly spaghetti code is.

Programmers talk about spaghetti code when a program has a complex and tangled control structure that uses many jumps (GOTOs) or other unstructured branching constructs. Now, take a second to solve the following visual quiz. Look at the images below, which show three different graphs generated by IDA Professional (a well-known disassembler program). Each graph is the result of the analysis of the function flow of an executable...

Symantec Security Response | 28 Nov 2006 08:00:00 GMT | 0 comments

Symantec has confirmed the existence of a new worm called W32.Spybot.ACYR, which takes advantage of several Microsoft vulnerabilities. The worm also attempts to exploit a previously addressed vulnerability in Symantec Client Security and Symantec Antivirus, SYM06-010; patches for the particular Symantec product vulnerability have been available since Thursday, May 25, 2006. As a result, customers who have applied the patch in their environment are unaffected by the worm’s attempt to leverage the Symantec vulnerability for an attack. Customers running Symantec Client Security or Symantec intrusion prevention (IPS) capable products are protected against all known and unknown exploits of SYM06-010 via IPS signatures released on May 26, 2006.

At the present...

Mimi Hoang | 23 Nov 2006 08:00:00 GMT | 0 comments

We have recently seen an increase in the number of zero-day exploits, which indicates that attackers are being more methodical in their discovery and use of software vulnerabilities. A zero-day exploit occurs when a software flaw is only discovered after it is already being exploited in the wild (and there isn’t a patch available from the vendor).

The “window of exposure” is the time frame during which users of vulnerable software will be at risk. This is calculated as the difference in time between when a vulnerability is exploited and when a patch is made available. The average window of exposure from the first six months of 2006 was 28 days – a dangerously large window in which systems and users are at risk:

Average time to develop a patch – Time to develop exploit code = Window of exposure (31 – 3 = 28 days)

While vendors continue to make strides and reduce the amount of time it takes to release a patch, attackers seem to be staying one step ahead of...

Patrick Fitzgerald | 22 Nov 2006 08:00:00 GMT | 0 comments

Malware is becoming increasingly complex. Take Rustock.B for example: this threat goes above and beyond to prevent analysis and detection. A blog article is probably too small a space to describe everything Rustock does technically, but you shouldn’t be surprised, considering its complexity, that Rustock has a clear financial motive. In particular, apart from hiding itself with advanced rootkit techniques, the primary goal of this threat is to send a lot of spam. Capturing spam such as this allows us to update our email security products, such as Brightmail AntiSpam. In addition to pharmaceuticals, mortgages, and imitation product spam, Rustock has also sent stock-based spam. Stock-based spam usually consists of some random text, followed by an image, followed by more random text. Below is an example of one of the stock-based...

John Canavan | 20 Nov 2006 08:00:00 GMT | 0 comments

In the early part of this year, W32.Blackmal.E@mm and OSX.Leap.A received near blanket coverage from the technical media. W32.Blackmal.E@mm was a mass-mailing worm with two particular features that ensured it quickly became a focus of attention. When run, the worm would execute a Web-based PHP script, which was intended to function as an infection counter. Cue the daily tech-blog updates: "Clock ticking for Nyxem virus" (Slashdot), "Blackworm worm over 1.8 million infestations and climbing" (Sunbelt). Even the fancy animated .gifs of a counter shot up from 398,000 to 440,000 in seconds (F-Secure). Couple this with the fact that the worm was programmed to delete files with a number of common extensions on the third of the next month, and there's a storm a-brewin': "Kama Sutra worm seduces PC users" (cnet),...