Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Malicious Code
Showing posts in English
Not Such a Cute Bird
Liam O Murchu | 15 Nov 2006 08:00:00 GMT | 0 comments

While analyzing a sample of W32.Graybird recently, I noticed a request for a picture from a well-known photo hosting site. The picture was of a cute fluffy bird (not gray, though) ;-) holding a bunch of roses (see below). The request seemed unusual and caught my attention.

bird2.jpg

Why was a back door connecting to a photo hosting site and requesting a picture like this? We often see threats connecting out for what appears to be a picture, but what is downloaded is actually an executable. In this case, it really was a picture that was downloaded. In other cases, the downloaded picture may contain executable code hidden within it, but here there was no executable code found inside either.

Upon closer inspection, a URL was found appended to the end of the image. The Graybird sample was downloading the image and...

Read more
Handling Today's Tough Security Threats: Rootkits
Mimi Hoang | 02 Nov 2006 08:00:00 GMT | 0 comments

Rootkits are on the rise! We define a rootkit as a component that uses stealth to maintain an undetectable presence on a computer. Above and beyond that, the actions performed by a rootkit are done without end-user consent or knowledge.

Open source offers ready-to-use rootkit applications that are widely available to anybody using the Internet. Even an inexperienced rookie would be able to use a rootkit without having to understand how it works. These hi-tech criminals are money hungry and want to hide their actions and presence on any system they get on. Rootkits are perfect to help them commit fraud and identity theft by granting the attackers unauthorized access to privileged and proprietary information, and launching and hiding other malicious applications on the system. Above all, it leaves the hi-tech criminal with a back door to be able to continue to harm the victimized machine. As well, a large proportion of spyware and adware programs that use...

Read more
Do the Macarena!
Peter Ferrie | 02 Nov 2006 08:00:00 GMT | 0 comments

We received a virus on Thursday morning that parasitically infects OSX Mach-O format files, without relying on resource forks. It's called OSX/Macarena. If you have read the OSX/Leap paper from this year's Virus Bulletin conference, you will have seen some suggestions about possible infection methods. Those suggestions were all ignored by the virus author in this case. Instead, the virus writer has found a rather unexpected region of memory in which to place the code, along with a way to gain immediate control when an infected file is executed. There is no payload in this virus—it simply replicates. However, it won't replicate very well, because it is restricted to the current directory. On Windows systems it is common to have directories like "Windows" and "Windows\system32" full of executable files; but, files aren't stored like that on OSX systems....

Read more
Why didn't I think of that?!
Patrick Fitzgerald | 20 Oct 2006 07:00:00 GMT | 0 comments

Many of the new threats seen today aren’t advancements in their own right; rather, they just take advantage of advancements in technology. For example, VBScript enables programs to be written quickly, but also makes writing malware extremely easy. Remember VBS.LoveLetter, also known as the “I-Love-You” worm? This was a mass-mailing worm that ultimately ended up causing millions of dollars worth of damage because of crashed servers, not to mention the punitive damages caused by files being overwritten. While VBScripts gave administrators the ability to perform more robust tasks via scripting, developers need to be aware of the possible detrimental effects of these new technologies. For example, after VBS worms became widespread, Microsoft forced user consent before a script could harness Microsoft Outlook to send itself, thereby neutering that attack vector.

Another seemingly innocuous feature has been extremely useful to some malware writers. The advent of...

Read more
Gromozon Evolution: From Spaghetti to Lasagna
Elia Florio | 19 Oct 2006 07:00:00 GMT | 0 comments

Since we last talked about Trojan.Linkoptimizer (a.k.a. Gromozon) and the Italian Spaghetti saga, there have been some significant developments. What we had originally dubbed "spaghetti threats" now look much more like multi-layered "lasagna threats". Several new features and improvements were integrated into the latest incarnation of this Trojan by the authors, who are probably getting paid well for all of their efforts.

How do users get infected with Linkoptimizer/Gromozon variants? We noticed that the complicated distribution scheme of Trojan.Linkoptimizer (shown in Figure 1) introduced a few significant changes, compared to the original scheme of the previous blog article. Here are the new...

Read more
W32.Rajump: Playing on an iPod near you?
Orla Cox | 18 Oct 2006 07:00:00 GMT | 0 comments

Closely following McDonalds' trouble with infected MP3 players, Apple has now confirmed that a small number of Video iPods were shipped with malware onboard. According to an announcement on the Apple support site, Video iPods purchased after September 12th could potentially contain a copy of W32.Rajump. Like W32.Pasobir, the worm found on the McDonalds MP3 players, it too has the ability to copy itself to removable USB drives. Apple is recommending that users run an antivirus scan of their Video iPod before use.

Apple is quick to point...

Read more
Would you like a virus with that?
Orla Cox | 17 Oct 2006 07:00:00 GMT | 0 comments

McDonalds' customers in Japan recently found themselves exposed to a worm infection when MP3 players, offered as a prize in a drink promotion, were found to contain a worm called W32.Pasobir. This isn't the first time we've seen hardware devices and media accidentally shipped with malware. One of the more famous incidents occurred back in 1998, when the W95.Marburg virus was accidentally shipped on some game CDs, including CDs offered free with gaming magazines. More recently (again, in Japan) hard drive manufacturer I-O Data accidentally shipped a number of hard disks containing a back door Trojan horse. In most circumstances the malware itself is old, in which case any up-to-date antivirus program should prevent infection...

Read more
Virus Writers Narrow Their Focus
Peter Ferrie | 06 Oct 2006 07:00:00 GMT | 0 comments

“Garry’s Mod” is a fairly popular modification add-on to the first-person shooter game Half-Life 2. Garry’s Mod doesn’t actually contribute any benefits to the game play, but it allows Half-Life 2 players or enthusiasts to modify objects and/or features in the Source engine, which is the 3-D gaming engine used to run Half-Life 2. Lua scripting has also been added to Garry’s Mod to allow players to create personalized game modes and weaponry. Of course, along with the introduction of Lua scripting support to Garry's Mod comes the predictable appearance of Garry's Mod-specific Lua viruses. So far, all of them simply copy themselves into a specific location and add a reference to themselves in the startup list.

Corresponding with the appearance of the virus scripts was the appearance of antivirus scripts. Unfortunately, some of those antivirus scripts are themselves viruses—the classic and misguided "spread to all...

Read more
The Importance of Updating Antivirus Definitions
John McDonald | 02 Oct 2006 07:00:00 GMT | 0 comments

It is often said that an antivirus (AV) product is only as good as its most recent signature update; however, that's not strictly true. Even if your AV definition set is months out of date, it will still protect you from some of the worst viruses and worms of all time: Mydoom, Netsky, Bugbear, Sasser, Klez, Sobig, and Nimda, for example. On the other hand, the statement does hold some truth. While an AV product won’t protect a computer from every new threat right from the moment that threat is unleashed into the wild, most AV companies are very quick to add protection for new threats and make that updated protection available to their customers—usually within hours. Given that most threats spread relatively slowly (with a few notable exceptions, such as Slammer (W32.SQLExp.Worm), but that only affected certain systems running specific software), the...

Read more
Infostealer goes to Hollywood!
Andrea Lelli | 26 Sep 2006 07:00:00 GMT | 0 comments

We have seen malicious code steal a lot of information in the past: bank credentials and certificates, email accounts, IM passwords, online gaming accounts; but, that was not enough! Now, satellite shared accounts are going to have a turn.

There is a service out there called "cardsharing" that allows you to use the subscription rights of one satellite smartcard on multiple satellite receivers. Using this service, the receivers download the smartcard key information from the Internet or a LAN instead of the original smartcard, which will allow simultaneous viewing of satellite television on several receivers.

A cardsharing user needs to install a couple of computer programs on their local hard drive (WinCSC and ProgDVB), which store a configuration file containing the legitimate account data required to access the satellite service. All of the information is stored in plain text format and the configuration file contains the username and...

Read more