Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Malicious Code
Showing posts in English
From virtual money to real money
Kaoru Hayashi | 21 Sep 2006 07:00:00 GMT | 0 comments

Recently we have seen an increase in Trojan horse programs that attempt to steal online gaming accounts. Massively multiplayer online role playing games (MMORPG), such as Lineage, Ragnarok Online, World of Warcraft, and Final Fantasy are often targeted by these Trojans. What is the purpose of the attacks? Money. Players can trade their virtual money or items used in their game of choice online, at a special market called RMT (Real Money Trading). RMT is run by third parties and is not usually permitted by the official game vendors; however, RMT has become a big market. A recent report stated that RMT has traded more than two billion USD thus far in 2006. So, if attackers can steal gaming account information from compromised computers, they can easily sell virtual money for real money in the RMT market.

Attackers use a variety of methods to install Trojans on compromised computers. One of these ways is to use a Web site. In the past, attackers used to...

Read more
The poor man's rootkit
Hon Lau | 16 Sep 2006 07:00:00 GMT | 0 comments

In a recent blog, I mentioned that Office documents were a great place to hide malware in order to maximize its chances of distribution. This time I want to draw attention to the fact that the Windows Registry is also another handy reference tool for some Trojans, too.

A Trojan will usually drop another copy of itself or a components as part of the installation process to try and throw users off track. So, typically a Trojan would run and as part of its installation process, it would drop a copy of itself using another filename in, say, the Windows System folder and modify the registry to run itself at every restart of the computer.

The goal of any effective profit-making malware is to get installed and run undetected for as long as possible to try and maximize the profit-making window. Many angles of attack and stealth have been explored by malware authors over the years. Some are high tech, as we see with rootkits. Some are low tech, such as in...

Read more
Build-your-own Trojan starter kit
Hon Lau | 31 Aug 2006 07:00:00 GMT | 0 comments

Software engineers, just like any other professionals, are always on the lookout for a faster, better, and cheaper way of getting the job done. In the construction industry you can use pre-cast concrete and timber frames to speed up production. Likewise, in the systems engineering world you can use code generators and CASE tools (and the like) to make things easier. So, it comes as no surprise that malicious software creators have also been building tools and aids to help them become faster and better.

Many years ago, building a useful and profitable piece of malware required a fair amount of skill and knowledge of the systems being targeted for attack. The lack of handy tools, together with a limited target group for the malicious code, made it difficult to make any easy money out of writing malicious code. Unfortunately, those days are long gone. Today, it doesn’t take much skill to produce, distribute, and maintain a large collection of deployed...

Read more
Mass-mailers are dead! Long live mass-mailers!
Hon Lau | 29 Aug 2006 07:00:00 GMT | 0 comments

Currently, exploits are the flavor of the month as far as malicious code authors are concerned. However, in recent days we have seen a few variants of a new mass-mailing worm called W32.Stration@mm successfully spreading on a moderate scale over the Internet. For some time now we have observed fewer and fewer new instances of mass-mailing worms, so it has now become a bit of a novelty to see that somebody is still willing to invest time and effort into creating a worm that uses this method as the primary means of propagation.

Mass-mailing worms have been around for a long time and people have, by and large, learnt to defend themselves more effectively against them. In the fight back, many administrators now block certain attachments on the gateway; some may apply email filtering such as...

Read more
Virus Q&A – W32/W64.Bounds
Peter Ferrie | 28 Aug 2006 07:00:00 GMT | 0 comments

I have posted this blog in order to outline a recent Q&A session that provides more information about my previous blog regarding a new virus affecting the AMD64 platform.

Q. How does the virus function occur (infection, propagation, etc.)?

When an infected file is executed it functions normally; however, when the application wants to terminate (e.g., the user closes it), the virus code is then called. At that time, the virus will seek other files in the directory that contain the currently infected file and all subdirectories below it. Any Windows executable file, regardless of the file extension (i.e., not just .exe files), will be infected if it passes a strict set of criteria that the virus carries.

Q. Is it easily detected and, for that matter, avoided?

No, the detection is not...

Read more
Polymorphism comes to the AMD64
Peter Ferrie | 25 Aug 2006 07:00:00 GMT | 0 comments

We recently saw the first polymorphic virus for the AMD64. It was released by the same virus writer responsible for the development of the first virus for the Intel Itanium platform; I suppose it was only a matter of time before this author began to do some serious research on the AMD64 platform, too.

The AMD64 virus is both polymorphic and entrypoint obscuring. The entrypoint obscuring is achieved in two ways: one is by making an unusual use of the Bound Import Table, the other is by creating a polymorphic decryptor that contains no explicit register initialization (e.g. MOV instructions). The result is that it is not a simple matter to find the true start of the decryptor and to emulate from the wrong place can result in incorrect decryption.

Interestingly, the virus author also created a 32-bit version of the same virus, using exactly the same techniques....

Read more
Gromozon.com and Italian spaghetti
Eric Chien | 24 Aug 2006 07:00:00 GMT | 0 comments

Over the last few weeks we've been tracking attacks coming from Gromozon.com. These attacks have actually been happening for a few months now, but the number of reports has recently escalated. In particular, a variety of Italian blogs and message boards have been spammed with links to hundreds of different URLs over the last week. These URLs all eventually point to gromozon.com and after an extensive trail of code downloading other code, one ends up infected with LinkOptimizer, which dials a high-cost phone number and then displays advertisements when browsing the Internet.

When you visit one of these malicious links, it eventually loads a page from gromozon.com that determines which browser you are using. If you are using Internet Explorer, it attempts to exploit a Internet Explorer vulnerability. The exploit has changed over time, but is...

Read more
IME-Aware infostealer discovered
Masaki Suenaga | 18 Aug 2006 07:00:00 GMT | 0 comments

Traditional key loggers are used to capture key strokes or parameters of WM_CHAR window messages. A key logger is usually good enough to decipher what is input by the user if the language is English, French, Russian, Arabic, Thai and so on. However, people in China, Japan, and Korea often have to input thousands of different kinds of characters, known as Chinese characters, Hiragana and Katakana, and Hangeul, while the PC has only 100 keys on the keyboard. That is why input method editors (IME) exist for these languages.

In order to input one special character through an IME, we need to type between one and six keys. Basically, we type the reading of the string (or parts of Hangeul in Korean) to obtain the converted strings. But, a reading can end up with multiple versions of the converted strings, which requires the user to ultimately determine the converted string. This final string is called the “result string” of an IME. Another IME-related technique...

Read more
Justsystem's Ichitaro zero-day used to propogate Trojan
John Canavan | 16 Aug 2006 07:00:00 GMT | 0 comments

In recent months, we have seen a number of zero-day Microsoft Office exploits used to drop Trojan horses on affected systems. The release of the exploits had been timed so that when Microsoft released their patches, a zero-day exploit surfaced the next day. The timing of these releases was noted by Symantec Security Response and it was speculated that the people behind these exploits had discovered multiple vulnerabilities in Microsoft Office and were holding back on releasing them, in order to maximize the time-to-patch for each of their finds.

Today, we have seen another targeted attack on a document editing suite; however, this time around it is Justsystem's Ichitaro. Ichitaro is a word processing program widely used in Japan.

The malicious document uses a unicode stack overflow to execute its code on the system, dropping and executing a Trojan horse named Backdoor.Papi. When run, Backdoor.Papi copies itself to the %system% directory, creates a service named CAPAPI...

Read more
Back to the Future
Eric Chien | 07 Aug 2006 07:00:00 GMT | 0 comments

While most of the threats we see today are average infostealers or IRC bots, we still regularly receive malware that sits on the fringes of the malware landscape. The fringes don’t only involve threats that run on uncommon platforms; they also include threats that use old school techniques (such as simple file infectors), or threats that are well before their time.

Recently, a virus magazine (it, in itself, an endangered species) was released that had a collection of more than 30 pieces of malware. These different types of malware fell all along the spectrum, but most of them definitely leaned towards the fringes. Some examples of the malware included were:
- a worm that spreads by modifying all the links on a Wiki to point to itself
- a MatLab scripting virus
- a 64bit infector
- a CHM (Compiled HTML) file infector
- a virus for FreeBSD
- more than one threat written in C#
- a virus that infects Microsoft InfoPath files...

Read more