Security Response
Harshit Nayyar | 17 Jan 2011 14:45:08 GMT

Lest we forget, malware is a software application, albeit a malicious one. And, like any other software application, it can have vulnerabilities that can be exploited.

Our analysis of Trojan.Jnanabot has revealed several serious vulnerabilities. One of the more interesting features of Jnanabot is its custom peer-to-peer (P2P) networking protocol. In other words, its bots are designed to be a part of a P2P network and use a custom-designed protocol for communicating with each other. This ensures that there is no single point of failure and that it is harder to trace the source of the infection and to take the botnet down. While the protocol was designed to provide some degree of robustness to the botnet, it has some flaws that allow anyone (provided they have the right know-how) to exploit them for fun and/or profit. At the very least, these flaws can be used to collect information...

Gavin O Gorman | 13 Jan 2011 16:44:58 GMT

Contemporary viruses are written to make money. They achieve this through extortion, information theft, and fraud. Threats that use extortion can be some of the most aggressive and, in some cases, offensive viruses encountered. These viruses are generally referred to as ransomware. This blog discusses some of the nastiest variants that have been encountered so far.

In your face!
Whilst by its nature ransomware is not subtle, certain variants are very obvious in their approach. They use a combination of shock and embarrassment in order to extort money from people. The most recent example of this is Trojan.Ransomlock.F. The Trojan.Ransomlock family is a particular type of ransomware, which locks a user’s desktop. Once the desktop has been locked, it is then no longer possible to use the computer as normal. To restore access to the desktop, one typically...

Suyog Sainkar | 05 Jan 2011 16:33:43 GMT

Since the close of 2010, Symantec has been observing a recent spam attack that is designed to distribute malware. On the arrival of the new year, Internet users often send best wishes to their friends and families through email or make use of online greeting card services. The spammers have exploited this likelihood, since the email messages in this spam attack appear to contain Happy New Year wishes in the form of an e-card, but in fact are distributing malicious code.

Below are some sample subject lines observed in this spam attack:

Subject: New Year Ecard Notification
Subject: Have a funfilled and blasting NewYear!
Subject: Welcome 2011!
Subject: Happy 2011 To U!
Subject: Sparkling wishes on the New Year
Subject: Happy New Year Wishes!
Subject: Have a Happy New Year!
Subject: New Year 2011 Ecard Special Delivery

The message text urges the user to...

Stephen Doherty | 21 Dec 2010 12:46:38 GMT

Following my recent blog on W32.Yimfoca.B, it was clear that W32.Yimfoca also received a facelift (no pun intended). W32.Yimfoca.B spreads through instant messaging applications and, once installed, will download and install W32.Yimfoca. The latest version of W32.Yimfoca is targeting Facebook users by prompting them to fill out surveys in return for access to their accounts.

On visiting Facebook, users are prompted with an overlay message, asking them to fill in a survey before gaining access to the site. The message reads:
Complete one of these surveys to gain access this page. Otherwise you will not have access to this page.

khaley | 17 Nov 2010 13:50:44 GMT

My prediction is that we are all going to become nostalgic for the days of fame-seeking mass mailers and network worms. Think of LoveLetter, SQL Slammer, and Melissa all crashing millions of systems within hours of being released into the wild. Those threats seem quite quaint these days as we enter the third significant shift in the threat landscape.

We moved from fame to fortune (which we have dubbed “crimeware”) in the last ten years. Mass mailers were replaced by malware that steals credit card information and sells phony antivirus products. Malware has become a successful criminal business model with billions of dollars in play. The goal became stealth and financial gain at the expense of unsuspecting computer users. And Trojans and toolkits, like Zeus, are the modern tools of the trade.

We have now entered a third stage—one of cyber-espionage and cyber-sabotage. Cyber-espionage did not begin with Stuxnet, and crimeware does not end with it. In...

Eric Chien | 12 Nov 2010 23:36:05 GMT

Thanks to some tips from a Dutch Profibus expert who responded to our call for help, we’ve connected a critical piece of the puzzle.

Since our discovery that Stuxnet actually modifies code on PLCs in a potential act of sabotage, we have been unable to determine what the exact purpose of Stuxnet is and what its target was.

However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previously discussed requirements of an S7-300 CPU and a CP-342-5 Profibus communications module.

The target system would potentially look something like the diagram below:


Jeet Morparia | 28 Oct 2010 09:49:28 GMT

Recently Symantec Security Response analyzed a Trojan that uses social networking vectors to infect users on multiple platforms. Virus writers have often used this technique to entice unsuspecting users to click on a malicious link, which may result in the download and execution of threats onto the user’s “PC” (one example being W32.Koobface). I say “PC” because in the computer world, PC is synonymous with Windows computers, and they are often the target platform for virus writers for various reasons. But the popularity of other operating systems, for example Mac OSX, has captured the attention of malware writers. They are constantly trying to expand their scope beyond Windows and maximize their infection base by infecting other popular operating systems.

This particular Trojan (that Symantec detects as...

Hon Lau | 26 Oct 2010 15:56:59 GMT

Things are starting to get a little tougher in the botnet world. This year we have witnessed many shutdowns of major botnets and their owners arrested. We have also seen money mules arrested and - more importantly - arrests for the creators of the Trojan creation kits (Mariposa Butterfly toolkit). Clearly everybody in the botnet food chain is beginning to feel pressure these days and, as in any business, tough times often trigger the consolidation of operators in the competitive landscape. According to an interesting report by Brian Krebs a couple of days ago, he noted that the Zeus (Zbot) toolkit creator has left (or perhaps sold) his business and the creators of the SpyEye toolkit have...

Kazumasa Itabashi | 18 Oct 2010 16:17:41 GMT

Trojan.Zbot.B!inf, which was discovered on October 1st, has functionality to update Trojan.Zbot by using Windows Crypto API. Crypto API is a set of functions that uses PKI bundled with Windows and has been used by several malicious programs in the past. This Trojan horse uses Crypto API to create a URL to download files.

The following figure shows the Trojan using the RSA cryptographic service provider (CSP) to calculate MD5 hash values. The hash values are calculated using the compromised computer’s time as the base value.

After the computed hash value is extracted with the CryptGetHashParam function, it is converted to an ASCII character string, and that string is combined with a top-level domain (.biz, .info, .org, .com, or .net) to create a DNS name.

The following URLs are an example of the...

Shunichi Imano | 28 Sep 2010 09:19:19 GMT

Over the past weekend, it was reported that a new worm was spreading amongst the Orkut user community. As a result, some of the Scrapbooks in Orkut had a hidden iframe inserted, which points to a malicious JavaScript file. This JavaScript does several things, including sending a message “Bom Sabado”, meaning Good Saturday in Portuguese, with a hidden iframe to everyone on the infected user’s list of friends. The infected Orkut user is also made to join fake communities. These actions will surely turn “Bom Sabado” into “Mau Sabado” (bad Saturday in Portuguese). Symantec Security Response detects this malicious JavaScript file as JS.Woorkut.

At the end of the day, this worm doesn’t do much harm. However, if the attacker behind this mischief is maliciously motivated, the worm could potentially cause serious damage. We...