
Security Response

Peter Ferrie | 02 Aug 2006 07:00:00 GMT | 0 comments

On July 2nd, 2006 a virus author released the first virus that infects IDC files (W32.Gatt), claiming that it would be very hard for antivirus researchers to detect and that the source code would be made public at the end of the month. Media reports at the time speculated that the virus release was intended to embarrass virus researchers because it targeted some software tools that we use to analyze malicious code. However, on July 3rd we released antivirus detection for the virus. On July 4th, the virus author withdrew the claim that the source code would be released. Coincidence? I don't think so.

Symantec’s Security Response team is just that: a response team. We responded quickly when this virus appeared and we were able to provide antivirus detections in short order. It was more than likely that the virus author had originally intended to post the...

Candid Wueest | 26 Jul 2006 07:00:00 GMT | 0 comments

Mozilla’s Firefox browser is quite popular and it is often recommended when it comes to the question: What is a safe browser alternative? Unfortunately, this does not necessarily mean that you are not susceptible to browser attacks.

Microsoft Internet Explorer is often hijacked by malware that drops browser helper objects (BHO), which will then be loaded every time the user starts Microsoft Internet Explorer. The BHOs can then manipulate data that is sent to the Internet and (for example) steal passwords or monitor user habits. With the Cross Platform Component Object Model (XPCOM), something similar to a BHO exists on the Mozilla side. It is a framework for developers to create modules that access features of the Gecko engine. For example, Firefox extensions are written with XPCOM and can therefore integrate seamlessly into Firefox.

Of course, it shouldn’t be a big surprise that this technique can also be used with malicious intent. Unwanted...

Symantec Security Response | 24 Jul 2006 07:00:00 GMT | 0 comments

Email is a great way to communicate with a wide audience, and the bad guys know it. We have seen yet another case of spam email that contains malicious code as an attachment. The attachment is a ZIP file (WC2905036.zip -> WC2905036.exe) that contains a Trojan horse program that will create a backdoor on a user's system when executed. This threat is detected as Backdoor.Haxdoor.O. Some variants may be detected as Backdoor.Haxdoor.I.

This Trojan attempts several things: downloads and executes files, logs keystrokes, listens on TCP ports, etc. We have only seen a few minor variants thus far, but one thing to be aware of is that the spam email purports to be from an online retailer that is asking the user to review an attached...

Kaoru Hayashi | 20 Jul 2006 07:00:00 GMT | 0 comments

The number of reports of “Downloader” has been increasing in recent years. Downloader is a small program that downloads other malware or security risks from the Internet. In order to protect your computer from these Downloader programs, we recommend using an updated antivirus product, controlling Internet access for each desktop program, and filtering untrusted domains (by URL or IP address) with a firewall. However, when users or network administrators need to determine which Internet resources are trusted or not, it can become difficult.

In many cases, Downloader will attempt to download other programs from a cheaply run (or even free) Web hosting service. Since domain registration is fairly simple to do and not that expensive, attackers will try to create an attractive Web site using their own domain name in order to gain the trust of visitors...

Eric Chien | 18 Jul 2006 07:00:00 GMT | 0 comments

The recent Yahoo! Mail worm, JS.Yamanner@m, is symptomatic of our increased usage and reliance on Web applications. This past weekend we saw a similar attack, but this time it was on the MySpace social networking site. Web applications are just as vulnerable to certain exploits, and even more so in some cases. In particular, services that allow people to author and post content under the service domain must always neuter any active content such as JavaScript. MySpace fails to do so, allowing an attacker to automatically hijack any user's MySpace page as soon as they visit an infected MySpace page.

The attack works by using an embedded Shockwave Flash file. The MySpace site allows members to post embedded content, such as movies and Shockwave Flash files, via an HTML “embed” tag. Shockwave Flash files can contain scripting that is simply a variant of JavaScript (...

Candid Wueest | 11 Jul 2006 07:00:00 GMT | 0 comments

Phishing attacks evolved from simple email attacks quite a long time ago. These days, we still see many attacks with obfuscated links and spoofed Web sites, but the emerging threat is in phishing malware. Even in the malware domain we have seen further developments, from basic key logging to session modification Trojans. The attacks are becoming more sophisticated in order to circumvent the current prevention methods.

Take, for example, the Trojan.Satiloler family. This threat monitors traffic that is sent and received by a Web browser. It can inject script code into received Web pages before they are passed to the user’s browser. If the Trojan finds a predefined online banking Web site, it replaces all of the Web form submit functions with its own functions. This enables the Trojan to control the information flow on that particular site without the user noticing. If a...

Peter Ferrie | 30 Jun 2006 07:00:00 GMT | 0 comments

Things have been pretty interesting here lately. The first virus for Sun Microsystems’ StarOffice appeared, although it wasn't a real virus because it didn't actually work. We also received reports of the first parasitic virus for the .chm (compiled HTML help file) file format, and reports of the first virus that is an IDA plug-in. I say "reports" because we have been told these two viruses exist but we have not received any samples to prove it.

The StarOffice virus just goes to show that virus writers don't test their code. Despite four attempts (represented by the samples that we received; who knows how many others we didn't receive) the virus author still couldn’t seem to work out why his code wasn’t infecting anything. However, hot on the heels of these initial samples was the...

Elia Florio | 29 Jun 2006 07:00:00 GMT | 0 comments

The never-ending game of hide-and-seek between the antivirus industry and rootkits has begun a new chapter. Recently our lab discovered a new rootkit sample in the wild that is unique given the techniques it uses. It was named Backdoor.Rustock.A, and because of its special characteristics it can be considered the first born of the next generation of rootkits. Rustock.A consists of a mix of old techniques and new ideas that, when combined, make malware that is stealthy enough to remain undetected by many commonly used rootkit detectors (such as RootkitRevealer, BlackLight and IceSword). We consider it to be an advanced example of "stealth by design" malicious code. [1]

So, why is Rustock.A so special? Many rootkit detectors use a cross-view based detection algorithm. This means that they detect hidden objects by finding the discrepancies between a high-level view and a low-level view. For example, a simple rootkit detector can enumerate the...

Symantec Security Response | 11 Jun 2006 07:00:00 GMT | 0 comments

Webmail providers, such as Yahoo! Mail and Hotmail, are possible vectors of infection from mass-mailing email worms. As is the risk with Microsoft Outlook and other common email programs, if you download and execute programs from an email client you run the risk of executing malicious code. If there is a vulnerability in your email client, malicious code can even execute automatically. Webmail programs are similar to other email clients that are installed locally and are equally affected by vulnerabilities. For example, a variety of Outlook issues have been discovered in the past where attachments were automatically executed simply because a user previewed an item of email. Webmail programs are not immune from this type of vulnerability.

A new Yahoo! Mail worm, JS.Yamanner@m, is making the rounds by utilizing a vulnerability affecting webmail. Yahoo!...

Dave Cole | 09 May 2006 07:00:00 GMT | 0 comments

Back in the wild and woolly pre-bust days of ’98, distributed denial of service attacks (DDoS) knocked the froth off of some very high profile Web sites. Backed by malcode like Trin00 and Stacheldracht, the attacks made headlines everywhere, as online businesses that were the frontrunners of the emerging Internet economy were unexpectedly closed for business while they did battle with the legions of zombie computers slinging packets at them and tying up their systems.

So here we are, approximately eight years later. Trin00 and Stacheldracht have been replaced by much more powerful, multi-purpose successors like Spybot and Gaobot. And the attacks keep coming. The latest Symantec Internet Security Threat Report (March 2006) showed a 51% increase in denial of service attacks. The previous period (January 2005 to June 2005) was characterized by a gaudy 680% growth, as attacks surged from 119 per day to 927 per day. The number for the second half of 2005 now...