Video Screencast Help
Security Response
Showing posts tagged with Malicious Code
Showing posts in English
Liam O Murchu | 24 Sep 2010 08:42:33 GMT

Code to exploit the zero-day .lnk file vulnerability (BID 43073) used by Stuxnet was added to the threat around March 2010; we know this because the samples we observed before this date did not contain code to exploit that vulnerability. This leads us to the following question: how did previous Stuxnet variants spread through removable devices?

The answer is that older versions did not use a vulnerability but instead an AutoRun trick to spread. The worm’s trick was to create an autorun.inf file in the root of removable drives that served two different purposes. The specially crafted file could be interpreted as either an executable file or as a correctly formatted autorun.inf file. When Windows parses autorun.inf files the parsing is quite forgiving. Specifically, any characters that...
Nicolas Falliere | 22 Sep 2010 06:58:20 GMT

We first mentioned that W32.Stuxnet targets industrial control systems (ICSs) -- such as those used in pipelines or nuclear power plants -- 2 months ago in our blog here and gave some more technical details here.

While we are going to include all of the technical details in a paper to be released at the Virus Bulletin Conference on September 29th, in recent days there has been significant interest in the process through which Stuxnet is able to infect a system and remain undetected.

Because Stuxnet targets a specific ICS, observing its behavior on a test system can be misleading, as the vast...

Fergal Ladley | 21 Sep 2010 22:30:43 GMT

Back in July we saw the Stuxnet worm targeting industrial control systems. The Stuxnet authors stole the digital signatures of two Taiwanese chip makers and used them on the rootkit employed by the worm. Just how they were getting their hands on the private keys needed to steal the signatures remains a missing piece of the Stuxnet puzzle.

In order to digitally sign a binary you must have a private key. If attackers can gain possession of the key they can steal the key owner’s signature; therefore, the owner of the private key should ensure that it remains private. Somehow, these private keys were stolen and used by the Stuxnet authors to sign the rootkit in order to ensure that it would be loaded by Windows Vista and Windows 7.

Obtaining a private key for a digital certificate may not be as difficult as one imagines. Infostealer.Nimkey is an example of a threat that...

Liam O Murchu | 18 Sep 2010 04:29:21 GMT

We have been made aware of a recent blog posting pointing to the fact that the print spooler vulnerability used by W32.Stuxnet and addressed in the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability was in fact known about since 2009. An article was published in a security magazine that showed how the vulnerability worked in late 2009. We are currently investigating this; however, from our initial review of that article it appears to do exactly what Stuxnet does when exploiting the Print Spooler vulnerability. We will update this article with more information shortly.

Update: We have confirmed with Microsoft that this issue is indeed one that was patched with the release of ...

khaley | 15 Sep 2010 13:29:02 GMT

“It can’t happen to me”

Hunters and gatherers. Most people think of cybercrime against business to be the work of hunters such as cybercriminals who target then infiltrate a company to steal from it. Reading the newspaper, it’s easy to convince yourself that these hunters are after big game and a small business does not have to worry about these targeted attacks. Maybe; however, we’ll talk more about that later. The majority of cybercriminals can best be described as gatherers. They throw wide nets and take advantage of whatever victims land in those nets. Small businesses really must watch out for the gatherers.

Because the barrier of entry is low, there are many gatherers. A gatherer doesn’t have to be a criminal genius. They don’t even need advanced computer skills. They really don’t need to know much at all—except where to buy a toolkit. Toolkits allow criminals with limited skills to get...

Karthik Selvaraj | 13 Sep 2010 10:35:53 GMT

While things had been quiet, we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back, as we've been seeing evidence of their attacks since January, including an attack I’d like to talk about below.

A PDF malware sample exploiting a critical Adobe zero-day vulnerability was reported in the wild a few days ago. In this post we want to provide more information about this in-the-wild malware and the attack rather than the vulnerability itself.

A public report of the PDF malware seen in the wild showed a social engineered email with following properties:

Subject “David Leadbetter’s One Point Lesson”
Sent date: “Monday, September 06, 2010 8:01 AM”
Attachment:  Golf Clinic.pdf (Md5: 9c5cd8f4a5988acae6c2e2dce563446a)

The PDF file attached to the...

Brian Ewell | 09 Sep 2010 22:03:20 GMT

Security Response has confirmed reports of a worm spreading through email under the subject  "Here you have". The mail to the unsuspecting recipient claims to be providing a document available through a URL. The URL is spoofed and actually points to a malicious binary being hosted on a different server.

The email will appear similar to the following:

In this instance, the actual file downloaded would be named ‘PDF_Document21_025542010_pdf.scr’ and is housed on the domain ‘’. This file is a minor variation of W32.Imsolk.A@mm. The main characteristics of the worm’s functionality are as follows:

·         Spread through mapped drives through autorun
·  ...

Piotr Krysiuk | 27 Aug 2010 20:58:11 GMT

In this blog we continue our analysis of the recently discovered Tidserv variant that is capable of infecting 64-bit Windows operating systems. While we gave a quick overview of the threat yesterday, today we’re going to talk more about how Tidserv installs itself on 32- and 64-bit operating systems.

While Backdoor.Tidserv.L arrives as a 32-bit Windows executable, it checks if it's running under a 32- or 64-bit version of Windows and chooses an architecture-specific method of installing itself. If it finds that it’s running on a 32-bit system, it uses the same method as older Tidserv variants to gain necessary privileges—by executing itself in the Print Spooler service. Next, it drops a 32-bit version of the malicious kernel driver and loads it into the Windows kernel. Once the driver is loaded, it infects the Master Boot Record (MBR) with a malicious version.

It then...

Symantec Security Response | 26 Aug 2010 17:29:18 GMT

Backdoor.Tidserv first came to light in back in 2008 as a Trojan that uses an advanced rootkit to hide itself. Since then, Symantec has seen many changes to Tidserv and we have documented a number of the changes in our blog postings. Yesterday, Symantec came across a new sample of Tidserv that we have broken out detection for as Backdoor.Tidserv.L and Boot.Tidserv.

This new variant of Tidserv is of interest for two main reasons. First, we are now seeing Tidserv inject user-mode code into Windows 64-bit driver processes found in the likes of 64-bit Windows versions. Previously, Tidserv targeted only 32-bit operating systems. Although this is not the first virus to inject code into 64-bit processes, it is still a relatively new venture for virus writers. It also demonstrates how the creators of Tidserv are...

Anand A | 18 Aug 2010 22:34:48 GMT

It's fairly well known that different types of malware can "kill" security products in various ways. These kinds of malware are known as retroviruses. In order to step things up a notch, some risks are utilizing legitimate software uninstallers to trick users into uninstalling legitimate security products. A new variant of the Trojan.FakeAV threat has been using this technique to install a newly released clone of the CoreGuard Antivirus security risk, called "AnVi Antivirus". In this case, the Trojan is utilizing this social engineering technique to trick users into uninstalling many well-known security products, including solutions by...