Back in July we saw the Stuxnet worm targeting industrial control systems. The Stuxnet authors stole the digital signatures of two Taiwanese chip makers and used them on the rootkit employed by the worm. Just how they were getting their hands on the private keys needed to steal the signatures remains a missing piece of the Stuxnet puzzle.

In order to digitally sign a binary you must have a private key. If attackers can gain possession of the key they can steal the key owner’s signature; therefore, the owner of the private key should ensure that it remains private. Somehow, these private keys were stolen and used by the Stuxnet authors to sign the rootkit in order to ensure that it would be loaded by Windows Vista and Windows 7.

Obtaining a private key for a digital certificate may not be as difficult as one imagines. Infostealer.Nimkey is an example of a threat that...

“It can’t happen to me”

Hunters and gatherers. Most people think of cybercrime against business to be the work of hunters such as cybercriminals who target then infiltrate a company to steal from it. Reading the newspaper, it’s easy to convince yourself that these hunters are after big game and a small business does not have to worry about these targeted attacks. Maybe; however, we’ll talk more about that later. The majority of cybercriminals can best be described as gatherers. They throw wide nets and take advantage of whatever victims land in those nets. Small businesses really must watch out for the gatherers.

Because the barrier of entry is low, there are many gatherers. A gatherer doesn’t have to be a criminal genius. They don’t even need advanced computer skills. They really don’t need to know much at all—except where to buy a toolkit. Toolkits allow criminals with limited skills to get...

Security Response has confirmed reports of a worm spreading through email under the subject  "Here you have". The mail to the unsuspecting recipient claims to be providing a document available through a URL. The URL is spoofed and actually points to a malicious binary being hosted on a different server.

The email will appear similar to the following:

In this instance, the actual file downloaded would be named ‘PDF_Document21_025542010_pdf.scr’ and is housed on the domain ‘members.multimania.co.uk’. This file is a minor variation of W32.Imsolk.A@mm. The main characteristics of the worm’s functionality are as follows:

·         Spread through mapped drives through autorun
·  ...

Backdoor.Tidserv first came to light in back in 2008 as a Trojan that uses an advanced rootkit to hide itself. Since then, Symantec has seen many changes to Tidserv and we have documented a number of the changes in our blog postings. Yesterday, Symantec came across a new sample of Tidserv that we have broken out detection for as Backdoor.Tidserv.L and Boot.Tidserv.

This new variant of Tidserv is of interest for two main reasons. First, we are now seeing Tidserv inject user-mode code into Windows 64-bit driver processes found in the likes of 64-bit Windows versions. Previously, Tidserv targeted only 32-bit operating systems. Although this is not the first virus to inject code into 64-bit processes, it is still a relatively new venture for virus writers. It also demonstrates how the creators of Tidserv are...