
Security Response

Showing posts tagged with Malicious Code
Hon Lau | 22 Apr 2010 17:02:14 GMT | 0 comments

Always ready to pounce on any major new event, the creators of rogue antivirus software are quick to seize on the latest big news story to try to push their wares on unsuspecting users. In this case, the latest big news event is the false positive relating to McAfee antivirus software.

We have seen poisoned search results since the problem first surfaced. Search terms such as McAfee, 5958, or DAT are returning results that can lead to malicious and fake antivirus scan sites, resulting in the installation of malware. One such site sends the user to qpi72z.xorg.pl, which in turn redirects to scanszforvir8.com. There you will find the usual fake online scanner followed by the offer of fake antivirus software (Symantec detects them as Trojan.FakeAV).

...

Symantec Security Response | 09 Apr 2010 21:46:07 GMT | 0 comments

We have discovered a threat affecting the Windows Mobile platform that dials several high-cost international phone numbers. The threat is bundled within a .cab installation file that contains a legitimate game called “3D Anti-terrorist action” and a malicious dialer that we call Trojan.Terred.

While there is no smoking gun, we don’t believe that the makers of the game are bundling the threat, but rather one of the distributors. The threat itself is a binary created with the .NET Compact Framework and therefore requires this specific framework in order to be installed. The threat will therefore not run on any device that does not have the framework installed; however, the game will install without any problems either way.
...

Ashwin Athalye | 09 Apr 2010 07:44:43 GMT | 0 comments

Do you want to earn a few extra bucks by spreading malware? A lot of users have been doing just that, especially once the profitable malware world invites them to share in its revenue. Malware is no longer written for fame and notoriety. These days it is all about money, and it is backed by a strong business model.

Malware distribution techniques have undergone a major transformation over the years. In the early days, worms self-propagated by exploiting server-side vulnerabilities, which allowed them to spread without any user interaction; all that was required was for the computers to be switched on and connected to the network. Once the worm had infected a computer through the vulnerability, it would scan for other vulnerable computers on the network and the process would start all over again.

Over the years these types of server-side vulnerabilities dried up and the focus quickly turned to client-side attacks and classic social engineering. Most client-...

Patrick Fitzgerald | 31 Mar 2010 19:13:24 GMT | 0 comments

On Monday, March 29, 2010, bkis.com published a blog post describing malware that masqueraded as the Adobe Reader update program. This tactic is an attempt to run a malicious payload while avoiding detection. As we looked into this sample (detected as Trojan.Dosvine) in more detail, it became clear that this threat is involved in a DDoS (Distributed Denial of Service) attack on the Vietnamese online community. In a related article, Google reported that “compromised keyboard language software and possibly other legitimate software” is being used to infect Vietnamese Windows computers.

Initial reports on this attack have compared this to the Trojan.Hydraq/Aurora incident from earlier this year. For those not familiar with the Hydraq incident, everything you need to know can be found in our...

Vincent Weafer | 29 Mar 2010 10:03:39 GMT | 0 comments

As we approach April Fool’s Day 2010, we recognize the one-year anniversary of the Downadup/Conficker threat’s April 1, 2009, “trigger” date. A year ago, the security industry monitored Downadup/Conficker activity so as to be prepared for whatever the criminal or criminals behind the threat did next. Fortunately, Conficker did not turn into a widespread threat or cause the significant damage it had the potential to cause.

Earlier in 2009, the Downadup/Conficker threat roamed the “streets” of the Internet looking for “unlocked doors” (unpatched systems) and computers not protected by “alarm systems” (security software). These computers, which numbered in the millions, were prime targets for the threat. It took advantage of a security vulnerability in the Windows operating system that Microsoft had actually patched a month before the spread of Downadup/Conficker ever began. Once on a machine, the threat...

Karthik Selvaraj | 27 Mar 2010 17:52:53 GMT | 0 comments

Malware authors use numerous unconventional techniques in their attempts to create malicious code that is not detected by antivirus software. As malicious code analysts, though, it is our job to analyze their creations, and as such we have to be constantly vigilant for the latest tricks that the malware authors employ.

While looking at some PDFs yesterday, something suspicious caught my eye. The PDF file format supports compression and encoding of embedded data, and also allows multiple cascading filters to be specified so that multi-level compression and encoding of that data is possible. The PDF stream filters usually look something like this:

However, in the particular file being analyzed I spotted the use of no fewer than nine JavaScript compression and encoding filters applied to a single stream, which is an unusually large number:

...

Greg Ahmad | 18 Mar 2010 22:25:25 GMT | 0 comments

Over the past few years, targeted attacks against organizations have become increasingly common and have gained notoriety. One of the best known of these attacks is the recent compromise of Google, Adobe, and many other companies as part of the Trojan.Hydraq or “Operation Aurora” incident. This particular attack involved organized and well-resourced cyber criminals who used a zero-day memory-corruption exploit for Microsoft Internet Explorer as the attack vector to deliver a malicious payload known as Trojan.Hydraq. The attackers behind this operation targeted various organizations and sent messages using the spear phishing technique, which makes email messages look like they come from a trusted source, thereby increasing the chance of victims following links or opening attachments. Once the vulnerability was successfully exploited and the Hydraq malware...

Andrea Lelli | 10 Mar 2010 22:11:15 GMT | 0 comments

Internet Explorer 6 may be on its way to retirement, but it still remains a good target for exploits, as we can see from JS.Sykipot. This zero-day was found on March 8th and it exploits a vulnerability in some Internet Explorer versions (CVE-2010-0806, BID 38615) that can lead to remote code execution. Upon successful exploitation, JS.Sykipot will download and run Backdoor.Sykipot, which is a back door capable of communicating with its control server to receive and run several commands.

In my tests, the exploit worked successfully on IE6...

Liam O Murchu | 05 Mar 2010 21:00:24 GMT | 0 comments

We recently received a file (from CERT) for analysis. We found that the file was a Trojan that opens a back door on a compromised computer and listens for commands on port 7777. This by itself is not very unusual, but what surprised us was that this file was being distributed by Energizer Inc. as part of a USB charger-monitoring software package.

When we checked the manufacturer’s website, the file was still available as part of the USB charger software package. As part of the installation process for the USB charger software, the file “Arucer.dll” is created and added to the registry run key. We discovered that this file is the Trojan and added detection for it as Trojan.Arugizer. Since the file is added to the run key, the Trojan starts every time the computer starts. The Trojan listens for commands from anyone who connects and can perform various actions...

Jeet Morparia | 05 Mar 2010 05:40:27 GMT | 0 comments

Recently, Symantec received some malicious files that appeared to be signed by “Adobe Systems Incorporated”. On closer inspection, however, the signature turned out to be just a ruse used by the malware author to give the files an air of legitimacy. Virus writers are getting smarter and going the extra mile to digitally sign their files. Using this technique, malware authors could, for example, penetrate an environment where only signed files are allowed to run but the authenticity of the signature is not checked.

Although the files are signed, they are signed using an unauthenticated CA (Certificate Authority) that is masquerading as VeriSign. A CA is a trusted third party that issues and signs the certificate and vouches for the authenticity of the file. Each CA should be registered and therefore recognized globally as a trusted signer. The signature on the certificate is verified using the signer’s public key.
...