Security Response
Patrick Fitzgerald | 22 Apr 2010 19:19:21 GMT

Our previous blog entries about W32.Qakbot gave details about how the threat works, how it spreads, and its capabilities for stealing information. This entry focuses on the scale and type of data Qakbot has been successful in acquiring.

Stealing data

Qakbot monitors compromised computers for sensitive information and uploads the stolen data to an FTP server. The FTP server information is downloaded from the botnet and can change over time. Here is an example of a recent FTP configuration:

exec=!var ftphost_1=ftp.df[REMOVED]
exec=!var ftphost_2=web1[REMOVED]
exec=!var ftphost_3=ftp.su[REMOVED]
exec=!var ftphost_4=ftp.ab[REMOVED]
exec=!var ftphost_5=ftp.51[REMOVED]
exec=!var ftphost_6=ftp.fan[REMOVED]

While analyzing this threat we gained...

Hon Lau | 22 Apr 2010 17:02:14 GMT

Always ready to pounce on any major new event, the creators of rogue antivirus software are quick to seize on the latest big news story to try to push their wares on unsuspecting users. In this case the latest big news event is the false positive relating to McAfee antivirus software.

We have seen poisoned search results since the problem first surfaced. Search terms such as McAfee, 5958, or DAT are returning results that can lead to malicious and fake antivirus scan sites, resulting in the installation of malware. One such site sends the user to qpi72z.xorg.pl, which in turn redirects to scanszforvir8.com. There you will find the usual fake online scanner, followed by an offer of fake antivirus software (Symantec detects these as Trojan.FakeAV).

...

Symantec Security Response | 09 Apr 2010 21:46:07 GMT

We have discovered a threat affecting the Windows Mobile platform that dials several high-cost international phone numbers. The threat is bundled within a .cab installation file that contains a legitimate game called “3D Anti-terrorist action” and a malicious dialer that we call Trojan.Terred.

While there is no smoking gun, we don’t believe that the makers of the game are bundling the threat, but rather one of the distributors. The threat itself is a binary created with the .Net Compact Framework and therefore requires this specific framework for it to be installed. The threat will therefore not run on any device that does not have the framework installed; however, the game will install without any problems either way.

...

Ashwin Athalye | 09 Apr 2010 07:44:43 GMT

Do you want to earn a few extra bucks by spreading malware? A lot of users have been doing just that, especially when they are welcomed by the profitable malware world to share their revenue! Malware is no longer written for fame and notoriety. It is all about money these days and guess what—it is also covered by a strong business model.

Malware distribution techniques have undergone a major transformation over the years. In the early days, worms self-propagated while exploiting server-side vulnerabilities that would allow propagation without any user interaction—simply requiring the computers to be on and connected to the network. Once the worm infected the computer using the vulnerability, it would scan for other vulnerable computers on the network and the process would start all over again.

Over the years these types of server-side vulnerabilities dried up and the focus quickly turned to client-side attacks and classic social engineering. Most client-...

Patrick Fitzgerald | 31 Mar 2010 19:13:24 GMT

On Monday, March 29, 2010, bkis.com published a blog post describing malware that masqueraded as the Adobe Reader update program. This tactic is an attempt to run a malicious payload while avoiding detection. As we looked into this sample (detected as Trojan.Dosvine) in more detail, it became clear that this threat is involved in a DDoS (Distributed Denial of Service) attack on the Vietnamese online community. In a related article, Google reported that “compromised keyboard language software and possibly other legitimate software” is being used to infect Vietnamese Windows computers.

Initial reports on this attack have compared this to the Trojan.Hydraq/Aurora incident from earlier this year. For those not familiar with the Hydraq incident, everything you need to know can be...

Vincent Weafer | 29 Mar 2010 10:03:39 GMT

As we approach April Fool’s Day 2010, we recognize the one-year anniversary of the Downadup/Conficker threat’s April 1, 2009, “trigger” date. A year ago, the security industry monitored Downadup/Conficker activities to be fortified against the criminal or criminals behind the threat’s next move. Fortunately, Conficker did not turn into a widespread threat or cause the significant damage it had the potential to cause.

Earlier in 2009, the Downadup/Conficker threat roamed the “streets” of the Internet looking for “unlocked doors” (unpatched systems) and computers not protected by “alarm systems” (security software). These computers, which numbered in the millions, were prime targets for the threat, which took advantage of a security vulnerability in the Windows operating system that Microsoft had actually patched a month before the spread of Downadup/Conficker ever began. Once on a machine, the threat...

Karthik Selvaraj | 27 Mar 2010 17:52:53 GMT

Malware authors use numerous unconventional techniques in their attempts to create malicious code that is not detected by antivirus software. As malicious code analysts, though, it is our job to analyze their creations, and as such we have to be constantly vigilant for the latest tricks that the malware authors employ.

While looking at some PDFs yesterday, something suspicious caught my eye. The PDF file format supports compression and encoding of embedded data, and also allows multiple cascading filters to be specified so that multi-level compression and encoding of that data is possible. The PDF stream filters usually look something like this:

However, in the particular file being analyzed I spotted the use of no fewer than nine JavaScript compression and encoding filters applied to a single stream, which is an unusually large number:

...

Greg Ahmad | 18 Mar 2010 22:25:25 GMT

Over the past few years, targeted attacks against organizations have become increasingly common and have gained notoriety. One of the best known of these attacks is the recent compromise of Google, Adobe, and many other companies as part of the Trojan.Hydraq or “Operation Aurora” incident. This particular attack involved organized and well-resourced cyber criminals who used a zero-day memory-corruption exploit for Microsoft Internet Explorer as an attack vector to deliver a malicious payload known as Trojan.Hydraq. The attackers behind this operation targeted various organizations and sent messages using the spear phishing technique, which makes email messages look like they come from a trusted source, thereby increasing the chance of victims following links or opening attachments. Once the vulnerability was successfully exploited and the Hydraq malware...

Andrea Lelli | 10 Mar 2010 22:11:15 GMT

Internet Explorer 6 may be on its path to retirement, but it still remains a good target for exploits, as we can see from JS.Sykipot. This zero-day was found on March 8th and exploits a vulnerability in some Internet Explorer versions (CVE-2010-0806, BID 38615) that can lead to remote code execution. Upon successful exploitation, JS.Sykipot will download and run Backdoor.Sykipot, a back door capable of communicating with its control server to receive and run several commands.

In my tests, the...

Liam O Murchu | 05 Mar 2010 21:00:24 GMT

We recently received a file (from CERT) for analysis. We found that the file was a Trojan that opens a back door on a compromised computer and listens for commands on port 7777. This by itself is not very unusual, but what surprised us was that this file was being distributed by Energizer Inc. as part of a USB charger-monitoring software package.

When we checked the manufacturer’s website, the file was still available as part of the USB charger software package. As part of the installation process for the USB charger software, the file “Arucer.dll” is created and added to the registry run key. We discovered that this file is the Trojan and added detection for it as Trojan.Arugizer. Since the file is added to the run key, the Trojan starts every time the computer starts. The Trojan listens for commands from anyone who connects and can perform various actions...