Security Response
Showing posts tagged with Malicious Code
Jeet Morparia | 05 Mar 2010 05:40:27 GMT
Recently, Symantec received some malicious files which appeared to be signed by “Adobe Systems Incorporated”. On closer inspection, however, the signature turned out to be a ruse used by the malware author to give the files an air of legitimacy. Virus writers are getting smarter and going that extra mile to digitally sign their files. Using this technique the malware authors could, for example, penetrate an environment whose policy allows only signed files but checks merely that a signature is present, not that it chains to a trusted CA.
Although the files are signed, the certificate was issued by a CA that is not in any trust store: a self-created authority whose name imitates VeriSign. A CA is a trusted third party that issues and signs certificates, vouching for the identity of the key holder. A CA only counts as trusted if it, or the root it chains to, is in the verifier's trust store, and each certificate's signature is checked with the public key of the CA that issued it, link by link up to that root. A signature that merely verifies under the signer's own public key proves nothing about who the signer is.
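The distinction above, "the signature verifies" versus "the signer is trusted", as an added example that is not code from the Symantec post. It uses Go's standard crypto/x509 as a stand-in for Authenticode chain validation: a genuine chain and a look-alike chain both issue a certificate named "Adobe Systems Incorporated" and sign the same payload, but only the genuine one chains to the root in the trust store. Every certificate name, key and payload here is constructed for the example; the look-alike CA name is a placeholder, not the name seen on the real samples.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed, monotonically increasing serial numbers

// newCert issues a certificate for cn; with parent == nil it is self-signed.
// Hypothetical helper for this example only.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignatureValid is the weak check: the signature verifies under the key in
// the signer's own certificate. Any self-issued certificate passes this.
func SignatureValid(signer *x509.Certificate, data, sig []byte) bool {
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// ChainTrusted is the check that matters: the signer must chain to a root in
// the verifier's trust store and be permitted to sign code.
func ChainTrusted(signer *x509.Certificate, roots *x509.CertPool) bool {
	_, err := signer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// Outcome records what each check says about one signed file.
type Outcome struct {
	SignerName        string
	SigValid, Trusted bool
}

// Scenario signs one constructed payload with a genuine leaf and with a leaf
// issued by a look-alike CA, then runs both checks against a trust store that
// holds only the genuine root.
func Scenario() (genuine, spoofed Outcome, err error) {
	payload := []byte("MZ... constructed stand-in for a PE file")
	roots := x509.NewCertPool()
	trustedRoot, trustedKey, err := newCert("Example Trusted Root CA", true, nil, nil)
	if err != nil {
		return
	}
	roots.AddCert(trustedRoot)
	realLeaf, realKey, err := newCert("Adobe Systems Incorporated", false, trustedRoot, trustedKey)
	if err != nil {
		return
	}
	rogueRoot, rogueKey, err := newCert("VeriSign look-alike (placeholder, in no trust store)", true, nil, nil)
	if err != nil {
		return
	}
	fakeLeaf, fakeKey, err := newCert("Adobe Systems Incorporated", false, rogueRoot, rogueKey)
	if err != nil {
		return
	}
	for _, c := range []struct {
		leaf *x509.Certificate
		key  *ecdsa.PrivateKey
		out  *Outcome
	}{{realLeaf, realKey, &genuine}, {fakeLeaf, fakeKey, &spoofed}} {
		h := sha256.Sum256(payload)
		sig, e := ecdsa.SignASN1(rand.Reader, c.key, h[:])
		if e != nil {
			err = e
			return
		}
		*c.out = Outcome{c.leaf.Subject.CommonName, SignatureValid(c.leaf, payload, sig), ChainTrusted(c.leaf, roots)}
	}
	return
}

func main() {
	g, s, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %+v\nspoofed: %+v\n", g, s)
}
```

Both files pass SignatureValid and both certificates display the same subject name, which is all a policy that merely requires "a signed file" ever looks at; only ChainTrusted rejects the look-alike, because its issuer is absent from the root pool. On Windows the equivalent check is chain validation against the machine's Trusted Root store with the code-signing usage, not the presence of a signature block.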
Vikram Thakur | 02 Mar 2010 23:52:16 GMT

In October 2009 we started tracking the Mariposa, or Butterfly, botnet. At that time, a security company had reported that a large number of Fortune 100 companies had been infected with this threat. Earlier today, news came out that the same firm had worked with the appropriate authorities in arresting alleged key members of the Mariposa botnet.

Back in October 2009 we also blogged about this bot's capabilities, in a brief post called The Mariposa Butterfly. Later that month we were able to get our hands on a toolkit being sold in underground forums that clearly demonstrated the bot's capabilities. More information about that is...

Vivian Ho | 01 Mar 2010 19:33:12 GMT

The biggest news flashes for the last 48 hours involve reports of the devastating earthquake that struck near the coast of Chile, along with the tsunami threat to the Pacific region. As the extent of the damage due to the disaster remains unclear, people are eager to seek more information about the quake from any means possible.

Symantec has observed spammers trying to capitalize on the disaster headlines by sending out malware-laden email less than a day after the quake. Below is a sample message:

From: <removed>
Subject: Terremoto no Chile
(Subject, translated from Portuguese: Earthquake in Chile)

In this message, spammers are using earthquake-related subject lines to lure recipients to open the email, which includes snippets of earthquake news in the body of the message. An image of a collapsed building, purportedly a still image from a video embedded in the email,...

Vivian Ho | 26 Feb 2010 00:04:00 GMT

How many social network accounts do you have? How much time do you spend on your network content and application updates? How many discussion boards or blogs or pictures or games do you need to maintain in each network service?

Besides email and instant messenger programs, social network services have become important media for people to maintain their relationships or business exposure. There are, of course, myriad risks in exposing your personal details online when you have not set the privacy controls the services themselves recommend.

Spammers have yet another channel available to send their “love” to you.

Have you had the pleasure of your newly registered social network account sending you tons of friendship invitations on a daily basis? Or, in addition, that same account sends out numerous friendship invitations to your contacts without your consent? Or, have you started receiving lots of junk...

Hon Lau | 19 Feb 2010 21:51:59 GMT

I saw something quite funny when checking out the spam feeds the other day. An attachment kept appearing, once in a while, with a name starting with "Christmas". It was making sporadic appearances in the feeds (and the number of spam email messages was quite low), but there were a couple of these odd messages at equally odd hours of the day:


The email message itself was a run-of-the-mill electronic greeting card with an HTML body containing a nice Flash animation (the Flash animation actually comes from a legitimate source). The email body contains a message asking the user to open the attachment to see who sent the email. Of course, opening the attachment yields a malicious file. The name of the file inside is "Christmas Card.htm[MANY SPACES].exe" and it is already detected by Symantec as W32.Ackantta.G@...
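The padded-extension trick in that filename is easy to catch mechanically, so here is an added example (not from the Symantec post) of the normalisation a mail gateway or sandbox can apply to attachment names: take the extension Windows will actually honour, strip the whitespace padding in front of it, and report the decoy extension a user would see. The extension lists and sample names are constructed for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Extensions Windows runs directly on double-click (constructed list; extend
// it for your environment).
var executableExts = map[string]bool{
	".exe": true, ".scr": true, ".pif": true, ".com": true, ".bat": true,
	".cmd": true, ".vbs": true, ".js": true, ".jse": true, ".wsf": true, ".hta": true,
}

// Extensions that commonly serve as the "display" extension of a decoy name.
var decoyExts = map[string]bool{
	".htm": true, ".html": true, ".pdf": true, ".doc": true, ".jpg": true, ".txt": true,
}

// Verdict explains why an attachment name is considered deceptive.
type Verdict struct {
	Deceptive bool
	TrueExt   string // extension Windows actually honours
	ShownExt  string // extension a user is likely to see, if any
	Reason    string
}

// Inspect normalises an attachment filename and reports padding and
// double-extension tricks that hide an executable extension.
func Inspect(name string) Verdict {
	v := Verdict{}
	lower := strings.ToLower(name)
	v.TrueExt = path.Ext(lower)
	if !executableExts[v.TrueExt] {
		return v // not executable: nothing to hide
	}
	stem := strings.TrimSuffix(lower, v.TrueExt)
	trimmed := strings.TrimRight(stem, " \t")
	padding := len(stem) - len(trimmed)
	v.ShownExt = path.Ext(trimmed)
	switch {
	case padding > 0 && decoyExts[v.ShownExt]:
		v.Deceptive = true
		v.Reason = fmt.Sprintf("%d whitespace characters hide %s behind %s", padding, v.TrueExt, v.ShownExt)
	case decoyExts[v.ShownExt]:
		v.Deceptive = true
		v.Reason = fmt.Sprintf("double extension %s%s", v.ShownExt, v.TrueExt)
	case padding > 0:
		v.Deceptive = true
		v.Reason = "whitespace padding before executable extension"
	}
	return v
}

func main() {
	// Constructed sample attachment names; the first mimics the one described above.
	samples := []string{
		"Christmas Card.htm                                   .exe",
		"Christmas Card.htm",
		"invoice.pdf.exe",
		"setup.exe",
	}
	for _, s := range samples {
		v := Inspect(s)
		fmt.Printf("%-60q deceptive=%v true=%q shown=%q %s\n", s, v.Deceptive, v.TrueExt, v.ShownExt, v.Reason)
	}
}
```

The padding works because file dialogs and mail clients truncate long names, and Windows Explorer hides known extensions by default, so "Christmas Card.htm.exe" already renders as "Christmas Card.htm" on a stock install; the spaces just make the trick survive clients that do show the extension. The check is on the normalised name, so a match should be treated as a strong signal regardless of what the attachment's declared MIME type says.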

Gerry Egan | 19 Feb 2010 19:01:38 GMT

We recently upgraded our scanner on VirusTotal to include our new reputation-based security engine. That has caused a spike in our detection rates, in particular Suspicious.Insight detections, and so I thought I’d take a few minutes to explain some of the background and what is going on.

So what exactly is a Suspicious.Insight detection? These detections are derived from Symantec’s new reputation-based security technology. They highlight files that have not yet developed a strong reputation (either good or bad) amongst Symantec’s community of users. Our goal is to keep our users’ machines safe, and part of achieving that goal means helping our users make informed choices about the files they allow on to their systems. Suspicious.Insight detections help shine a...

khaley | 18 Feb 2010 20:57:54 GMT

Recently, Symantec observed some high-profile coverage of a threat being reported as a new type of computer virus known as “Kneber.” In reality Kneber is simply a pseudonym for the Zeus Trojan/botnet: the name refers to a particular group, or herd, of zombie computers (a.k.a. bots) controlled by one operator. The Trojan itself is the same Trojan.Zbot that also goes by the name Zeus, which has been observed, analyzed, and protected against for some time now.
Since Zeus/Zbot toolkits are widely available in the underground economy, it is not uncommon for attackers to build new botnets, such as Kneber, from the Zeus toolkit. Though this Kneber botnet is fairly large, it does not involve any new malicious code. Thus, Symantec customers with up-to-date security software should already be...

Hon Lau | 17 Feb 2010 20:28:00 GMT

Since as far back as I can remember there has always been talk of rivalry and wars between various malware creators. The testosterone-fuelled battles may have even been encouraged by the media running stories of how such-and-such botnet “has X million nodes,” egging the botnet herders to try and outwit and outgrow each other in a competition to grab market share.
Take, for example, the Zeus botnet (Trojan.Zbot). This has been around for some time and has now developed into a mature piece of malware that is widely sold and used by wannabe eCriminals to steal information from hapless victims throughout the Internet. The ease of use afforded by the Zeus Trojan builder has helped it achieve its notorious status as one of the most widely seen bots in the world.
As with the gold rush in the previous centuries, some people learned that it was...

Mircea Ciubotariu | 13 Feb 2010 01:17:40 GMT

In the past, viruses and computer threats were created simply for the sake of it. Sometimes these threats would wipe your hard drive clean—just to let you know you’d been owned. This is not the case anymore; nowadays most of the threats we see are profit-oriented and try to keep a very low profile so that they aren't easily detectable by security software.

Backdoor.Tidserv does a very good job in that sense, especially with the latest version (TDL3), which uses an advanced rootkit technology to hide its presence on a system by infecting one of the low-level kernel drivers and then covering its tracks. While the rootkit is active there is no easy way to detect the infection, and because it goes so deep into the kernel, most users cannot see anything wrong in the system.

Most of the time the driver chosen by Tidserv to be infected is “atapi.sys,” but...

Peter Coogan | 04 Feb 2010 18:36:42 GMT

The Zeus crimeware toolkit has been around now for a while and has grown over time to be the most established crimeware toolkit in the underground economy. In late December 2009 a new crimeware toolkit emanating from Russia—known as SpyEye V1.0—started to appear for sale on Russian underground forums. Retailing at $500, it is looking to take a chunk of the Zeus crimeware toolkit market. Symantec detects this threat as Trojan.Spyeye. Since it is relatively new, we are not seeing a lot of SpyEye activity yet. However, given some time and the observed rate of development for this crimeware toolkit, SpyEye could be a future contender for king of the crimeware toolkits.
