Video Screencast Help
Search Video Help Close Back
to help
Not able to make it to Vision this year? Get a sampling in the Best of Vision on Demand group.

Security Response

Showing posts tagged with Malicious Code remove filter
Showing posts in English remove filter
A Reminder about Rootkits
John H | 18 Jan 2012 | 0 comments

 

Rootkit stories show up in the mainstream media on a regular basis these days. While these stories raise public awareness about what the bad guys are doing, they usually leave readers wondering what they can do to protect themselves from silent threats infecting their computers at home and in the office. 
Broadly defined, a rootkit is any software that acquires and maintains privileged access to the operating system (OS) while hiding its presence by subverting normal OS behavior. A rootkit typically has three goals: 
 
  1. A rootkit wants to be able to run without restriction on a target computer. 
  2. It wants to elude being detected by the computer or an installed security product. 
  3. It wants to deliver its payload, such as stealing passwords or network bandwidth, or installing other malicious software.
 
So what can you do (other than re-build your computer...
Read more
Korean Office Software Exploited
Symantec Security Response | 06 Nov 2011 | 0 comments

In late September 2011, it was reported that a previously unknown and un-patched vulnerability in Hancom Office (a word processing software predominantly used in Korea) was exploited in the wild. We often hear of new exploits targeting software used worldwide and while these incidents tend to grab all the attention, we also encounter instances of regional software, which often have a limited user base becoming an exploit target. One example of a similar regional software that was also exploited in malware attacks is Ichitaro - a word processing software mostly used in government organizations and their associates in Japan. 

In this case, we managed to track down a couple of malware samples that exploited the reported vulnerability in the Hancom products. The samples are in document files (file extension .hwp) and an exploit attempt is made when the document is opened on a machine installed with vulnerable...
Read more
Duqu: Status Updates Including Installer with Zero-Day Exploit Found
Vikram Thakur | 01 Nov 2011 | 0 comments

The group that initially discovered the original Duqu binaries, CrySyS, has since located an installer for the Duqu threat. Thus far, no-one had been able to recover the installer for the threat and therefore no-one had any idea how Duqu was initially infecting systems. Fortunately, an installer has recently been recovered due to the great work done by the team at CrySyS.

The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they're working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries. The chart below explains how the exploit in the Word document file eventually leads to the installation of Duqu.

 

...

Read more
The True Face of Urchin
Karthikeyan Kasiviswanathan | 26 Oct 2011 | 0 comments

In recent days, we have seen blogs about a specific type of Mass Injection campaign. We take this opportunity to publish our findings in this blog.

This particular campaign has already picked up pace and it is infecting a lot of innocent users out there. It all starts with a script that is injected into certain sites. The script itself points to one particular site: “http://[REMOVED]/urchin.js”. Throughout this blog, we will see the different exploits that this particular campaign uses in order to install malicious files on to a compromised computer.

Upon visiting a site with the injected script, the user is redirected to a malicious site. A subsequent redirection takes the user to a site that contains an obfuscated script. When the script is decoded, it reveals an embedded iFrame tag. Below is an example of the de-obfuscated iFrame tag embedded in the site.

...

Read more
Duqu: Updated Targeting Information
Eric Chien | 21 Oct 2011 | 0 comments

I wrote Symantec's original blog post describing the discovery of Duqu. In that blog I use the term "industrial control system manufacturers" and (after discussions with a variety of parties) we want to change that term to "industrial industry manufacturers" to more accurately define where Duqu has been found. We already made this change to our paper.

Finding the correct term can sometimes be a challenge. When we first wrote about Stuxnet, we originally used the term SCADA (supervisory control and data acquisition) and quickly discovered the proper term was "industrial control systems". In the computer security industry, we actually have specific definitions of viruses, worms, and trojans, while the general public often refer to any malware as just a virus. (In an unrelated...

Read more
Duqu Status Update #1
Symantec Security Response | 21 Oct 2011 | 0 comments

As mentioned in our previous blog, W32.Duqu was first brought to our attention by a research lab who had been investigating a targeted attack on another organization. This research was conducted by the Laboratory of Cryptography and System Security (CrySyS) in the Department of Telecommunications, Budapest University of Technology and Economics. CrySyS identified the infection and observed its similarity to W32.Stuxnet. They stated that no data was leaked as part of this attack.

We are grateful to CrySyS—sharing their findings allowed us to identify further attacks taking place. We have now determined that the originally targeted organization was one of a limited number of targets which include those in the industrial infrastructure industry. CrySyS has issued a statement regarding their analysis here: http://www.crysys.hu/.

The latest version of our...

Read more
W32.Duqu: The Precursor to the Next Stuxnet
Symantec Security Response | 18 Oct 2011 | 0 comments

On October 14, 2011, a research lab with strong international connections alerted us to a sample that appeared to be very similar to Stuxnet. They named the threat "Duqu" [dyü-kyü] because it creates files with the file name prefix “~DQ”. The research lab provided us with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet, which we were able to confirm. Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the...

Read more
Blackhole Exploit Targeting Steve’s Death
Samir Patil | 07 Oct 2011 | 0 comments

Contributor: Anand Muralidharan

The sad news making the rounds these days is the death of Steve Jobs, Apple Co-founder and former CEO. His death has been a terrible loss to both Apple and Apple fans everywhere.

Spammers are capitalizing on this incident by sending malicious links related to the news of Steve Jobs’ death. Below is a screenshot of one such spam email containing a malicious link:

More malicious links found relating to death spam are:

http://[removed]com/pink.html
http://720[removed].info/habit.html
http://ebuy[removed].com/kids.html
http://[removed].com/grain.html

All these websites contain obfuscated code leading to a BlackHole exploit. Most of the domains are recently registered, however a few of the older domains look quite legitimate and seem to be hijacked.

Below are the Subject lines which have been...

Read more
Downloader.Chepvil and the Malicious Feedback Loop!
Stephen Doherty | 05 Oct 2011 | 0 comments

Technical analysis: Poul Jensen, Illustrations: Ben Nahorney

Meet Downloader.Chepvil, a malware that has been creating quite a lot of noise recently, hitting inboxes far and wide. This threat begins life as an innocent-looking email and quickly transforms itself into a powerful blended threat capable of stealing information, installing misleading applications, and mailing additional copies of itself from newly compromised computers.

To begin with, let’s take a look at the initial email. It usually follows a predictable format – an enticing message encouraging the victim to open the email attachment.

The content of the email will change frequently; but as an example, a recent set of emails contained the following message:

Dear customer.

...
Read more
.HLPing Targeted Attacks
Joji Hamada | 13 Sep 2011 | 0 comments

Thanks to Takayoshi Nakayama for his research and contributions to this blog.

Targeted attacks have been a pretty popular topic of discussion in the security industry in recent years. Many may recall the incident involving Hydraq—from January 2010—and Shady RAT was something discussed more recently.

Most targeted attacks involve emails with malware attachments as the trigger point of the attack. Once a computer is infected with the malware, an attacker can compromise not only the computer, but can also work to expose the infrastructure of the targeted organization and the sensitive data it possesses.

In the early stages of the targeted attacks involving emails that I started seeing around 2005, attachments included files such as Word documents, Excel spreadsheets, PowerPoint...

Read more

Technical Support

Symantec.com

Store

Community Stats

Total Content Items
Members
269,999