Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Malicious Code
Showing posts in English
New Internet Explorer 8 Zero-Day Used in Watering Hole Attack
Symantec Security Response | 10 May 2013 20:08:22 GMT | 0 comments

Microsoft has issued Security Advisory 2847140 in response to reports regarding public exploitation of a vulnerability affecting Internet Explorer 8. Other versions such as Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet Explorer 10 are not affected. Initial reports indicate that a website associated with a department of the US government was compromised to host the exploit in what’s known as a watering hole attack. Upon visiting the site a vulnerable victim would have been redirected to download a back door as the payload.  Symantec products detect the exploit code on the vulnerable site as Trojan.Malscript, Bloodhound.Exploit.494, or...

Read more
New Internet Explorer Zero-Day Used In Watering Hole Attack
Symantec Security Response | 30 Dec 2012 00:27:55 GMT | 0 comments

 

We have received multiple reports of a new Internet Explorer zero-day vulnerability being exploited in the wild. Initial reports indicate that the website used in these attacks belong to a U.S. based think-tank organization. The site was believed to be compromised and used to serve up the zero day exploit as part of a watering hole style attacks as far back as December 21st.
 
A flash file named today.swf was used to trigger the vulnerability in Internet Explorer. The flash file is detected as Trojan.Swifi and protection has been in place for our customers since December 21st. Further details and analysis will be provided soon.
 
We have carried out in-depth research into watering hole style attacks dating back to 2009. That research and analysis is contained in a paper named...
Read more
The Elderwood Project
Symantec Security Response | 06 Sep 2012 23:00:00 GMT | 0 comments

In 2009, we saw the start of high profile attacks by a group using the Hydraq (Aurora) Trojan horse. We've been monitoring the attacking group's activities for the last three years as they've consistently targeted a number of industries. These attackers have used a large number of zero-day exploits against not just the intended target organization, but also on the supply chain manufacturers that service the company in their cross hairs. These attackers are systematic and re-use components of an infrastructure we have termed the "Elderwood Platform". The term "Elderwood" comes from the exploit communication used in some of the attacks. This attack platform enables them to quickly deploy zero-day exploits. The attacking methodology has always used spear phishing emails but we are now seeing an increased adoption of "watering hole" attacks (...

Read more
The Elderwood Project (Infographic)
Symantec Security Response | 06 Sep 2012 23:00:00 GMT | 0 comments

Symantec Security Response have published a research paper revealing details about a series of attacks perpetrated by a highly organized and well funded group using the “Elderwood” Attack Platform. This platform is a series of tools and infrastructure used by this group to perform attacks against targets in a speedy and efficient manner. The group behind this platform used it to carry out a multitude of attacks against targets primarily in the defense industry and other organizations within its supply chain. This group demonstrates a dogged persistence and tenacity, along with a high degree of technical expertise as shown by the seemingly unlimited supply of zero-day exploits that they have employed in the past. This research examines a time window of at least three years in which numerous attacks were conducted and still continues to take place to this day. The paper covers the attack methods used, the possible motives, the scale of the attacks and what to do to stay...

Read more
A Reminder about Rootkits
John H | 18 Jan 2012 17:47:22 GMT | 0 comments

 

Rootkit stories show up in the mainstream media on a regular basis these days. While these stories raise public awareness about what the bad guys are doing, they usually leave readers wondering what they can do to protect themselves from silent threats infecting their computers at home and in the office. 
Broadly defined, a rootkit is any software that acquires and maintains privileged access to the operating system (OS) while hiding its presence by subverting normal OS behavior. A rootkit typically has three goals: 
 
  1. A rootkit wants to be able to run without restriction on a target computer. 
  2. It wants to elude being detected by the computer or an installed security product. 
  3. It wants to deliver its payload, such as stealing passwords or network bandwidth, or installing other malicious software.
 
So what can you do (other than re-build your computer...
Read more
Korean Office Software Exploited
Symantec Security Response | 06 Nov 2011 14:57:38 GMT | 0 comments

In late September 2011, it was reported that a previously unknown and un-patched vulnerability in Hancom Office (a word processing software predominantly used in Korea) was exploited in the wild. We often hear of new exploits targeting software used worldwide and while these incidents tend to grab all the attention, we also encounter instances of regional software, which often have a limited user base becoming an exploit target. One example of a similar regional software that was also exploited in malware attacks is Ichitaro - a word processing software mostly used in government organizations and their associates in Japan. 

In this case, we managed to track down a couple of malware samples that exploited the reported vulnerability in the Hancom products. The samples are in document files (file extension .hwp) and an exploit attempt is made when the document is opened on a machine installed with vulnerable...
Read more
Duqu: Status Updates Including Installer with Zero-Day Exploit Found
Vikram Thakur | 01 Nov 2011 17:03:57 GMT | 0 comments

The group that initially discovered the original Duqu binaries, CrySyS, has since located an installer for the Duqu threat. Thus far, no-one had been able to recover the installer for the threat and therefore no-one had any idea how Duqu was initially infecting systems. Fortunately, an installer has recently been recovered due to the great work done by the team at CrySyS.

The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they're working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries. The chart below explains how the exploit in the Word document file eventually leads to the installation of Duqu.

 

...

Read more
The True Face of Urchin
Karthikeyan Kasiviswanathan | 26 Oct 2011 18:01:04 GMT | 0 comments

In recent days, we have seen blogs about a specific type of Mass Injection campaign. We take this opportunity to publish our findings in this blog.

This particular campaign has already picked up pace and it is infecting a lot of innocent users out there. It all starts with a script that is injected into certain sites. The script itself points to one particular site: “http://[REMOVED]/urchin.js”. Throughout this blog, we will see the different exploits that this particular campaign uses in order to install malicious files on to a compromised computer.

Upon visiting a site with the injected script, the user is redirected to a malicious site. A subsequent redirection takes the user to a site that contains an obfuscated script. When the script is decoded, it reveals an embedded iFrame tag. Below is an example of the de-obfuscated iFrame tag embedded in the site.

...

Read more
Duqu: Updated Targeting Information
Eric Chien | 21 Oct 2011 23:00:30 GMT | 0 comments

I wrote Symantec's original blog post describing the discovery of Duqu. In that blog I use the term "industrial control system manufacturers" and (after discussions with a variety of parties) we want to change that term to "industrial industry manufacturers" to more accurately define where Duqu has been found. We already made this change to our paper.

Finding the correct term can sometimes be a challenge. When we first wrote about Stuxnet, we originally used the term SCADA (supervisory control and data acquisition) and quickly discovered the proper term was "industrial control systems". In the computer security industry, we actually have specific definitions of viruses, worms, and trojans, while the general public often refer to any malware as just a virus. (In an unrelated...

Read more
Duqu Status Update #1
Symantec Security Response | 21 Oct 2011 16:56:58 GMT | 0 comments

As mentioned in our previous blog, W32.Duqu was first brought to our attention by a research lab who had been investigating a targeted attack on another organization. This research was conducted by the Laboratory of Cryptography and System Security (CrySyS) in the Department of Telecommunications, Budapest University of Technology and Economics. CrySyS identified the infection and observed its similarity to W32.Stuxnet. They stated that no data was leaked as part of this attack.

We are grateful to CrySyS—sharing their findings allowed us to identify further attacks taking place. We have now determined that the originally targeted organization was one of a limited number of targets which include those in the industrial infrastructure industry. CrySyS has issued a statement regarding their analysis here: http://www.crysys.hu/.

The latest version of our...

Read more