Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Malicious Code
Showing posts in English
John McDonald | 01 Oct 2009 14:12:07 GMT

There has been a flurry of news articles over the past few days on what the media appears to have labeled the Mariposa botnet, after the name a Canadian information security firm used for this particular threat. The ‘butterfly’ in the title of this article refers to the fact that the threat is believed to stem from the Butterfly bot kit, which is no longer for sale.

Several security vendors have commented that this threat isn't new, and indeed Symantec has been detecting variants of it since as early as January this year. We currently have various detection names for these samples, the majority of which are one variant or another of W32.SillyFDC, Trojan Horse or more recently Packed....

Piotr Krysiuk | 30 Sep 2009 20:42:22 GMT

It is not very common for a file infector to do more than simply introduce trivial modifications to the files it infects. Virus authors usually avoid complex modifications to the files because of the possibility of corruption. W32.Xpaj.B is one of exceptions.

W32.Xpaj.B is an entry-point obscuring, polymorphic file infector. The virus is not completely new and shares some of its characteristics with its predecessor, W32.Xpaj, first seen in June 2008. What sets this creature apart is the amount of effort its authors have invested into hiding their malicious code in the files it infects.

W32.XPaj.B is more sophisticated than your average file infector. To make finding its malicious code difficult, the virus avoids putting any obvious signs in the infected files. Unlike most simple viruses, it doesn’t attempt to execute the virus code by hijacking control when the infected file is started. Instead, the virus overwrites some subroutines from the infected files with...

Hon Lau | 30 Sep 2009 12:07:33 GMT

An unfortunate side effect of any news-worthy disasters of the modern day is that a wave of malware will often follow in the virtual world after the initial event in the physical world. The large earthquake (8.3 on the Richter scale) last night recorded off the coast of Western Samoa and the subsequent tsunami that followed caused much destruction and loss of life to the islands near the epicentre of the quake. As with any large scale disasters that quickly become major news events, people want to know what happened and to know that loved ones are safe. The Web, being a major source of information to many people around the world, is one of the first places to see such information-seeking activity. For many people, search engines are the gateway to the masses of information available and because of this, it is also one of the first places to be targeted by malware creators. They waste no time in getting their malicious software and web sites set up and poisoning the Web...

Patrick Fitzgerald | 25 Sep 2009 16:45:01 GMT

It’s well known that malware is growing more sophisticated, but few threats have had us scratching our heads like Trojan.Clampi. In order to remove the mystery around this threat, Security Response will be publishing a series of blogs talking about various aspects of Clampi. As an introduction, we’d like to present a brief overview of the threat.

Trojan.Clampi has been around for a number of years now. During this time it has gone through many iterations, changing its code with a view to avoid detection and also to make it difficult for researchers to analyze.

From our analysis it seems that Clampi has mainly affected machines in the US. Clampi infection rates seem to be skewed towards countries where English is the primary language.  This may indicate the first infections were as a result of malicious drive-by attacks on...

Gerry Egan | 22 Sep 2009 19:04:27 GMT

Have you ever noticed how movies tend to come in waves? A few years ago it seemed like every action movie had a space theme; then the following year the big new movies featured some kind of natural disaster. This past summer it seemed like every other movie was in 3-D. Technology, as we all know, has waves too, and the security industry is no different. For example, recently there has been a lot of talk about reputation-based security and suddenly it seems like every vendor is claiming to have some type of reputation technology. But, not all technologies are created equal, so I thought I’d take a few minutes to look at what makes Symantec’s reputation-based technology so very different.

Why is a new approach needed?

Two fairly recent trends have had a negative impact on the effectiveness of traditional approaches to security. First, many of today’s threats are highly polymorphic—they are able to easily hide because nearly every instance of...

Hon Lau | 15 Sep 2009 21:02:39 GMT

Yes folks, the Bredolab crew is at it once again. Today we saw a moderate wave of spam email, numbering a few thousand per hour. Not to be drawn to the depth of exploiting the death of Patrick Swayze to deliver their malware, the Bredolab gang is still adapting old reliable—spam email messages with promises of undelivered parcels and cash for collection. Depending on whether the delivery is for cash or for a parcel you will get a slightly different message, although the attachment names are much the same as one another, following a distinct pattern.

For parcel deliveries you might see something like the following example:

Dear customer!
Unfortunately we were not able to deliver the postal package sent on the 24th of June in time
because the recipients address is inexact.
Please print...

Hon Lau | 14 Sep 2009 14:41:55 GMT

Tennis is a huge sport worldwide and yesterday was the women's semi final of the US Open in which Serena Williams lost out to her rival due to a foot fault. To cut to the chase, Ms Williams went on to deliver a verbal volley against the line judge, something about shoving tennis balls … somewhere. The exchange was caught on live video footage and many copies are currently doing the rounds on the Internet. The interest that this incident has stirred, provided the spark needed to ignite yet another SEO campaign to spread malware. In the case of this incident, the malware is encountered when you search for terms such as  "Serena Williams Outburst".

Search results

One of the sites returned from the search goes to a domain named This looks like another case of hacked web site used to host fake AV scanners leading to new variants of misleading...

Gavin O Gorman | 11 Sep 2009 15:02:50 GMT

Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. Recent developments have included the utilization of Web 2.0 social networking websites to deliver commands. By integrating C&C messages into valid communications, it becomes increasingly difficult to identify and shut down such sources. It's a concept very similar to that of chaffing and winnowing. Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups is relatively common, but this is the first instance of newsgroup C&C usage that Symantec...

Takashi Katsuki | 08 Sep 2009 13:12:49 GMT

Because PDF-related threats are on the increase in the wild, my colleagues and I have been focusing on the investigation into new ways to stop these threats. The majority of PDF-related exploits can be categorized into two areas.

The first method involves camouflaging the PDF file structure, and the second involves obfuscating the enclosed JavaScript. With the former type of threat, filters (such as an ASCIIHexDecode filter) are employed to change the file content to confuse antivirus engines and disable the use of signature detections. With the latter, it encrypts or obfuscates the exploit code injected into the PDF file, thereby making the exploit code impossible to differentiate from the clean JavaScript.

Between these two types of exploit, the vast majority of threats that are out in the wild are of the obfuscated JavaScript variety. That’s because it’s difficult to change the PDF file while adhering to the PDF file format, thus limiting the actions...

Gilou Tenebro | 01 Sep 2009 19:48:13 GMT

Over the past few weeks a series of blog entries were published about W32.Waledac:

Waledac – an Overview

Waledac, Part 2: Its Bootstraps and Armor

Waledac, Part 3: A Spammer, Downloader, and Infostealer – Among Other Things

If you are interested you can download a Waledac paper, posted here, which presents information on Waledac’s functionalities, possible origins, spam campaigns, and protection mechanisms. There is also more detail on Waledac’s communication protocol and task messages. The paper is based on a blog series and a threat...