Security Response
Elia Florio | 08 Mar 2007 08:00:00 GMT | 0 comments

Following further research and also some feedback received from Sunbelt (thanks to Alex for that) we are posting a short follow up about the Windows Live hijack story reported yesterday. First of all, we notice that some of the domains returned by Windows Live open popup boxes and pages with false Windows errors and problems.

This is the usual social engineering scam to induce people to install programs like WinFixer or ErrorSafe. Those programs are security risks that may give exaggerated reports of threats on the computer, and they only get installed on the machine if users agree and click “Yes” to begin the installation.

Today we were also able to verify that a subset of the bad domains returned by Windows Live redirect Italian computers to some malicious Web sites hosting several exploits and delivering malware. This behavior affects, at the...

Liam O Murchu | 07 Mar 2007 08:00:00 GMT | 0 comments

On March 5, we posted a blog about a new threat called Trojan.Bayrob that targets users of the eBay auction site and, more specifically, motor auctions. Following further research, we are able to shed some more light on the mechanics of Trojan.Bayrob. As stated previously, this attack is targeted at users who will be highly likely to buy a car on eBay, (e.g. second-hand car sales companies).

In this attack, victims are sent an email about a car that is being offered for sale. The email contains a legitimate slide show program that shows images of the car on offer; however, the email also contains the Trojan.Bayrob file. Below are two examples of what the slide show looks like. While the victim views the slide show, the Trojan is...

Eric Chien | 07 Mar 2007 08:00:00 GMT | 0 comments

Symantec has recently received a phishing email that makes use of an interesting technique of hiding a phishing site URL. When receiving a suspected phishing message, one of the methods of determining if the embedded URLs are legitimate or not is to simply pass your cursor over the underlined hyperlink and then check the URL in the status bar of your browser. In the status bar, you can see if the link belongs to the appropriate domain or not.

Using Javascript, one can alter the text in the status bar. So, when browsing on the Web in general, this isn't always a reliable technique to verify the underlying URL. However, when receiving an HTML email in an email client (including Webmail), Javascript is generally neutered so it does not execute, preventing the obfuscation of the status bar via Javascript, making this technique more reliable. However, this phishing message we recently received is able to modify what is displayed in the status bar without the use...

Elia Florio | 07 Mar 2007 08:00:00 GMT | 0 comments

Windows Live is “everything you need, all in one place” and it looks like the search engine really does know what exactly it is that Italians need! Today, we came across a story that was reported by Sunbelt about a takeover of the Italian version of the Windows Live search engine. We decided to do a bit more investigating into those rumors.

At the moment, the problem is that when someone searches a combination of specific Italian keywords on the Windows Live portal, that person will always get a set of weird links in the search results. These weird links will most likely be related to the Linkoptimizer gang (aka Gromozon)—so this likely means that the Gromozon gang has managed to take over and manipulate the search results of Windows Live by getting their links to end up on the top of the search result lists.
Masaki Suenaga | 05 Mar 2007 08:00:00 GMT | 0 comments

WordPress, a blog-publishing system written in PHP, has had a recent release of its software compromised that may allow remote code execution via a back door. While apparently limited to certain copies of 2.1.1, WordPress has since released an updated and verified version 2.1.2 and are advising people running any flavor of 2.1.1 to upgrade as soon as possible. They have also released a statement about it.

The modified code in the hacked version is contained in the following two .php files:

These files contain instructions that can grab the parameter of the WordPress hosting service URL and pass it to either the PHP script engine or the command program of the operating system, allowing the attacker to execute a remote command on the server running the hacked version of WordPress. This includes downloading and...

Liam O Murchu | 05 Mar 2007 08:00:00 GMT | 0 comments

We have recently received a new threat that targets users of the eBay auction site and, more specifically, motor auctions. The threat, named Trojan.Bayrob, is quite advanced and tries to implement a man in the middle style attack. While we have previously seen Infostealers that try to steal your username and password, a threat attempting a man in the middle attack on eBay is very unusual.

Man in the middle attacks are very powerful, but are also difficult to code correctly. Trojan.Bayrob takes the approach of implementing a local proxy server and directing traffic bound for eBay through this local proxy server. The proxy server listens on localhost port 80.

To send traffic through its proxy server, Trojan.Bayrob changes the etc/hosts file to force traffic bound for the following sites through the local proxy server:

Eric Chien | 05 Mar 2007 08:00:00 GMT | 0 comments

Recently, a new IRCbot known as Rinbot has been making the news. There are multiple variants of Rinbot (over 20 at the time of writing) and more variants are likely. However, to put Rinbot in perspective, the largest family of bots known as Spybot already has over 30,000 variants. In addition, Rinbot does not introduce any new functionality and, in fact, contains far less default functionality than the average Spybot. Based on the spread of previous variants, we don't foresee a large worldwide outbreak of Rinbot at this time. Nevertheless, just one bot infection on your network can pose trouble.

So, people shouldn't overreact to any threat posed by Rinbot itself, but instead use this opportunity to ensure they are taking proactive steps to address possible...

Orlando Padilla | 02 Mar 2007 08:00:00 GMT | 0 comments

The media surrounding the effectiveness of Windows Vista's new security features has (in my opinion) just begun. Microsoft's reach is well beyond that of any other software vendor in the world, and with this achievement comes fame, power, and a corporate life under a microscope. To honor this tradition, I previously posted an entry about the effects of malicious code executed under a default Vista environment; if you haven't read it, you are certainly encouraged to. This research has now been completed and this new entry should serve as a complement to my previous post. A paper detailing the full research has been made available here.

The outcome of the research:

In my previous blog, I mentioned that...

Eric Chien | 28 Feb 2007 08:00:00 GMT | 0 comments

Soon after information was released about a vulnerability in the in.telnetd daemon in Solaris 10, Symantec's Deepsight monitoring system began to see spikes in port 23 traffic. Most of this traffic was due to people scanning for vulnerable systems. However, yesterday we saw a renewed spike in traffic that has been correlated to a worm known as Wanuk, which uses the vulnerability to spread.
Once Wanuk is on the system, it drops an executable that creates a /bin/sh back door, which listens on port 32982/TCP. In addition, Wanuk's payload includes sending out system broadcast messages of creatively designed shout-outs to a...

Elia Florio | 28 Feb 2007 08:00:00 GMT | 0 comments

People using Web 2.0 have personal Web spaces, blogs, and online discussions on forums and public boards. Everyone can create Web content from his or her own computer just by using the browser. So what would be the perfect vector for spreading malware in the Web 2.0 world? The Web itself, of course.

On Monday we posted a blog about a new variant of Trojan.Mespam distributed via the StormWorm/Peacomm botnet. We noticed that this new Mespam takes advantage of new Web technologies and spreads by injecting malicious links when users interact with the Web.

What does this mean? When users are about to post something on any Web site running vBulletin or phpBB, the Trojan will sneakily add a malicious link into the outgoing Web packet. The same also happens when users are sending emails using clients such as Gmail, Yahoo, Lycos, Tiscali...