Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Malicious Code
Showing posts in English
W32.Changeup Installing and Running eMule
Andrea Lelli | 13 Aug 2010 17:01:29 GMT | 0 comments

We have seen many threats that use file-sharing applications in order to spread to other computers. Typically these threats would scan a compromised computer for the shared folders of these programs, and if found would copy themselves into those folders mimicking names that are popular in search queries (e.g. popular pirated softwares, games, or cracks).

W32.Changeup does not scan for existing file-sharing applications, but it does do something unusual. It will actually install a well-known application called Emule and use it to share itself, mimicking tens of thousands of file names from popular user searches. Let’s have a closer look.

Infection
Changeup may arrive on a computer in several ways. As we have seen, it may use the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution...

Read more
Spam Carrying Malicious Infostealer
Samir_Patil | 13 Aug 2010 15:56:06 GMT | 0 comments

Symantec Security Response is currently monitoring a wave of email spam that contains a threat detected by Symantec as Trojan.Zbot. This Trojan arrives as a .zip attachment in an email that purports to contain a legitimate attachment, such as a birthday invitation, photos, or resume. However, the attached zipped executable file is a malicious threat. The attachment file size is 119 KB and can have a pseudo-random file name such as “lance armstrong.zip,” “NH ESS Access Guidelines (2).zip,” “pricing.zip,” “invitation.zip,” “Resume.zip,” “Allhotels.zip,” "ARICertificate-C4H736 + FVM4X48.zip," or "Inv 2985 Cool Cash App.zip."

This Trojan has primarily been designed to steal confidential information, such as online credentials or banking details, but it can be customized to gather any sort of...

Read more
PDF Container Threat
Takashi Katsuki | 09 Aug 2010 19:51:21 GMT | 0 comments

Last year I wrote a blog entry entitled The Fight Against Malicious PDFs Using the ASCII85Decode Filter, which is about a threat that uses the ASCII85Decode filter to hide itself. Since that time, some Adobe Reader vulnerabilities have been found, including a recent zero-day vulnerability. However, attackers like to use not only direct exploitation, but also social engineering. I think this is because patches can fix software vulnerabilities fairly easily, but social engineering requires us (as potential victims) to understand and know what is dangerous, which is never easy.

More recently, I have discovered a social engineering threat that uses a PDF file as a “container” file. This PDF threat contains a 7-Zip file as an attachment...

Read more
Sality Goes LNK
Nicolas Falliere | 09 Aug 2010 13:46:28 GMT | 0 comments

A few months ago, I described the features of W32.Sality in these two blog entries. This well-known virus propagates by infecting Windows executable files. Infected computers also make up a fully decentralized peer-to-peer network, which is used to propagate digitally signed packages of URLs that the bots will download and run malicious files from. The discovery of the LNK vulnerability (BID 41732), initially used by Stuxnet, gave malware authors a cheap, easy, and effective way to propagate their creations.

The Sality gang didn’t waste much time and jumped on the bandwagon in the early days of August. However, it seems that it was only this past weekend that they decided to leverage their botnet to potentially infect even more computers. The latest package downloaded...

Read more
Stuxnet Introduces the First Known Rootkit for Industrial Control Systems
Nicolas Falliere | 06 Aug 2010 19:01:51 GMT | 0 comments

As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.

Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own...

Read more
Phishing Attacks on Indian Banks on the Rise
Mathew Maniyara | 05 Aug 2010 21:21:48 GMT | 0 comments

July 2010 was the month for phishing attacks on Indian banks. A three percent increase in phishing attacks on Indian banks from the previous month has been observed. In particular, Symantec has observed phishing websites that spoofed the Oriental Bank of Commerce—several phishing URLs spoofing the bank were reported in the month of July. In fact, the bank was one of most targeted Indian banking brands during the month.

The phishing site that spoofed the login page of the bank asks for confidential information, such as the customer’s e-mail ID and transaction password. The fraudster’s motive of stealing the login credentials was financial gain. A free webhosting site hosted the phish site. It is quite evident that fraudsters are targeting Internet banking users by increasingly creating more phishing sites and spoofing as many popular Indian brands as possible.

 

...

Read more
Sneakernet Revisited
Kevin Haley | 05 Aug 2010 17:03:25 GMT | 0 comments

Who would have thought that in 2010 we would have an attack based on—wait for it—sneakernet. The latest high-profile example of this is W32.Stuxnet. In the hoopla over some of the more racier aspects of Stuxnet, this part is being ignored. And I don’t think it should be. We’ve been tracking the growing usage of this attack vector (USB thumb drives and the like being shared between computers) for years. In 2009, 72% of malicious code samples causing potential infections propagated using this mechanism, as discussed in the Symantec Internet Security Threat Report, Vol. XV. Why? Because it works. Nothing proved that more than...

Read more
The Evolution of W32.Ackantta.B@mm
Andrea Lelli | 29 Jul 2010 22:33:26 GMT | 0 comments

The Ackantta mass-mailing worm made its first appearance about a year and a half ago. Since then, it has continued to evolve and update its malicious features. We have recently observed one of the latest samples, from the variant W32.Ackantta.B@mm, which demonstrates very interesting tricks and strategies that greatly improve the worm’s stealthiness and its spreading capabilities.

Main purpose:  advertise

Ackantta does not limit itself to spreading to new computers. The purpose of the worm is to drop and run a copy of Trojan.Mozipowp, a Trojan that specializes in advertising. Mozipowp will hijack major Web browsers (Firefox, Opera, Chrome, Internet Explorer) in order to display targeted advertisements on the compromised computer.

...

Read more
W32.Stuxnet – Network Operations
Liam O Murchu | 26 Jul 2010 05:16:58 GMT | 0 comments

Previously in our series of blogs about Stuxnet we wrote about the installation details and the numerous files that are associated with the threat. In this installment I will discuss the network communication and command and control functionality of W32.Stuxnet. Although some of the tasks that the threat performs are automated, other tasks are performed only after the threat has connected to the command and control server and received specific instructions. It is this aspect of the threat that will be discuss here.

After the threat has installed itself, dropped its files, and gathered some information about the system it contacts the C&C server on port 80 and sends some basic information...

Read more
Zlob.P – DNS Poisoning at Home
Fred Gutierrez | 21 Jul 2010 13:58:37 GMT | 0 comments

We have seen several threats that alter DNS settings in the past; however this Zlob variant will do more than just change DNS settings. It will take advantage of popular search engines and make money for itself using ads and affiliates. In this reincarnation, Zlob has three effective states. The first state is when the Trojan infects the computer and installs itself. This is done partly by calculating a cyclical redundancy check (CRC) of when Windows was installed. The second state discovers network topology and reconfigures settings. If accessible, it will even attempt to log in to your router. The third state deals with browser traffic. The Trojan will perform a man-in-the-middle attack and change what the user sees and does, accordingly. We will take a look under the hood and analyze each of these states more closely. 

State I: Installation

In order to ensure that...

Read more