Security Response
Showing posts tagged with Malicious Code
Symantec Security Response | 16 Aug 2010 18:14:25 GMT

A few days ago we came across an interesting application in the Android Market, which we’ve decided to detect as AndroidOS.Tapsnake. Why are we detecting this? A cursory read through the description doesn’t tell us much, other than it’s a spin on the classic “snake” video game, which dates back to the 1970s:

"Yet another modification of the Google Android Snake game. This one listens to the taps for its turn directions." 

Sure enough, after downloading and registering the game it plays as you might expect it to:

However, the Android “satellite” icon appeared in the top menu bar while the game was running, indicating that GPS data was being...

Andrea Lelli | 13 Aug 2010 17:01:29 GMT

We have seen many threats that use file-sharing applications in order to spread to other computers. Typically these threats scan a compromised computer for the shared folders of such programs and, if they find any, copy themselves into those folders under names that are popular in search queries (e.g. popular pirated software, games, or cracks).

W32.Changeup does not scan for existing file-sharing applications, but it does do something unusual. It actually installs a well-known application called eMule and uses it to share itself, mimicking tens of thousands of file names taken from popular user searches. Let’s have a closer look.

Changeup may arrive on a computer in several ways. As we have seen, it may use the Microsoft Windows Shortcut 'LNK' Files Automatic...
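The "one body, many bait names" pattern described above is easy to hunt for on a share: hash every file and look for a single hash that appears under many different names. The following is an added example, not code from the original post or from Symantec; the bait names and the placeholder file body are constructed for the demonstration, and the threshold `min_names` is an assumed tuning knob.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large shares do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_self_copies(folder: str, min_names: int = 5):
    """Group the files in `folder` by content hash and return the groups that
    appear under at least `min_names` different file names.  A worm seeding a
    share with bait names produces exactly this pattern: one body, many names.
    Returns {sha256: [sorted file names]}."""
    by_hash = defaultdict(list)
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            by_hash[sha256_file(path)].append(name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) >= min_names}


# Constructed bait names in the style the post describes (not taken from a real sample).
BAIT_NAMES = [
    "Adobe Photoshop CS5 keygen.exe",
    "Windows 7 Ultimate activator.exe",
    "Call of Duty crack.exe",
    "Office 2010 serial.exe",
    "Photoshop CS5 crack.exe",
    "Nero 10 keygen.exe",
]


def build_sample_share() -> str:
    """Create a temporary 'shared' folder: six copies of one placeholder body
    under bait names plus two genuinely different files.  Test data only."""
    folder = tempfile.mkdtemp(prefix="share_")
    body = b"MZ" + b"\x00" * 2000  # placeholder body, not real malware
    for name in BAIT_NAMES:
        with open(os.path.join(folder, name), "wb") as f:
            f.write(body)
    with open(os.path.join(folder, "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff" + os.urandom(500))
    with open(os.path.join(folder, "notes.txt"), "wb") as f:
        f.write(b"shopping list\n")
    return folder


if __name__ == "__main__":
    for digest, names in find_self_copies(build_sample_share()).items():
        print(f"{digest[:16]}... seen under {len(names)} names, e.g. {names[:3]}")
```

Run against a real eMule or other share directory the same clustering applies unchanged; the only tuning is `min_names`, which should sit well above the number of legitimate duplicates you expect (a handful of renamed copies of one document is normal, dozens of differently named copies of one executable is not).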

Samir_Patil | 13 Aug 2010 15:56:06 GMT

Symantec Security Response is currently monitoring a wave of email spam that contains a threat detected by Symantec as Trojan.Zbot. This Trojan arrives as a .zip attachment in an email that purports to carry a legitimate attachment, such as a birthday invitation, photos, or a resume. However, the zipped file is a malicious executable. The attachment is 119 KB in size and can have a pseudo-random file name such as “lance,” “NH ESS Access Guidelines (2).zip,” "ARICertificate-C4H736 +," or "Inv 2985 Cool Cash".

This Trojan has primarily been designed to steal confidential information, such as online credentials or banking details, but it can be customized to gather any sort of...
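The lure above relies on a zip attachment whose member is an executable dressed up as a document or photo. A mail gateway or triage script can catch this by looking inside the archive rather than at the attachment name. Added example, not code from the original post or from Symantec: the extension lists are an assumed policy and the sample attachment is constructed in memory (a fake PE consisting of an `MZ` header and padding, not a real Zbot sample).

```python
import io
import os
import zipfile

# Assumed policy lists: what we treat as executable, and what a decoy "inner" extension looks like.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".txt"}


def risky_members(zip_bytes: bytes):
    """Inspect every member of a zip attachment and return
    [(member name, [reasons])] for members that look like the
    zipped-executable lure described in the post."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            stem, ext = os.path.splitext(name.lower())
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable extension")
                # "photo.jpg.exe": the inner extension is the decoy the user is meant to see.
                if os.path.splitext(stem)[1] in DECOY_EXTENSIONS:
                    reasons.append("decoy double extension")
            # Extensions lie; the DOS header does not.  Read only the first two bytes.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("PE header regardless of extension")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed attachment for the demonstration, not a real sample: a fake PE
    named like a photo, a harmless text file, and a fake PE hiding behind .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("birthday photos.jpg.exe", b"MZ" + b"\x00" * 3000)
        zf.writestr("invitation.txt", b"You are invited!\n")
        zf.writestr("resume.pdf", b"MZ" + b"\x90" * 100)  # PE disguised as a PDF
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in risky_members(build_sample_attachment()):
        print(f"{name}: {', '.join(reasons)}")
```

Note that the magic-byte check is what catches `resume.pdf`; a rule that only blocks `.exe` inside archives misses the case where the attacker simply renames the payload and relies on a later stage to execute it.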

Takashi Katsuki | 09 Aug 2010 19:51:21 GMT

Last year I wrote a blog entry entitled The Fight Against Malicious PDFs Using the ASCII85Decode Filter, which is about a threat that uses the ASCII85Decode filter to hide itself. Since that time, some Adobe Reader vulnerabilities have been found, including a recent zero-day vulnerability. However, attackers like to use not only direct exploitation, but also social engineering. I think this is because patches can fix software vulnerabilities fairly easily, but social engineering requires us (as potential victims) to understand and know what is dangerous, which is never easy.

More recently, I have discovered a social engineering threat that uses a PDF file as a “container” file. This PDF threat contains a 7-Zip file as...
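Both of the PDF tricks mentioned above, hiding content behind the ASCII85Decode filter and using the PDF as a container for another file type, can be checked for with one small scanner: locate each stream object, decode any stream whose /Filter names ASCII85Decode, and look at the decoded bytes' magic number. This is an added example written for this page, not code from the original post or from Symantec. It assumes streams use the PDF convention of ending in `~>` without a leading `<~` (the Python decoder accepts both), and the sample PDF is constructed inline around a fake 7-Zip header, not a real malicious document.

```python
import base64
import re
import zlib

# Magic numbers worth recognising inside a decoded stream.
SIGNATURES = {
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
    b"MZ": "Windows PE executable",
    b"%PDF": "nested PDF",
}

# Matches "<< ...dict... >> stream\n ...body... \nendstream" for one object.
STREAM_RE = re.compile(
    rb"<<(?P<dict>.*?)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream", re.DOTALL
)


def decode_ascii85_streams(pdf: bytes):
    """Yield (object dictionary, decoded bytes) for every stream whose
    /Filter includes ASCII85Decode.  If FlateDecode is chained after it,
    the inflate step is applied as well."""
    for m in STREAM_RE.finditer(pdf):
        d = m.group("dict")
        if b"/ASCII85Decode" not in d:
            continue
        body = m.group("body").strip()
        if not body.endswith(b"~>"):
            body += b"~>"  # tolerate a missing terminator
        try:
            data = base64.a85decode(body, adobe=True)
        except ValueError:
            continue  # not valid Ascii85: leave it for a deeper parser
        if b"/FlateDecode" in d:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass
        yield d, data


def classify(data: bytes) -> str:
    """Name the file type of a decoded stream by its leading bytes."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def scan_pdf(pdf: bytes):
    """Return [(file type, decoded length)] for each ASCII85-encoded stream."""
    return [(classify(data), len(data)) for _, data in decode_ascii85_streams(pdf)]


def build_sample_pdf(payload: bytes) -> bytes:
    """Constructed input: a minimal PDF with one stream that hides `payload`
    behind ASCII85Decode, written the way PDF writers do ('~>' only)."""
    enc = base64.a85encode(payload, adobe=True)[2:]  # drop '<~', keep '~>'
    return (
        b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(enc)).encode()
        + b" /Filter /ASCII85Decode >>\nstream\n" + enc
        + b"\nendstream\nendobj\n%%EOF\n"
    )


# Fake 7-Zip header plus padding; a signature only, not a real archive.
FAKE_7Z = b"7z\xbc\xaf\x27\x1c" + b"\x00\x04" + b"A" * 40

if __name__ == "__main__":
    for kind, size in scan_pdf(build_sample_pdf(FAKE_7Z)):
        print(f"ASCII85 stream decodes to {size} bytes of {kind}")
```

The regex is deliberately simple and will not cope with every object layout a hostile PDF can use (nested dictionaries, streams whose /Length is wrong, object streams); its job is to surface streams that a plain-text grep for `7z` or `MZ` would never see because the bytes are Ascii85-encoded.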

Nicolas Falliere | 09 Aug 2010 13:46:28 GMT

A few months ago, I described the features of W32.Sality in these two blog entries. This well-known virus propagates by infecting Windows executable files. Infected computers also make up a fully decentralized peer-to-peer network, which is used to propagate digitally signed packages of URLs that the bots will download and run malicious files from. The discovery of the LNK vulnerability (BID 41732), initially used by Stuxnet, gave malware authors a cheap, easy, and effective way to propagate their creations.

The Sality gang didn’t waste much time and jumped on the bandwagon in the early days of August. However, it seems that it was only this past weekend that they decided to leverage their botnet to potentially infect even more computers. The latest...

Nicolas Falliere | 06 Aug 2010 19:01:51 GMT

As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.

Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own...

Mathew Maniyara | 05 Aug 2010 21:21:48 GMT

July 2010 was the month for phishing attacks on Indian banks: a three percent increase in phishing attacks on Indian banks from the previous month was observed. In particular, Symantec observed phishing websites that spoofed the Oriental Bank of Commerce, with several phishing URLs spoofing the bank reported during July. In fact, the bank was one of the most targeted Indian banking brands during the month.

The phishing site that spoofed the login page of the bank asks for confidential information, such as the customer’s e-mail ID and transaction password. The fraudster’s motive for stealing the login credentials was financial gain. The phishing site was hosted on a free web hosting service. It is quite evident that fraudsters are targeting Internet banking users by creating ever more phishing sites and spoofing as many popular Indian brands as possible.



khaley | 05 Aug 2010 17:03:25 GMT

Who would have thought that in 2010 we would have an attack based on—wait for it—sneakernet. The latest high-profile example of this is W32.Stuxnet. In the hoopla over some of the racier aspects of Stuxnet, this part is being ignored, and I don’t think it should be. We’ve been tracking the growing usage of this attack vector (USB thumb drives and the like being shared between computers) for years. In 2009, 72% of malicious code samples causing potential infections propagated using this mechanism, as discussed in the Symantec Internet Security Threat Report, Vol. XV. Why? Because it works. Nothing proved that more than...

Andrea Lelli | 29 Jul 2010 22:33:26 GMT

The Ackantta mass-mailing worm made its first appearance about a year and a half ago. Since then, it has continued to evolve and update its malicious features. We have recently observed one of the latest samples, from the variant W32.Ackantta.B@mm, which demonstrates very interesting tricks and strategies that greatly improve the worm’s stealthiness and its spreading capabilities.

Main purpose: advertising

Ackantta does not limit itself to spreading to new computers. The purpose of the worm is to drop and run a copy of Trojan.Mozipowp, a Trojan that specializes in advertising. Mozipowp will hijack major Web browsers (Firefox, Opera, Chrome, Internet Explorer) in order to display targeted advertisements on the compromised computer.


Liam O Murchu | 26 Jul 2010 05:16:58 GMT

Previously in our series of blogs about Stuxnet we wrote about the installation details and the numerous files that are associated with the threat. In this installment I will discuss the network communication and command and control functionality of W32.Stuxnet. Although some of the tasks that the threat performs are automated, other tasks are performed only after the threat has connected to the command and control server and received specific instructions. It is this aspect of the threat that will be discussed here.

After the threat has installed itself, dropped its files, and gathered some information about the system, it contacts the C&C server on port 80 and sends some basic information...