Security Response
Fred Gutierrez | 21 Jul 2010 13:58:37 GMT

We have seen several threats that alter DNS settings in the past; however, this Zlob variant does more than just change DNS settings. It takes advantage of popular search engines and makes money for itself through ads and affiliate programs. In this reincarnation, Zlob has three effective states. The first state is when the Trojan infects the computer and installs itself. This is done partly by calculating a cyclic redundancy check (CRC) of the Windows installation date. The second state discovers the network topology and reconfigures settings. If accessible, it will even attempt to log in to your router. The third state deals with browser traffic. The Trojan performs a man-in-the-middle attack and alters what the user sees and does accordingly. We will take a look under the hood and analyze each of these states more closely.

State I: Installation

In order to ensure that...

Symantec Security Response | 16 Jul 2010 22:05:04 GMT

Update: The infection figures below were produced using telemetry data generated by Symantec products, and are therefore weighted towards countries with a larger Symantec install base. For more comprehensive and up-to-date infection figures, generated from traffic going directly to W32.Stuxnet command and control servers, please see our blog from July 22 or our W32.Stuxnet whitepaper.

We have received some queries recently regarding the new rootkit threat being called “Tmphider” or “Stuxnet.” This threat, discovered recently, has been garnering some attention due to the fact that it uses a previously unseen technique to spread via USB drives—among other interesting features. We have compiled some of the questions we have been...

Shravan Shashikant | 08 Jul 2010 20:27:31 GMT

Symantec detected a major spam attack using the PDF vector on July 1, 2010. The attack comprises a crafty message asking the recipient to confirm his or her phone number in a PDF file attachment disguised as a phone bill. The payload within the PDF is a Trojan that is detected by Symantec as Trojan.Pidief.I, which exploits the Adobe Acrobat and Reader CVE-2010-0188 Unspecified Remote Code Execution vulnerability in order to drop additional malware onto the compromised computer.

Sample of the Trojan.Pidief.I attack

The attack lasted three hours and accounted for approximately 6% of all spam seen during that time, and it constituted approximately 1% of all spam seen on that day. Although PDF spam isn’t new,...

Hon Lau | 24 Jun 2010 11:58:09 GMT

We have recently seen some instances of spam email hitting our spam traps with a story about the Brazilian soccer coach Dunga, who was given a black eye by an angry fan last Sunday. The spam email has the following characteristics:
Subject: Tecnico Dunga e agredido por Torcedor.
Email body: (Translated)

Dunga trading punches with fans, and ends with black eye. The coach of Brazilian national team, Dunga, was hit on Sunday morning by a fan who was angry about not having called Ronaldinho Gaucho and Paul Henry Goose. It happened around 10:00 am yesterday in CT training in Johannesburg in South Africa, Dunga filed a complaint with the police but the accused managed to escape.
>> Watch the video released


The link redirects to:

John McDonald | 15 Jun 2010 20:18:10 GMT
If you missed Parts I and II of this blog series, you can find them here and here. I finished Part II promising to reveal the organization behind this sorry saga.
Following the trail

The trail really wasn’t very hard to follow. When we looked up some of the IP addresses from the Active Connections listing (in Part II), we found some interesting results:

This one appeared in both lists (along with several other addresses in the same subnet): the list from Derek’s computer and the one from our virus lab machine. It was also the top generator of traffic on our virus lab machine (we didn’t take such stats from Derek’s PC). Doing a...

Security Intel Analysis Team | 14 Jun 2010 22:37:57 GMT

While investigating the malware and shellcode that were associated with the recent Adobe Flash Player, Adobe Reader, and Acrobat 'authplay.dll' Remote Code Execution Vulnerability (BID 40586), we came across some interesting similarities to the malware and shellcode that were used in the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability (BID 38615) targeted attacks from March 2010.

The first similarity is in the shellcode

The image below is the function-hooking shellcode that was used in the targeted attacks against the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability in March 2010:

Below is the function-hooking shellcode that was used in the targeted attacks...

John McDonald | 11 Jun 2010 15:38:44 GMT
I left off promising to reveal the mysterious application that was consuming my friend Derek’s bandwidth and trying to figure out how it got on his computer in the first place. Please note that all images (except one from this point on) were not actually taken from Derek’s computer, but instead were captured from a recreation of events using a honeypot computer inside our virus lab, and therefore may not accurately reflect what exactly took place on Derek’s machine.
Recalling events

Roughly a week prior to asking for my help, Derek had been surfing the Web, reading blogs, chatting with friends, and checking out some of his favorite sites as usual. That day he came across a video trailer for a movie that had just been released and decided to watch it. After downloading it onto his computer—which, as...

John McDonald | 02 Jun 2010 22:48:22 GMT
We post a lot of blogs here about all kinds of threats, including pervasive botnets, rootkits, rogue apps, the latest flavor of spam doing the rounds, and so on and so forth. So, for a change I thought I’d talk about something a bit more personal that happened closer to home—something that happened to a good friend of mine. Not a gruesome tale by any means, but one that will hopefully be of interest to some of our less technical readers who may be able to identify with my friend’s plight. I’ve separated the story into three sections and will post them here a few days apart, each containing links to their preceding posting so anyone who missed one can easily catch up.
Part I – Discovery
A call for help

A friend of mine, Derek, recently asked me if I could help him figure out why his Internet connection had been running so slowly for the...

Eoin Ward | 26 May 2010 18:31:14 GMT

In previous blogs, Symantec has highlighted threats that steal user data. We recently analyzed a new sample submitted to Symantec and came across a server hosting the credentials of 44 million stolen gaming accounts. What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck.

This particular database server we uncovered seems very much to be the heart of the operation—part of a distributed password checker aimed at Chinese gaming websites. The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games....

Karthik Selvaraj | 03 May 2010 20:35:39 GMT

Zeus/Zbot is one of the most widely known Internet threats today. It has been around since 2007, has evolved over time, and is still under constant development into a stronger, more prolific Trojan.
A few weeks ago we came across a variant of Zbot showing that it has undergone code refactoring and some functional changes in the Trojan's infection technique and behavior. The variant is now known as version 2.0 (named after the Trojan builder kit version).
In overview, for the common PC user, new changes mean that:

  • Your PC could have multiple infections of Zbot, thereby sending your personal information to multiple Zbot controllers.
  • Zbot is aiming for information from different browsers, including Firefox.
  • Zbot is expanding its ability to run in newer operating systems such as Windows 7.
  • Zbot is in constant development, so it might be around for...