Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Malicious Code
Showing posts in English
W32.Stuxnet – Commonly Asked Questions
Symantec Security Response | 16 Jul 2010 22:05:04 GMT | 0 comments

Update: The infection figures below were produced using telemetry data generated by Symantec products, and are therefore weighted towards countries with a larger Symantec install base. For more comprehensive and up-to-date infection figures, generated from traffic going directly to W32.Stuxnet command and control servers, please see our blog from July 22 or our W32.Stuxnet whitepaper.

We have received some queries recently regarding the new rootkit threat being called “Tmphider" or "Stuxnet.” This threat, discovered recently, has been garnering some attention due to the fact that it uses a previously unseen technique to spread via USB drives—among other interesting features. We have compiled some of the questions we have been...

Read more
PDF Spam is Back—Again!
Shravan Shashikant | 08 Jul 2010 20:27:31 GMT | 0 comments

Symantec detected a major spam attack using the PDF vector on July 1, 2010. The attack comprises a crafty message asking the recipient to confirm his or her phone number in a PDF file attachment disguised as a phone bill. The payload within the PDF is a Trojan that is detected by Symantec as Trojan.Pidief.I, which exploits the Adobe Acrobat and Reader CVE-2010-0188 Unspecified Remote Code Execution vulnerability in order to drop additional malware on to the compromised computer.

Sample of the Trojan.Pidief.I attack

The attack lasted three hours and accounted for approximately 6% of all spam seen during that time, and it constituted approximately 1% of all spam seen on that day. Although PDF spam isn’t new, this is the...

Read more
Don’t Let This Email Give Your Computer A Black Eye
Hon Lau | 24 Jun 2010 11:58:09 GMT | 0 comments

We have recently seen some instances of spam email hitting our spam traps with a story about the Brazilian soccer coach Dunga, who was given a black eye by an angry fan last Sunday. The spam email has the following characteristics:
 
Subject: Tecnico Dunga e agredido por Torcedor.
 
Email body: (Translated)

Dunga trading punches with fans, and ends with black eye. The coach of Brazilian national team, Dunga, was hit on Sunday morning by a fan who was angry about not having called Ronaldinho Gaucho and Paul Henry Goose. It happened around 10:00 am yesterday in CT training in Johannesburg in South Africa, Dunga filed a complaint with the police but the accused managed to escape.
 
>> Watch the video released
 

 
The link redirects to:
redyr....

Read more
What’s Hogging my Bandwidth? Part 3 - Joining the Dots
John McDonald | 15 Jun 2010 20:18:10 GMT | 0 comments

Recap

If you missed Parts I and II of this blog series, you can find them here and here. I finished Part II promising to reveal the organization behind this sorry saga.
 
Following the trail

The trail really wasn’t very hard to follow. When we looked up some of the IP addresses from the Active Connections listing (in Part II), we found some interesting results:

This one appeared in both lists (along with several other addresses in the same subnet); the list from Derek’s computer and the one from our virus lab machine. It was also the top generator of traffic on our virus lab machine (we didn’t take such stats from Derek’s pc). Doing a...

Read more
A Zero-day Connection
Security Intel Analysis Team | 14 Jun 2010 22:37:57 GMT | 0 comments

While investigating the malware and shellcode that were associated with the recent Adobe Flash Player, Adobe Reader, and Acrobat 'authplay.dll' Remote Code Execution Vulnerability (BID 40586), we came across some interesting similarities to the malware and shellcode that were used in the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability (BID 38615) targeted attacks from March 2010.

The first similarity is in the shellcode

The image below is the function-hooking shellcode that was used in the targeted attacks against the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability in March 2010:

Below is the function-hooking shellcode that was used in the targeted attacks against the Adobe Flash...

Read more
What’s Hogging my Bandwidth? Part 2 - Analysis
John McDonald | 11 Jun 2010 15:38:44 GMT | 0 comments

Recap

I left off promising to reveal the mysterious application that was consuming my friend Derek’s bandwidth and trying to figure out how it got on his computer in the first place. Please note that all images (except one from this point on) were not actually taken from Derek’s computer, but instead were captured from a recreation of events using a honeypot computer inside our virus lab, and therefore may not accurately reflect what exactly took place on Derek’s machine.
 
Recalling events

Roughly a week prior to asking for my help, Derek had been surfing the Web, reading blogs, chatting with friends, and checking out some of his favorite sites as usual. That day he came across a video trailer for a movie that had just been released and decided to watch it. After downloading it onto his computer—which, as...

Read more
What’s Hogging my Bandwidth?
John McDonald | 02 Jun 2010 22:48:22 GMT | 0 comments

Introduction

We post a lot of blogs here about all kinds of threats, including pervasive botnets, rootkits, rogue apps, the latest flavor of spam doing the rounds, and so on and so forth. So, for a change I thought I’d talk about something a bit more personal that happened closer to home—something that happened to a good friend of mine. Not a gruesome tale by any means, but one that will hopefully be of interest to some of our less technical readers who may be able to identify with my friend’s plight. I’ve separated the story into three sections and will post them here a few days apart, each containing links to their preceding posting so anyone who missed one can easily catch up.
 
Part I – Discovery
 
A call for help

A friend of mine, Derek, recently asked me if I could help him figure out why his Internet connection had been running so slowly for the...

Read more
44 Million Stolen Gaming Credentials Uncovered
Eoin Ward | 26 May 2010 18:31:14 GMT | 0 comments

In previous blogs, Symantec has highlighted threats that steal user data. We recently analyzed a new sample submitted to Symantec and came across a server hosting the credentials of 44 million stolen gaming accounts. What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck.

This particular database server we uncovered seems very much to be the heart of the operation—part of a distributed password checker aimed at Chinese gaming websites. The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games....

Read more
A Brief Look at Zeus/Zbot 2.0
Karthik Selvaraj | 03 May 2010 20:35:39 GMT | 0 comments

Zeus/Zbot is one of the most widely known Internet threats today. It’s been around since 2007 and has evolved over time, and is still in a constant state of being developed into a stronger, more prolific Trojan.
 
A few weeks ago we came across a variant of Zbot representing the fact that it has undergone code refactoring and some functional changes in the Trojan's infection technique and behavior. The variant is now known as version 2.0 (named after the Trojan builder kit version).
 
In overview, for the common PC user, new changes mean that:
 

  • Your PC could have multiple infections of Zbot, thereby sending your personal information to multiple Zbot controllers.
  • Zbot is aiming for information from different browsers, including Firefox.
  • Zbot is expanding its ability to run in newer operating systems such as Windows 7.
  • Zbot is in constant development, so it might be around for...
Read more
Qakbot Steals 2GB of Confidential Data per Week
Patrick Fitzgerald | 22 Apr 2010 19:19:21 GMT | 0 comments

Our previous blog entries about W32.Qakbot gave details about how the threat works, how it spreads, and its capabilities for stealing information. This entry focuses on the scale and type of data Qakbot has been successful in acquiring.

Stealing data

Qakbot monitors compromised computers for sensitive information and uploads the stolen data to an FTP server. The FTP server information is downloaded from the botnet and can change over time. Here is an example of a recent FTP configuration:

exec=!var ftphost_1=ftp.df[REMOVED]
exec=!var ftphost_2=web1[REMOVED]
exec=!var ftphost_3=ftp.su[REMOVED]
exec=!var ftphost_4=ftp.ab[REMOVED]
exec=!var ftphost_5=ftp.51[REMOVED]
exec=!var ftphost_6=ftp.fan[REMOVED]

While analyzing this threat we gained...

Read more