Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Malicious Code
Showing posts in English
Jailing the Butterfly
Vikram Thakur | 02 Mar 2010 23:52:16 GMT | 0 comments

In October 2009 we started tracking the Mariposa, or Butterfly, botnet. At that time, a security company had reported that a large number of Fortune 100 companies had been infected with this threat. Earlier today, news came out that the same firm had worked with the appropriate authorities in arresting alleged key members of the Mariposa botnet.

Back in October 2009 we also blogged about this bot's capabilities, in a brief post called The Mariposa Butterfly. Later that month we were able to get our hands on a toolkit being sold in underground forums that clearly demonstrated the bot's capabilities. More information about that is available in...

Read more
Spammers Rumbling as Chile Earthquake Strikes
Vivian Ho | 01 Mar 2010 19:33:12 GMT | 0 comments

The biggest news flashes for the last 48 hours involve reports of the devastating earthquake that struck near the coast of Chile, along with the tsunami threat to the Pacific region. As the extent of the damage due to the disaster remains unclear, people are eager to seek more information about the quake from any means possible.

Symantec has observed spammers trying to capitalize on the disaster headlines by sending out virus attacks less than a day after the quake. Below is a sample message:

Header:

From: <suporte.email@<removed>
Subject: Terremoto no Chile

Translation:

Subject: Earthquake in Chile

In this message, spammers are using earthquake-related subject lines to lure recipients to open the email, which includes snippets of earthquake news in the body of the message. An image of a collapsed building, purportedly a still image from a video embedded in the email,...

Read more
Daily Homework – Log in to Your Social Network Account
Vivian Ho | 26 Feb 2010 00:04:00 GMT | 0 comments

How many social network accounts do you have? How much time do you spend on your network content and application updates? How many discussion boards or blogs or pictures or games do you need to maintain in each network service?

Besides email and instant messenger programs, social network services have become important media for people to maintain their relationships or business exposure. There are, of course, myriad risks associated with exposing your personal details online when you are not aware of setting proper privacy rules, such as those suggested by the social network services.

Spammers have yet another channel available to send their “love” to you.

Have you had the pleasure of your newly registered social network account sending you tons of friendship invitations on a daily basis? Or, in addition, that same account sends out numerous friendship invitations to your contacts without your consent? Or, have you started receiving lots of junk...

Read more
Do They Know it’s (not) Christmas Time at All?
Hon Lau | 19 Feb 2010 21:51:59 GMT | 0 comments

I saw something quite funny when checking out the spam feeds the other day. An attachment kept appearing, once in a while, with a name of Christmas Card.zip. It was making sporadic appearances in the feeds (and the number of spam email messages was quite low), but there were a couple of these odd messages at equally odd hours of the day:

xmas-candles_spam3.gif

The email message itself was a run-of-the-mill electronic greeting card with an HTML body containing a nice Flash animation—the Flash animation actually comes from a legitimate source (123greetings.com). The email body contains a message asking the user to open the attachment to see who sent the email. Of course, opening the attachment yields a malicious file. The name of the file inside is Christmas Card.htm[MANY SPACES].exe and it is already detected by Symantec as...

Read more
Reputation-based Security: Suspicious.Insight detections on Virus Total
Gerry Egan | 19 Feb 2010 19:01:38 GMT | 0 comments

We recently upgraded our scanner on Virus Total to include our new reputation-based security engine. That has caused a spike in our detection rates, in particular Suspicious.Insight detections, and so I thought I’d take a few minutes to explain some of the background and what is going on.

So what exactly is a Suspicious.Insight detection? These detections are derived from Symantec’s new reputation-based security technology. They highlight files that have not yet developed a strong reputation (either good or bad) amongst Symantec’s community of users. Our goal is to keep our users’ machines safe, and part of achieving that goal means helping our users make informed choices about the files they allow on to their systems. Suspicious.Insight detections help shine a...

Read more
“Kneber” = Zeus
Kevin Haley | 18 Feb 2010 20:57:54 GMT | 0 comments

Recently, Symantec observed some high-profile coverage of a threat being reported as a new type of computer virus known as “Kneber.” In reality Kneber is simply a pseudonym for the Zeus Trojan/botnet. The name Kneber refers to a particular group, or herd, of zombie computers (a.k.a. bots) being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot that also goes by the name Zeus, which has been observed, analyzed, and protected against for some time now.
 
Since Zeus/Zbot toolkits are widely available on the underground economy, it is not uncommon for attackers to create new strains, such as Kneber, of the overall Zeus botnet. Though it is true that this Kneber strain of the overall Zeus botnet is fairly large, it does not involve any new malicious threats. Thus, Symantec customers with up-to-date security software should already be...

Read more
The Pupil Usurps the Master—Not So Fast
Hon Lau | 17 Feb 2010 20:28:00 GMT | 0 comments

Since as far back as I can remember there has always been talk of rivalry and wars between various malware creators. The testosterone-fuelled battles may have even been encouraged by the media running stories of how such-and-such botnet “has X million nodes,” egging the botnet herders to try and outwit and outgrow each other in a competition to grab market share.
 
Take, for example, the Zeus botnet (Trojan.Zbot). This has been around for some time and has now developed into a mature piece of malware that is widely sold and used by wannabe eCriminals to steal information from hapless victims throughout the Internet. The ease of use afforded by the Zeus Trojan builder has helped it achieve its notorious status as one of the most widely seen bots in the world.
 
As with the gold rush in the previous centuries, some people learned that it was...

Read more
Tidserv and MS10-015
Mircea Ciubotariu | 13 Feb 2010 01:17:40 GMT | 0 comments

In the past, viruses and computer threats were created simply for the sake of it. Sometimes these threats would wipe your hard drive clean—just to let you know you’d been owned. This is not the case anymore; nowadays most of the threats we see are profit-oriented and try to keep a very low profile so that they aren't easily detectable by security software.

Backdoor.Tidserv does a very good job in that sense, especially with the latest version (TDL3), which uses an advanced rootkit technology to hide its presence on a system by infecting one of the low-level kernel drivers and then covering its tracks. While the rootkit is active there is no easy way to detect the infection, and because it goes so deep into the kernel, most users cannot see anything wrong in the system.

Most of the time the driver chosen by Tidserv to be infected is “atapi.sys,” but...

Read more
SpyEye Bot versus Zeus Bot
Peter Coogan | 04 Feb 2010 18:36:42 GMT | 0 comments

The Zeus crimeware toolkit has been around now for a while and has grown over time to be the most established crimeware toolkit in the underground economy. In late December 2009 a new crimeware toolkit emanating from Russia—known as SpyEye V1.0—started to appear for sale on Russian underground forums. Retailing at $500, it is looking to take a chunk of the Zeus crimeware toolkit market. Symantec detects this threat as Trojan.Spyeye. Since it is relatively new, we are not seeing a lot of SpyEye activity yet. However, given some time and the observed rate of development for this crimeware toolkit, SpyEye could be a future contender for king of the crimeware toolkits.

SpyEyeLogo.JPG...

Read more
Did the Job of Security Software Just get Bigger?
Con Mallon | 03 Feb 2010 21:01:06 GMT | 0 comments

Well, it looks that way. We are only just into the second month of 2010 and yet we can now see, in prospect, a whole new raft of innovation coming our way. At CES a lot of the attention was with respect to eBook readers and new slate/tablet based PCs. These new devices are squarely focused on digital content. The success of Amazon and Apple in the digital content arena clearly shows that there is a big market for digital content and that money can be made as a result. We have seen a lot of activity in the eBook reader market, with many companies starting to launch products. Amazon, with the Kindle, has very much been the vanguard of showing how this can all come together.
 
CES also witnessed a range of announcements with respect to tablet computers. We saw products from HP, Lenovo (interesting cross-over laptop/tablet device), Sony, Archos, etc. Many of these products will start to come to market mid-point this year. Some people commented that these CES...

Read more