Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Evolution of Security
Showing posts in English
The Mariposa Butterfly
John McDonald | 01 Oct 2009 14:12:07 GMT | 0 comments

There has been a flurry of news articles over the past few days on what the media appears to have labeled the Mariposa botnet, after the name a Canadian information security firm used for this particular threat. The ‘butterfly’ in the title of this article refers to the fact that the threat is believed to stem from the Butterfly bot kit, which is no longer for sale.

Several security vendors have commented that this threat isn't new, and indeed Symantec has been detecting variants of it since as early as January this year. We currently have various detection names for these samples, the majority of which are one variant or another of W32.SillyFDC, Trojan Horse or more recently Packed....

Read more
Inside the Jaws of Trojan.Clampi
Patrick Fitzgerald | 25 Sep 2009 16:45:01 GMT | 0 comments

It’s well known that malware is growing more sophisticated, but few threats have had us scratching our heads like Trojan.Clampi. In order to remove the mystery around this threat, Security Response will be publishing a series of blogs talking about various aspects of Clampi. As an introduction, we’d like to present a brief overview of the threat.

Distribution
Trojan.Clampi has been around for a number of years now. During this time it has gone through many iterations, changing its code with a view to avoid detection and also to make it difficult for researchers to analyze.

From our analysis it seems that Clampi has mainly affected machines in the US. Clampi infection rates seem to be skewed towards countries where English is the primary language.  This may indicate the first infections were as a result of malicious drive-by attacks on...

Read more
Tweeting Misleading Applications
Ben Nahorney | 24 Sep 2009 20:48:07 GMT | 0 comments

A lot can be said with 140 characters. It’s just enough to convey a point, but constricting enough to make things concise. No wonder microblogging sites such as Twitter have become so popular.

Unfortunately one of the limitations here is sharing Web pages with long URLs. In order to address this issue, URL-shortening utilities have grown in popularity on the site. Using such tools allows you to include a link well within the 140-character limit, which will redirect anyone who clicks it to the longer URL and thus the site you wanted to share.

There’s one downside here, from a security point of view—you’ll often have no idea where the link leads until you click it. Clicking any link like this is entirely a security leap of faith. Unfortunately malware authors have caught on to this and are currently distributing misleading applications using these shortened URLs. Using enticing tweets and commonly used twitter search terms, their goal is to get...

Read more
Not all Reputation Technologies are Created Equal
Gerry Egan | 22 Sep 2009 19:04:27 GMT | 0 comments

Have you ever noticed how movies tend to come in waves? A few years ago it seemed like every action movie had a space theme; then the following year the big new movies featured some kind of natural disaster. This past summer it seemed like every other movie was in 3-D. Technology, as we all know, has waves too, and the security industry is no different. For example, recently there has been a lot of talk about reputation-based security and suddenly it seems like every vendor is claiming to have some type of reputation technology. But, not all technologies are created equal, so I thought I’d take a few minutes to look at what makes Symantec’s reputation-based technology so very different.

Why is a new approach needed?

Two fairly recent trends have had a negative impact on the effectiveness of traditional approaches to security. First, many of today’s threats are highly polymorphic—they are able to easily hide because nearly every instance of...

Read more
Busy Days for the Koobface Gang
Symantec Security Response | 01 Sep 2009 13:33:48 GMT | 0 comments

Koobface is a worm that infects users by using social engineering attacks. It spreads by abusing social networking websites such as Facebook, Twitter, and MySpace, or by employing search engine optimization (SEO) techniques to lure potential victims to malicious sites.

We have been monitoring Koobface for a while now, and here we have some findings based on analyzing data collected over three weeks. These findings shed some light onto the modus operandi of the gang behind Koobface and the effectiveness of its techniques.

The infrastructure used by the Koobface gang is relatively simple: a central redirection server redirects victims to one of the infected bots where the actual social engineering attack takes place. While the central redirection point has been actively targeted by take-down requests, the Koobface gang has so far been quick to replace suspended domain names and blacklisted IPs with new ones. The figure below shows the timeline of some of the...

Read more
I Want More Obfuscation!
Nishant Doshi | 27 Aug 2009 14:59:54 GMT | 0 comments

Did I just say that? Usually security researchers hate obfuscation. But I say, let them obfuscate more!

Obfuscation is a loosely defined term, but it basically refers to a method of concealing your exploit code to avoid detection. Attackers employ various techniques and methodologies to achieve obfuscation. Some techniques are very clever and take even the most seasoned security researcher by surprise. In most cases, attackers try to obfuscate their exploit by stretching the limits of the language or protocol they are using. Some take advantage of the detection engine limitations as well.

Today many detection engines parse files and network streams to detect vulnerabilities and odd behavior by using pattern-matching algorithms. However, in many cases the detection logic used has some limitations and assumptions built in. Some limitations stem from the architecture of the detection engine, and some stem from the risk of a false positive. In this cat and mouse game,...

Read more
Zeus, King of the Underground Crimeware Toolkits
Peter Coogan | 25 Aug 2009 19:43:45 GMT | 0 comments

The Zeus crimeware toolkit has been around now for some time and is well established in the underground economy as being an easy-to-use and powerful tool for stealing personal data from remote systems. Initially linked to a group of criminals known as the “Rock Phish” group and targeting worldwide financial institutions, the toolkit has since become widely available both for sale and for free on underground forums.

The following video provides an insight into the Zeus crimeware toolkit, the underground economy, and distribution methods for the Trojan:

 

...
Read more
Twitter Filter Aimed at Killing Malicious Links
Zulfikar Ramzan | 20 Aug 2009 09:21:51 GMT | 0 comments

Recently, Twitter implemented technology to help stem the threat of malicious URLs being propagated though its service. This approach seems to be a great effort on the part of Twitter to prevent attackers from tweeting malicious links.

It appears as if the tool is filtering tweets and comparing any embedded URL to their list of known malicious sites. Trying to determine whether a URL points to a malicious website in a large-scale automated fashion, especially in today’s threat landscape, is a challenging problem. From my perspective, there are a few issues that need to be worked out. Twitter is likely in the nascent stages of addressing these types of issues and we expect they will try to overcome the associated limitations.

To date we've only seen a relatively small number of attack attempts involving malicious URLs on Twitter. URL-shortening services are often at the heart of these types of attacks as bad guys try to take advantage of the system to disguise...

Read more
Not all Security Vendors are Created Equal
Kevin Haley | 18 Aug 2009 23:24:39 GMT | 0 comments

Many years ago I worked in the network router business. Back then, as a product manager, I wrote datasheets. Yeah, exciting stuff, but you have to start somewhere. There were these datasheets—the backs of them always contained what we called the "speeds and feeds," which included the different types of connections the router supported, the different protocols, and the performance numbers. If you knew nothing about routers and networking protocols it must have looked like just a bunch of incomprehensible numbers.

When I look through some versions of the Symantec Internet Security Threat Report I can’t help but think of those speeds and feeds I use to write. You could look at the data in the ISTR as just a bunch of numbers. Although, one of the things I like about the ISTR is how easy to read and accessible it is. So, my speeds and feeds analogy breaks down here. I think it is likely that some people do look at the report as a bunch of numbers and find it...

Read more
Downloader, Micro-blogging, and Prophecy
Symantec Security Response | 16 Aug 2009 11:39:09 GMT | 0 comments

We posted a blog "Twittering Botnets" a few days ago that gave details of malware that receives obfuscated URLs from Twitter messages. This malware is detected as Downloader.Sninfs. This blog also made a prophecy that alternative sites could be used in the same fashion, and unfortunately this one has come true.

A new variant of this threat has emerged that uses not only Twitter, but also another social networking and micro-blogging site Jaiku.com. Symantec detects this Trojan as Downloader.Sninfs.B.

Like the previous variant, Downloader.Sninfs.B also attempts to get URLs from obfuscated Twitter status messages. However, if that attempt fails, the Trojan will use the...

Read more