Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Evolution of Security
Showing posts in English
Ben Nahorney | 20 Oct 2009 11:37:29 GMT

Rogue security software scams are everywhere these days. The numbers are quite staggering—over 250 distinct programs racking up 43 million installation attempts, according to our new Report on Rogue Security Software.

Still, when it comes down to functionality and code base, it’s more akin to a few people with really large wardrobes. There might be dozens of variations of the same underlying program, each receiving minor updates and a new software skin. They even use the same fake threat names when attempting to scam you—stuff like “Spyware.Monster” or “Spyware.IEmonster”.

Ultimately what we’re looking at is variety in graphic design rather than functional design. We’ve put together a video to show just that. Our report calls these threats Antivirus200X—a “family” of rogue security...

Téo Adams | 19 Oct 2009 17:06:33 GMT

Given their financial motivations, the distributors of rogue security software scams need to affect a broad number of potential victims. Getting the program onto a victim’s computer is a critical step in rogue security software scams and the scammers use a variety of techniques to do so. While some rogue security software programs rely on just a few specific techniques to achieve this, many of them incorporate multiple techniques to improve the odds of success. The distribution techniques for rogue security software programs can be simplified into two groups: installation methods and advertising methods.

The installation methods for rogue security software can either be intentional or unintentional. Scammers who persuade victims that they need the rogue software to address security concerns lure the victims into downloading the software intentionally. This is a common approach to rogue security software installation that was used by 93 percent of the top rogue security...

khaley | 19 Oct 2009 12:11:08 GMT

In the 80’s I lived in NYC. At the time, enterprising hustlers had re-introduced the old Three Card Monte con game to NYC streets. Like wide ties and frozen yogurt shops, Three Card Monte always seemed to come back into fashion. Before you knew it, the streets were full of grifters running games. Whole blocks would be lined with these low-rent con men, standing behind cardboard boxes, tossing cards and asking the suckers to put their money on the red queen.
 
How could there be that many bad guys running Three Card Monte scams at one time? Well, there was plenty of money to be made, and it drew the criminal element like flies to honey. Grifters were making a lot of money at the con and every two-bit chiseler wanted their own piece of the action. Plus, there was very little needed to get in on the scam. The barrier to entry was low. You only need three playing cards, a couple of...

Nicolas Falliere | 16 Oct 2009 16:00:11 GMT

Let’s continue our Trojan.Clampi blog series by discussing three more modules downloaded and executed by Clampi. These modules share the common goal of gathering information, private or not, contained on the compromised computer. They don’t intercept network traffic like the Logger module does (described in my previous blog).

The PROT module
This module gathers private information from several sources, including Protected Storage (PStore), which contains user credentials stored by Internet Explorer or Outlook for instance. Interestingly, it also sets specific registry values in order to facilitate the creation of new entries in the PStore.
For instance, it sets the following registry entires:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet...
Gilou Tenebro | 14 Oct 2009 11:25:26 GMT

Trojan.Bredolab is a threat that has been distributed widely and consistently this year. This research paper takes a closer look at the Trojan to discover how it works, why it’s so widespread, and the motivations behind it.

In short, Bredolab is distributed by spam emails and drive-by-download attacks. (In fact, last month we blogged about a wave of spam emails used to distribute it.) Once it’s on a computer, Bredolab downloads and installs a variety of other threats. This process is outlined in the following diagram.
 
bredo_attacks_BN.jpg

We have seen Bredolab downloading password stealers, bots, rootkits, backdoors, and misleading applications.  Some...

Marc Fossi | 13 Oct 2009 19:38:07 GMT

In the fight against cybercrime, cooperation between security industry leaders, law enforcement, and Internet technology providers is becoming ever-more important; case in point, Conficker, which received so much attention earlier this year. To address this threat, the Conficker Working Group—a large-scale collaborative effort among security vendors, law enforcement agencies, and ISPs—was formed with successful results.

This week, technology industry, government, and law enforcement leaders from around the globe have converged upon Microsoft’s Redmond, WA campus for the first-ever meeting of the Digital Crimes Consortium. Symantec is a platinum sponsor of the Digital Crimes Consortium and is partnering with Microsoft on this important initiative. In addition, myself and fellow Symantec Security Technology and Response expert Jeff Wilhelm are presenting on key security topics at the event.

The consortium is intended to be a foundation for building a...

Symantec Security Response | 13 Oct 2009 14:35:50 GMT

Malware authors often leave hidden messages in files for analysts to find or for other malware authors to see. However, finding a curse on my whole family in a flash exploit file came as somewhat of a surprise!

The file in question was being distributed on the Internet circa June of this year and was being hosted on some Chinese domains. After decompressing the file and extracting the ActionScript I saw some Chinese characters used within the script. I don’t speak Chinese myself, so I had one of our engineers who does translate the message:

Warning.jpg
 
This roughly translates to:

“Dadong declares that: This file is used only for internal technical research, if you decrypt it your whole family will die, if you use it as a part of a Trojan your whole family will die also! If you use this file illegally you take responsibility for all results.”...

Nicolas Falliere | 12 Oct 2009 17:01:37 GMT

As mentioned in our previous blog entry, most of the Trojan.Clampi features reside in separate modules that are sent by a remote server in response to clients’ queries. In this part of this blog series, we’ll have a look at one of the modules used by the malware to steal login credentials mostly from banking Web sites.
 
This module is codenamed LOGGER by the threat. After decryption, the beginning of the module’s raw data looks like this (compressed):

blog-2-image-1.jpg

To avoid downloading the module each time Clampi runs, it is stored in the registry (in an encrypted form) in a value named “Mxx”, where “xx” is a zero-based number...

khaley | 07 Oct 2009 22:05:29 GMT

Every day when I walk into work I’m greeted by an avalanche of data on new malware and Internet scams. The numbers in the last few years have been staggering. And when you think about the people behind the numbers it can get quite sad—people who’ve had their computers taken over, been scammed, stolen from, and just plain abused by cyberthiefs. It can get to you. A lot of days I don’t feel so good. Today I feel better. The FBI just announced they will arrest nearly 100 people involved in a phishing scheme.

The FBI calls it Operation Phish Fry. Operation Phish Fry means that someone in the FBI loves a bad pun. But the important thing is it means that a whole bunch of bad guys are going to jail. It’s not going to eliminate all phishing attacks (we detected 55,389 phishing Web site hosts in 2008 alone). But this latest move takes a lot of bad guys off the Internet and...

Nicolas Falliere | 06 Oct 2009 15:45:37 GMT

Trojan.Clampi is one of the hottest malware around, and as such, received a fair amount of media coverage, as well as technical reports describing some of its functionalities. As part of our ongoing blog series, we will be discussing interesting and rarely presented aspects of Clampi. Today, we’ll introduce an important aspect of Clampi: the network communication.

First of all, if you’re not familiar with this malware already, Clampi is a Trojan horse whose main purpose is to steal private information: user passwords, login credentials, software licenses, credit card numbers, bank account information, etc. Note that Clampi’s operations are performed by helper modules, downloaded by the main executable, and stored in the Windows registry.

Once the threat is installed on a computer, it connects to one of the gateway servers listed in the registry value “GatesList...