Security Response

The never-ending game of hide-and-seek between the antivirus industry and rootkits has begun a new chapter. Recently our lab discovered a new rootkit sample in the wild that is very unique given the techniques it uses. It was named Backdoor.Rustock.A, and because of its special characteristics it can be considered the first born of the next generation of rootkits. Rustock.A consists of a mix of old techniques and new ideas that when combined make a malware that is stealthy enough to remain undetected by many rootkit detectors commonly used (such as RootkitRevealer, BlackLight and IceSword). We consider it to be an advanced example of "stealth by design" malicious code. [1]

So, why is Rustock.A so special? Many rootkit detectors use a cross-view based detection algorithm. This means that they detect hidden objects by finding the discrepancies between a high-level view and a low-level view. For example, a simple rootkit detector can enumerate the...

It has been said that the biggest securityproblem for computers and networks is the user. Every black hat worththeir salt knows that the best way to get information from a targetcomputer or network is to manipulate its user or users. The user setsthe password, knows what’s on the computer, and often knows how toconnect to it from outside of the organization. A little socialengineering by an attacker and then blammo!—the user and theirorganization are compromised.

Simple social engineeringcan go a long way, but the existence of certain vulnerabilities canmake the lives of these social-engineering black hats a whole loteasier. Enter the Microsoft HLINK.DLL Link Memory Corruption Vulnerability,which is a critical flaw in the Microsoft Office Excel application.Using this vulnerability, an attacker could take control of a computerby simply downloading the publicly available exploit and...

Almost everyone is aware of the nuisance caused by spam email. When we get to work in the morning we have to delete a bunch of useless messages from our Inbox before we can start the day. When we get home we have to do the same thing before getting around to reading messages from friends and family. Do you ever wonder how these spammers came by our email addresses in the first place?

There are several ways for spammers to gather email addresses to send their messages to. One of the oldest techniques involves sending a “bot” to crawl around on different Web sites, Usenet groups, and other similar Internet resources searching for email addresses. While this method works, it is time-consuming and prone to gathering addresses that are outdated and no longer in use. Another popular method involves generating email addresses using a technique called brute forcing. This method tries sending spam to addresses composed of every possible combination of letters and...

I would never associate the phrase "good ethics" with rogue anti-spyware. Maybe "questionable ethics" or, indeed, "no ethics" are phrases that would be more appropriate! We encounter questionable ethics everyday in the lab, especially when dealing with rogue applications. I will provide some information below on one of the best examples of rogue anti-spyware we have seen in the lab, called "Punisher".

Symantec detects this rogue application as Punisher, but it is also known as Remedy AntiSpy, SystemStable, HitVirus, and Adware Bazooka in the industry. Rogue applications often employ a technique of using various guises, where the application will be advertised and distributed using seemingly different software applications that all turn out to be exactly the same (except, perhaps, a different skin).

We made...