Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts for October of 2009
Showing posts in English
Ben Nahorney | 26 Oct 2009 06:24:31 GMT

I came across something interesting while chasing up a fake antivirus lead the other day. As we often do here when looking for new threats, I visited the malicious URL and ran through the standard steps to download and install the risk. (Video of the threat follows below.)

It was one of those run-of-the-mill fake codec sites. You go to a page to watch a video, only it tells you that you don’t have the correct codec to watch it. You’re prompted to install a “codec”, but then bam!—an unexpected antivirus scan starts running on your computer.

In this case, while I was presented with a typical installation routine, an error message appeared at the end. This is also not uncommon, often meant to make the user think the codec failed to install, which they might believe is why they still can’t watch the video afterwards.

What was interesting was that no fake security scan appeared afterwards. However, I noticed the all-too-familiar...

Mayur Kulkarni | 23 Oct 2009 16:55:34 GMT

People are always curious about different theories on tragedy, especially those involving airplanes or ship accidents. In fact, even after the Titanic sank decades back, hundreds of books were published and movies developed based on expert views. Malicious software authors use information related to similar tragedies to entice recipients into clicking on virus-laden links. We mentioned one such example of this in our blog last year after the earthquake in China in June 2008.

In a new spam campaign, recipients are lured by contradicting information published by a news agency regarding 9/11 Pentagon damage. Users are encouraged to spot a plane in the pictures, which are included in the email. They are also supplied with a URL link to access more information. This link redirects users to a hijacked website that will point to an HTA file (a program that can be run from an HTML document). When users...

Nicolas Falliere | 23 Oct 2009 08:20:58 GMT

Today, we’ll discuss the two remaining Clampi modules used for replication and traffic relay capabilities. The SOCKS module is very straight-forward—it’s a SOCKS proxy server. Normal SOCKS proxy servers act as a connection relays and are used for many purposes, such as connection filtering, passing traffic through firewalls, or to maintain anonymity.

The server’s code is injected into an instance of Internet Explorer. It then listens for incoming connections on a random TCP port above 5000. The SOCKS module is activated in response to a control server’s command. The client then sends the port it’s listening on for inbound connections to the proxy server:


In the above example, the SOCKS server will be listening to port 38329 (which is 0x95B9 in hexadecimal base).

Usually, relay servers like this one expect authentication from the...

Gaurav Dixit | 22 Oct 2009 16:39:27 GMT

Misleading applications, also known as rogue applications, have always tried to lure users into their traps by using various techniques such as fake security scans, misleading task bar notifications, popup windows, etc. To take this to a new level, developers of these applications are now frequently changing the product name and its associated website name in order to mislead users and antivirus vendors. Clones of the same product—with different names—continue to appear almost every day. Earlier this week Symantec published its Report on Rogue Security Software, which discusses misleading apps in greater detail. A couple of examples of rogue security software are given below. We identify one such family of rogue or misleading applications as WiniGuard:


Those who...

M.K. Low | 21 Oct 2009 17:26:34 GMT

Rogue security software programs, also known as misleading applications or scareware, are programs that pretend to be legitimate security software, such as an antivirus scanner or registry cleaner, but which actually provide the user with little or no protection whatsoever. Well known examples of rogue security software include AntiVirus 2009, Malware Defender 2009, and System Guard 2009.

The recently published Symantec Report on Rogue Security Software includes a discussion on a number of servers that Symantec observed hosting these misleading applications from July to August 2009....

Nicolas Falliere | 20 Oct 2009 15:40:27 GMT

This chapter in our Clampi saga brings us back to the malware’s logging facility. As we saw before, one of Clampi’s modules, codenamed LOGGER, is responsible for logging outgoing information going to a determined list of URLs – stored in a data file as CRCs.

One problem arises with banking sites that preprocess the user’s personal information before sending it over HTTPS—it’s done using client-side JavaScript.  For instance, a hash of the input PIN number could be sent instead of the PIN number itself. This mechanism adds an extra layer of security, preventing malware from sniffing network traffic at one end of the SSL tunnel. But still, it’s only covering one end. It’s more secure than no encryption, but still not great. At least two methods exist to get around this:

  • Setting up a keylogger using either software (...
David McKinney | 20 Oct 2009 15:12:40 GMT

The Symantec Report on Rogue Security Software includes an in-depth analysis of the methods scammers use to distribute rogue security applications. This blog presents some of the highlights of the research into the distribution of these scams.

In the report, the following distribution and advertising trends were observed:

•    Ninety-three percent of the top 50 most prevalent rogue security applications were distributed as intentional downloads. This means that victims are tricked into believing they are downloading legitimate security software and subsequently installing the rogue application.
•    Seventy-six percent of the top 50 most prevalent rogue security applications were classified as unintentional downloads. This means that the software may be installed unintentionally through drive-by downloads or...

Ben Nahorney | 20 Oct 2009 11:37:29 GMT

Rogue security software scams are everywhere these days. The numbers are quite staggering—over 250 distinct programs racking up 43 million installation attempts, according to our new Report on Rogue Security Software.

Still, when it comes down to functionality and code base, it’s more akin to a few people with really large wardrobes. There might be dozens of variations of the same underlying program, each receiving minor updates and a new software skin. They even use the same fake threat names when attempting to scam you—stuff like “Spyware.Monster” or “Spyware.IEmonster”.

Ultimately what we’re looking at is variety in graphic design rather than functional design. We’ve put together a video to show just that. Our report calls these threats Antivirus200X—a “family” of rogue security...

Téo Adams | 19 Oct 2009 17:06:33 GMT

Given their financial motivations, the distributors of rogue security software scams need to affect a broad number of potential victims. Getting the program onto a victim’s computer is a critical step in rogue security software scams and the scammers use a variety of techniques to do so. While some rogue security software programs rely on just a few specific techniques to achieve this, many of them incorporate multiple techniques to improve the odds of success. The distribution techniques for rogue security software programs can be simplified into two groups: installation methods and advertising methods.

The installation methods for rogue security software can either be intentional or unintentional. Scammers who persuade victims that they need the rogue software to address security concerns lure the victims into downloading the software intentionally. This is a common approach to rogue security software installation that was used by 93 percent of the top rogue security...

khaley | 19 Oct 2009 12:11:08 GMT

In the 80’s I lived in NYC. At the time, enterprising hustlers had re-introduced the old Three Card Monte con game to NYC streets. Like wide ties and frozen yogurt shops, Three Card Monte always seemed to come back into fashion. Before you knew it, the streets were full of grifters running games. Whole blocks would be lined with these low-rent con men, standing behind cardboard boxes, tossing cards and asking the suckers to put their money on the red queen.
How could there be that many bad guys running Three Card Monte scams at one time? Well, there was plenty of money to be made, and it drew the criminal element like flies to honey. Grifters were making a lot of money at the con and every two-bit chiseler wanted their own piece of the action. Plus, there was very little needed to get in on the scam. The barrier to entry was low. You only need three playing cards, a couple of...