Security Response
Showing posts for October of 2009
Henry Bell | 19 Oct 2009 08:23:50 GMT

The most stressful thing about Halloween has always been deciding on a costume. Second place: making sure to have enough candy around for trick-or-treaters who may come a-knocking. All pretty straightforward stuff, right? This time around, though, it looks like the folks behind various rogue security software packages are using Halloween-related search engine poisoning techniques to hoist their fake scanners and other malware onto the computers of unsuspecting users.

While searching for a Halloween costume, one of my Security Response colleagues found a number of pages that – following the usual chain of JavaScript redirects – employ various techniques to coerce the user into installing one of several rogue security applications. Poisoned search terms discovered by us include ‘Halloween costumes’, ‘Best Halloween recipes’ and ‘Halloween theme music’, and it’s likely that there are many more where those came from.


Nicolas Falliere | 16 Oct 2009 16:00:11 GMT

Let’s continue our Trojan.Clampi blog series by discussing three more modules downloaded and executed by Clampi. These modules share the common goal of gathering information, private or not, contained on the compromised computer. They don’t intercept network traffic like the Logger module does (described in my previous blog).

The PROT module
This module gathers private information from several sources, including Protected Storage (PStore), which contains user credentials stored by Internet Explorer or Outlook for instance. Interestingly, it also sets specific registry values in order to facilitate the creation of new entries in the PStore.
For instance, it sets the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet...
Hon Lau | 14 Oct 2009 19:43:52 GMT

Over the past few days a sustained email spam campaign has been running to distribute new Zeusbot variants. Initially the campaign kicked off with a story from “your administrator” about some server upgrade that requires you to download and execute a patch to ensure that your computer continues to work properly:
Subject: Important - Read Carefully
Email Body:

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file
and then to run it from your computer...

Peter Coogan | 14 Oct 2009 19:08:54 GMT

Yesterday a friend of mine sent me a copy of an email he received regarding the renewal of a domain name he owned, which was due to expire. Since the information in the email was correct, he clicked on the renewal link provided. At this point he became dubious of the email—and for good reason. As in most cases like this, at first glance you would find it difficult to spot anything out of the ordinary with this type of email and would simply presume that it was a friendly reminder from your ISP to re-register your domain name.

When the link provided in the email is clicked (in order to supposedly renew the domain) it brings you to a site where you are presented with a page like the one shown below. Again, there is nothing really out of the ordinary and all appears nice and professional:

Gilou Tenebro | 14 Oct 2009 11:25:26 GMT

Trojan.Bredolab is a threat that has been distributed widely and consistently this year. This research paper takes a closer look at the Trojan to discover how it works, why it’s so widespread, and the motivations behind it.

In short, Bredolab is distributed by spam emails and drive-by-download attacks. (In fact, last month we blogged about a wave of spam emails used to distribute it.) Once it’s on a computer, Bredolab downloads and installs a variety of other threats. This process is outlined in the following diagram.

We have seen Bredolab downloading password stealers, bots, rootkits, backdoors, and misleading applications.  Some...

Joji Hamada | 14 Oct 2009 07:20:12 GMT

Michael Jackson's new song "This Is It" premiered at midnight on October 12, where fans can listen to it for free. But apparently a 45-second preview of the song leaked onto YouTube the day before.

The spam below has been making the rounds to trick folks into accessing the link included in the email to listen to the preview (obviously it's not a real email from CNN, nor is the ad a real ad from GAP!).

Once the user clicks on the link, the browser opens a page on a site that's believed to be compromised and refreshes to another site, which appears to be hacked as well, to execute a .hta file that is detected as Downloader.Psyme.

Once the .hta file is executed, a file called AutoCfg.exe (detected as...

Marc Fossi | 13 Oct 2009 19:38:07 GMT

In the fight against cybercrime, cooperation between security industry leaders, law enforcement, and Internet technology providers is becoming ever-more important; case in point, Conficker, which received so much attention earlier this year. To address this threat, the Conficker Working Group—a large-scale collaborative effort among security vendors, law enforcement agencies, and ISPs—was formed with successful results.

This week, technology industry, government, and law enforcement leaders from around the globe have converged upon Microsoft’s Redmond, WA campus for the first-ever meeting of the Digital Crimes Consortium. Symantec is a platinum sponsor of the Digital Crimes Consortium and is partnering with Microsoft on this important initiative. In addition, fellow Symantec Security Technology and Response expert Jeff Wilhelm and I are presenting on key security topics at the event.

The consortium is intended to be a foundation for building a...

Robert Keith | 13 Oct 2009 19:09:22 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a very heavy month—the vendor is releasing 13 bulletins covering a total of 34 vulnerabilities.

Twenty-one of the issues are rated “Critical” and affect GDI+, Active Template Library (ATL), Media Player, .NET, Silverlight, Internet Explorer, Server Message Block (SMB), and Media Runtime. Most of those are client-side vulnerabilities that require a victim to open a malicious file or visit a malicious page. The SMB issue is a fairly serious server-side vulnerability that was reported early last month.

The remaining issues, rated “Important” and “Moderate,” affect GDI+, Windows Indexing Service, Windows kernel, CryptoAPI, Internet Information Services (IIS), LSASS, and SMB.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while...

Symantec Security Response | 13 Oct 2009 14:35:50 GMT

Malware authors often leave hidden messages in files for analysts to find or for other malware authors to see. However, finding a curse on my whole family in a flash exploit file came as somewhat of a surprise!

The file in question was being distributed on the Internet circa June of this year and was being hosted on some Chinese domains. After decompressing the file and extracting the ActionScript I saw some Chinese characters used within the script. I don’t speak Chinese myself, so I had one of our engineers who does speak it translate the message:

This roughly translates to:

“Dadong declares that: This file is used only for internal technical research, if you decrypt it your whole family will die, if you use it as a part of a Trojan your whole family will die also! If you use this file illegally you take responsibility for all results.”...

Nicolas Falliere | 12 Oct 2009 17:01:37 GMT

As mentioned in our previous blog entry, most of the Trojan.Clampi features reside in separate modules that are sent by a remote server in response to clients’ queries. In this part of this blog series, we’ll have a look at one of the modules used by the malware to steal login credentials mostly from banking Web sites.
This module is codenamed LOGGER by the threat. After decryption, the beginning of the module’s raw data looks like this (compressed):


To avoid downloading the module each time Clampi runs, it is stored in the registry (in an encrypted form) in a value named “Mxx”, where “xx” is a zero-based number...