Security Response
Showing posts for October of 2010
Masaki Suenaga | 01 Nov 2010 05:25:39 GMT

As my colleague Kazumasa Itabashi outlined in this blog, Trojan.Zbot.B, a.k.a. the Zeus botnet, attempts to download files from URLs with random-looking domain names that the Trojan generates based on the system time.

When it accesses these domains with a path of /news/?s=[NUMBER], it downloads a configuration file, which is also digitally signed. The downloaded file looks like this:

Because the configuration file is encrypted, we have to decrypt it by applying RC4 and then XOR-ing byte-wise from bottom to top, each byte with the byte preceding it. Once the decryption and de-obfuscation have been applied, we can see a little more clearly the contents of the...

Mayur Kulkarni | 28 Oct 2010 22:57:10 GMT

Symantec has come across a spam campaign for an Indian stock, perhaps for the first time. As is usual in typical stock spam messages, this particular email claims that the stock price for this company will rise by 500% because of a possible buyout or partnership with an American outsourcing company, and it urges recipients to buy the stock quickly.

Subject lines for these spam attacks are:

· Indian shares with 800.% gain potential
· Best indian stock on the nse market
· India's most secret pennystock

This is definitely an attempt to influence the stock price of a publicly traded company. The exaggerated profits for little investment promised in the spam message may tempt users, especially with Diwali approaching, to seize the opportunity to earn quick bucks. However, users need to understand that such promotions are meant to artificially increase the stock price, albeit...

Suyog Sainkar | 28 Oct 2010 16:56:39 GMT

Symantec observed that dating spam messages and spam messages distributing malware were most prevalent in the recent past. These spam messages dominated the list of top 10 spam subject lines in the past 30 days.

Subject lines:

· Katya 21y.o, new message for you
· Julia 22y.o, new message for you.
· hello
· Blank subject line
· LinkedIn Messages, 9/30/2010
· LinkedIn Alert
· Re: CV
· hi!
· LinkedIn new messages

Samir_Patil | 28 Oct 2010 16:30:37 GMT

Diwali is a “Festival of Lights” celebrated across India between late October and early November. This year, Diwali will be celebrated from November 3rd to November 7th. It is symbolic of a ‘new beginning’, the victory of light over darkness, good over evil, and the welcoming of Lakshmi, the goddess of wealth and prosperity. Therefore, it is a grand celebration. The inner joy and liberation that one feels is articulated in a myriad of expressions: preparation of delicious sweets, entertainment, lighting firecrackers, decorations, visiting loved ones, and exchanging gifts.

Traditionally, Diwali is also an auspicious time ‘to buy’ and ‘to spend’. Discounts and special offers decorate the walls of every mall and shop, and even online shopping Web sites. This is the best opportunity for spammers, who don’t blink twice at exploiting such revelry. We are already observing considerable spam volume exploiting...

Jeet Morparia | 28 Oct 2010 09:49:28 GMT

Recently, Symantec Security Response analyzed a Trojan that uses social networking vectors to infect users on multiple platforms. Virus writers have often used this technique to entice unsuspecting users to click on a malicious link, which may result in the download and execution of threats onto the user’s “PC” (one example being W32.Koobface). I say “PC” because in the computer world, PC is synonymous with Windows computers, and they are often the target platform for virus writers for various reasons. But the popularity of other operating systems, for example Mac OS X, has captured the attention of malware writers. They are constantly trying to expand their scope beyond Windows and maximize their infection base by infecting other popular operating systems.

This particular Trojan (that Symantec detects as...

Karthik Selvaraj | 28 Oct 2010 07:28:50 GMT

This is a follow up to the Limited Firefox Zero-Day Attack in the Wild blog posted by my colleague Joji Hamada.

The exploit for the Mozilla Firefox 3.5/3.6 Remote Heap Buffer Overflow Vulnerability (BID 44425) uses a series of heap-sprayed ROP (return-oriented programming) gadgets built from code in xul.dll to bypass Data Execution Prevention (DEP). These ROP gadgets were used only to relocate the shellcode into memory that is readable, writable, and executable, and therefore no longer subject to DEP, and then execute it there. It is noteworthy that the xul.dll module has ASLR enabled on supported operating systems such as Windows Vista and Windows 7, which prevents this threat from running on those platforms.

To drop the malware onto an unsuspecting victim’s computer, this exploit employs a little trick: The malicious executable to be dropped onto the...

Joji Hamada | 27 Oct 2010 06:25:27 GMT

Earlier today, Mozilla confirmed on its blog that an unpatched vulnerability exists in Firefox 3.5 and 3.6.

Unfortunately, code exploiting the vulnerability is out in the wild. It has been reported that the website for the Nobel Peace Prize was compromised to host the exploit code. Symantec detects the malicious file that is dropped to the %Windir%\Temp folder when the exploit code is successfully run as Backdoor.Belmoo. Funnily enough, the name of this file is "symantec.exe". The file attempts to connect to remote domains that are hosted in Taiwan and, when successful, it opens a command shell to start a connection. This allows the attacker to send commands and pretty much perform anything on the compromised computer as if s/he is sitting...

Hon Lau | 26 Oct 2010 15:56:59 GMT

Things are starting to get a little tougher in the botnet world. This year we have witnessed many shutdowns of major botnets and their owners arrested. We have also seen money mules arrested and - more importantly - arrests of the creators of Trojan creation kits (the Mariposa Butterfly toolkit). Clearly everybody in the botnet food chain is beginning to feel pressure these days, and as in any business, tough times often trigger the consolidation of operators in the competitive landscape. According to an interesting report by Brian Krebs a couple of days ago, the Zeus (Zbot) toolkit creator has left (or perhaps sold) his business and the creators of the SpyEye toolkit have...

Shunichi Imano | 22 Oct 2010 10:30:02 GMT

Zbot, otherwise known as the Zeus botnet, has been around for quite a while and has been called the "King of Bots"; it has infected millions of computers worldwide. The Zbot construction kit is on sale and widely available in the underground community. Other botnet kits are also being sold and are challenging the Zbot peddlers. This means that the Zbot authors have no choice but to update the construction kits to accommodate the needs of their criminal client base, stay ahead of their rivals, and hold on to the title of King of the Bots. The result appears to be the samples discovered recently that Symantec detects as Trojan.Zbot.B and Trojan.Zbot.B!inf.

Candid Wueest | 21 Oct 2010 21:06:15 GMT

According to a recent article in the Wall Street Journal, many of the popular Facebook applications—such as social games—record the Facebook user ID and share it with third-party companies. This issue obviously affects millions of Facebook users who regularly use Facebook applications.

The applications’ behavior is clearly against the Facebook rules for application designers, but unfortunately there is no good way to enforce the policies, since the information is transmitted to remote servers in order for the application to process it. If the application stores a user ID together with a usage profile for later analysis, that data is completely outside of Facebook's reach. Basically, once the application receives the information, its operators control it and decide what they want to do with it. Earlier today, Facebook posted a...