Security Response

Recently, Symantec observed a modified variant of Zeusbot/Spyeye which uses peer-to-peer (P2P) architecture to communicate. The original Zeusbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major point of failure for the bot because the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to gain back control of the bot, but the solution was not very efficient. (Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server is not a typical C&C in its functionalities, but is mainly a collector of information from the drones.)

To overcome these limitations the attackers have now decided to use...

The case about the Bitcoin Infostealer is getting funny: we blogged about a business analysis on Bitcoin Mining, and we also blogged about malware designed to steal bitcoins from unsuspecting users (Infostealer.Coinbit).

Now we have found two more samples of Infostealer.Coinbit that are showing some evolution.

What is interesting about these new samples?

First of all they seem to be from the same author as the previous sample that we blogged about - the binary executables are very similar in structure, and they also have the same strings:

Figure 1...

Following the Trojan.Koredos incident, we stumbled upon a very interesting back door Trojan—Backdoor.Prioxer. We received this Trojan from a source that was also infected by Trojan.Koredos, and although we cannot prove a direct link between the two, we believe it is likely that both threats derive from the same source.

You can read more details about Trojan.Koredos in our previous blog entry. Briefly, Koredos is a threat that was used in a targeted attack against several Korean websites. The Trojan shows a modular architecture and a level of sophistication that suggests the attack is coming from a well-established malware source.

Why is Prioxer interesting? Well, at first glance...

The e-mail spam panorama is definitely showing an interesting trend lately. If you follow the news you may have noticed that a drop in e-mail spam activity was reported in the last couple of months; however, evil is never really defeated, and it is now back with new weaponry. We have already mentioned how a new wave of Waledac (also known as the Storm botnet) is back along with its spam activity since the 1st of January.

The timing of all this does not seem to be coincidental: the drop in spam e-mails began back in October, when the Spamit operation seemed to have shut down for good. This event has been suggested as the cause of the spam drop, together with the...