
Security Response

Showing posts by Andrea Lelli, in English
Andrea Lelli | 28 Nov 2011 | 0 comments

Recently, Symantec observed a modified variant of Zeusbot/Spyeye that uses a peer-to-peer (P2P) architecture to communicate. The original Zeusbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major single point of failure for the bot: the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down, it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to regain control of the bot, but this fallback was not very efficient. (Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server does not behave as a typical C&C; it is mainly a collector of information from the drones.)

To overcome these limitations the attackers have now decided to use...
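The fallback described above works only because the bot's "pseudo-random" domain list is reproducible by anyone holding the algorithm and its seed: the attacker uses that to register a domain in advance, and an analyst who has reversed the sample uses it to block or sinkhole the same domains before they are needed. The following is an added illustration of that property, not Zeus's real algorithm: the seed string, hash, label length and TLD set are all assumptions chosen for the example.

```python
import hashlib
from datetime import date, timedelta

# Assumed TLD set for the illustration; the real bot's list is not given on this page.
TLDS = ("com", "net", "org", "info", "biz")
EXAMPLE_DAY = date(2011, 11, 28)  # constructed: the post's publication date


def generate_domains(day, count=20, seed="demo-seed"):
    """Return the candidate fallback domains a bot would try on `day`.

    Hypothetical date-seeded DGA: every party that knows the seed and the
    date (attacker, or analyst who extracted it from the sample) derives
    exactly the same list in the same order.
    """
    domains = []
    for index in range(count):
        material = f"{seed}|{day.isoformat()}|{index}".encode()
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def bot_fallback(day, registered):
    """Bot side: walk the day's list and return the first domain that
    'resolves' (here: is present in the `registered` set), else None."""
    for domain in generate_domains(day):
        if domain in registered:
            return domain
    return None


def precompute_blocklist(start, days=7):
    """Defender side: predict every domain the bot could fall back to over
    the next `days` days so they can be blocked or sinkholed in advance."""
    blocklist = set()
    for offset in range(days):
        blocklist.update(generate_domains(start + timedelta(days=offset)))
    return blocklist


if __name__ == "__main__":
    # Attacker registers the 4th candidate for the day; the bot finds it.
    attacker_registered = {generate_domains(EXAMPLE_DAY)[3]}
    print("bot reconnects via:", bot_fallback(EXAMPLE_DAY, attacker_registered))
    # Defender who knows the algorithm has already blocked it.
    blocked = precompute_blocklist(EXAMPLE_DAY)
    print(len(blocked), "domains pre-blocked; attacker's domain covered:",
          attacker_registered <= blocked)
```

The asymmetry the post points at is visible in the last two lines: the attacker must register and keep alive a domain for each day, while the defender can block a whole week's worth with a single computation, which is why a P2P layer is a more attractive fix for the botnet operator.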

Andrea Lelli | 19 Jun 2011 | 0 comments

The Bitcoin Infostealer story keeps getting more interesting: we blogged about a business analysis of Bitcoin mining, and we also blogged about malware designed to steal bitcoins from unsuspecting users (Infostealer.Coinbit).

Now we have found two more samples of Infostealer.Coinbit that show some evolution.

What is interesting about these new samples?

First of all, they seem to be from the same author as the previous sample we blogged about: the binary executables are very similar in structure, and they also contain the same strings:

Figure 1...
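The "same strings" observation above is the quickest attribution check available during triage. As an added example (not the blog's own tooling), the following extracts printable ASCII and UTF-16LE strings from two binaries the way the `strings` utility does and reports the overlap as a Jaccard score. The two byte blobs are constructed for the example; the file and API names inside them are placeholders, not strings recovered from Infostealer.Coinbit.

```python
import re

# Runs of 4+ printable ASCII bytes, and 4+ printable chars in UTF-16LE
# (Windows binaries carry many of their strings in the wide form).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(blob):
    """Return the set of strings found in `blob` (ASCII and UTF-16LE)."""
    found = {m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)}
    found |= {m.group().decode("utf-16le") for m in WIDE_RUN.finditer(blob)}
    return found


def compare_samples(a, b):
    """Shared/unique strings and a Jaccard similarity between two binaries."""
    sa, sb = extract_strings(a), extract_strings(b)
    shared, union = sa & sb, sa | sb
    return {
        "shared": shared,
        "only_a": sa - sb,
        "only_b": sb - sa,
        "jaccard": len(shared) / len(union) if union else 0.0,
    }


# Constructed sample blobs: a fake MZ header, some null-terminated ASCII
# strings and one wide string. Placeholder content, not real malware bytes.
SAMPLE_A = (b"MZ\x90\x00" + b"\x00" * 6
            + b"wallet.dat\x00" + b"%APPDATA%\\Bitcoin\x00"
            + b"smtp.mail.example\x00\x03\xff"
            + "GetWindowsDirectoryA".encode("utf-16le") + b"\x00\x00")
SAMPLE_B = (b"MZ\x90\x00" + b"\x00" * 6
            + b"wallet.dat\x00" + b"%APPDATA%\\Bitcoin\x00"
            + b"pop3.mail.example\x00\x03\xff"
            + "GetWindowsDirectoryA".encode("utf-16le") + b"\x00\x00"
            + b"v2 build\x00")

if __name__ == "__main__":
    result = compare_samples(SAMPLE_A, SAMPLE_B)
    print(f"similarity {result['jaccard']:.2f}")
    print("shared:", sorted(result["shared"]))
    print("new in B:", sorted(result["only_b"]))
```

On real samples, run it over the unpacked files (packed binaries share almost no strings with each other or with their own unpacked form), and treat the `only_b` set as the list of what changed between versions, which is exactly the "evolution" the post goes on to describe.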

Andrea Lelli | 15 Mar 2011 | 0 comments

Following the Trojan.Koredos incident, we stumbled upon a very interesting back door Trojan—Backdoor.Prioxer. We received this Trojan from a source that was also infected by Trojan.Koredos, and although we cannot prove a direct link between the two, we believe it is likely that both threats derive from the same source.

You can read more details about Trojan.Koredos in our previous blog entry. Briefly, Koredos is a threat that was used in a targeted attack against several Korean websites. The Trojan shows a modular architecture and a level of sophistication that suggests the attack is coming from a well-established malware source.

Why is Prioxer interesting? Well, at first glance...

Andrea Lelli | 12 Jan 2011 | 0 comments

The e-mail spam landscape has been showing an interesting trend lately. If you follow the news you may have noticed that a drop in e-mail spam activity was reported in the last couple of months; however, evil is never really defeated, and it is now back with new weaponry. We have already mentioned how a new wave of Waledac (also known as the Storm botnet) is back, along with its spam activity, since 1 January.

The timing of all this does not seem to be coincidental: the drop in spam e-mails began back in October, when the Spamit operation seemed to have shut down for good. This event has been suggested as the cause of the spam drop, together with the...

Andrea Lelli | 17 Dec 2010 | 0 comments

We have recently found in-the-wild samples of a new C&C (command-and-control) engine named Dream Loader, detected as Trojan.Karagany by Symantec products. The engine comes as a pack that contains both a builder, to build your own executable bot, and a Web interface to control all your bots by sending them commands over the Web.

Origins and marketing

The pack, version 0.3, is relatively new and seems to originate from Russia; it was first found in November and is designed to be modular and to load plugins. It has some nice features, although it is not as advanced as other packs such as Zeusbot. The pack was being sold for $550, a price that covers the backdoor itself (not the builder) and the Web interface. Every update to the backdoor configuration (e.g. a new URL for the C&C server) would require...

Andrea Lelli | 01 Sep 2010 | 0 comments

In previous blogs we have discussed how malware can exploit a search engine’s indexing features in order to spread malicious content. Recently we have observed a massive compromise of websites under the .ch and .nl top-level domains, aimed at performing a massive search engine optimization (SEO) attack to spread fake antivirus applications.

To keep track of pages on the Internet, search engines use automated Web scanners called crawlers or spiders. Their purpose is to find every possible Web page on the net, read its content, and index it for future user searches. Attackers often try to exploit this feature in order to trick a search engine into associating a malicious Web page with very common...
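The usual way a compromised site is made to "trick" the crawler is cloaking: the page answers a crawler's request with keyword-stuffed text to be indexed, answers a visitor arriving from a search result with a redirect to the fake antivirus, and answers everyone else (including the site owner) with the original page. The code below is an added model of that decision logic together with the probe a site owner can run against their own pages; it is the generic black-hat SEO pattern, not code recovered from the .ch/.nl compromise, and the hostnames, user-agent strings and page bodies are invented.

```python
# Substrings typical of search-engine crawler User-Agents (assumed list).
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandexbot", "slurp")
# Referer hosts that mean "this visitor clicked a search result".
SEARCH_REFERERS = ("google.", "bing.", "yahoo.")

KEYWORD_PAGE = "<html>free antivirus scan download remove virus now ...</html>"
ORIGINAL_PAGE = "<html>Welcome to our bakery in Bern</html>"
FAKEAV_URL = "http://fakeav.invalid/scan.php"  # invented landing page


def cloaked_response(user_agent, referer):
    """Model of a poisoned page. Returns (status, body_or_location)."""
    ua = user_agent.lower()
    if any(marker in ua for marker in CRAWLER_MARKERS):
        return 200, KEYWORD_PAGE      # crawler indexes the keyword bait
    if any(host in referer.lower() for host in SEARCH_REFERERS):
        return 302, FAKEAV_URL        # search visitors are sent to the fake AV
    return 200, ORIGINAL_PAGE         # direct visitors (and the owner) see nothing odd


def honest_response(user_agent, referer):
    """A page that serves the same content to everybody."""
    return 200, ORIGINAL_PAGE


def detect_cloaking(fetch):
    """Request one URL under three identities and diff the answers.

    `fetch(user_agent, referer)` must return (status, body_or_location)
    and must NOT follow redirects, otherwise the 302 is invisible.
    """
    browser_ua = "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2) Gecko/20100101 Firefox/3.6"
    baseline = fetch(browser_ua, "")
    as_crawler = fetch("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "")
    from_search = fetch(browser_ua, "http://www.google.com/search?q=free+antivirus")

    findings = []
    if as_crawler != baseline:
        findings.append("crawler receives different content than a browser")
    if from_search[0] in (301, 302, 303, 307) and from_search != baseline:
        findings.append("search-engine referer is redirected to " + from_search[1])
    return findings


if __name__ == "__main__":
    print("poisoned page:", detect_cloaking(cloaked_response))
    print("clean page:   ", detect_cloaking(honest_response))
```

To probe a live site, replace `fetch` with a function that issues the HTTP request with the given headers and redirects disabled; compare the three responses from the same IP address in quick succession, since some kits also key on the client address and on time of day.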

Andrea Lelli | 13 Aug 2010 | 0 comments

We have seen many threats that use file-sharing applications in order to spread to other computers. Typically these threats scan a compromised computer for the shared folders of these programs and, if found, copy themselves into those folders under names that are popular in search queries (e.g. popular pirated software, games, or cracks).

W32.Changeup does not scan for existing file-sharing applications, but it does do something unusual: it actually installs a well-known application called eMule and uses it to share itself, mimicking tens of thousands of file names from popular user searches. Let’s have a closer look.

Infection
Changeup may arrive on a computer in several ways. As we have seen, it may use the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution...

Andrea Lelli | 29 Jul 2010 | 0 comments

The Ackantta mass-mailing worm made its first appearance about a year and a half ago. Since then, it has continued to evolve and update its malicious features. We have recently observed one of the latest samples, from the variant W32.Ackantta.B@mm, which demonstrates very interesting tricks and strategies that greatly improve the worm’s stealthiness and its spreading capabilities.

Main purpose: advertising

Ackantta does not limit itself to spreading to new computers. The purpose of the worm is to drop and run a copy of Trojan.Mozipowp, a Trojan that specializes in advertising. Mozipowp will hijack major Web browsers (Firefox, Opera, Chrome, Internet Explorer) in order to display targeted advertisements on the compromised computer.

...

Andrea Lelli | 08 Jun 2010 | 0 comments

Last weekend, we warned our customers about a zero-day exploit targeting Adobe Flash and Reader in the wild. The corresponding BID can be seen here. We have updated our antivirus definitions to detect this new threat as Trojan.Pidief.J, and we have analysed the exploit to understand how it works.

At first glance, the PDF document looks suspicious: it contains a JavaScript object and a Flash application. The JavaScript is clearly malicious and has the typical form of heap-spraying code:

Image 1: Malicious JavaScript code...
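The "typical form" the post refers to is recognisable mechanically: a block of `%uXXXX` escapes passed to `unescape()`, a short unit repeated into a sled, a loop that doubles a string until it reaches a target size, and a loop that fills an array with copies. The following is an added triage script, not Symantec's analysis tooling: it pulls `/JS (...)` literal strings out of an uncompressed PDF and scores the JavaScript against those four indicators. The PDF fragment and both scripts are constructed for the example; the `%u4141` "shellcode" is filler, not a payload, and `%u0c0c` is used because it is the classic spray unit.

```python
import re


def extract_pdf_js(pdf):
    """Return the bodies of every /JS (...) literal string in `pdf`.

    Handles nested balanced parentheses and backslash escapes, which is all
    the PDF literal-string syntax allows. /JS <hex> strings and /JS streams
    inside FlateDecode objects would need decoding first and are out of scope.
    """
    scripts = []
    for match in re.finditer(rb"/JS\s*\(", pdf):
        i, depth, buf = match.end(), 1, bytearray()
        while i < len(pdf):
            c = pdf[i]
            if c == 0x5C:                    # backslash: copy the escape pair verbatim
                buf += pdf[i:i + 2]
                i += 2
                continue
            if c == 0x28:                    # "(" nests
                depth += 1
            elif c == 0x29:                  # ")" closes; depth 0 ends the string
                depth -= 1
                if depth == 0:
                    break
            buf.append(c)
            i += 1
        scripts.append(buf.decode("latin-1"))
    return scripts


# Each heuristic is a first-pass indicator; real samples usually hide these
# behind eval()/String.fromCharCode and need de-obfuscation before scoring.
HEURISTICS = {
    # four or more %uXXXX units handed to unescape(): encoded shellcode / sled
    "unescape_%u_blocks": lambda js: sum(
        len(b) // 6 for b in re.findall(r'unescape\(\s*"((?:%u[0-9a-fA-F]{4})+)"', js)) >= 4,
    # the same %u unit back to back: NOP-sled style filler such as %u0c0c%u0c0c
    "repeated_%u_unit": lambda js: re.search(r'(%u[0-9a-fA-F]{4})\1', js) is not None,
    # while (x.length < N) x += x;  grows a block to a chosen size
    "string_doubling_loop": lambda js: re.search(
        r'while\s*\(\s*(\w+)\.length\s*<[^)]*\)\s*\1\s*\+=\s*\1', js) is not None,
    # for (...) arr[i] = ...;  fills the heap with copies of the block
    "array_fill_loop": lambda js: re.search(r'for\s*\([^)]*\)\s*\w+\[\w+\]\s*=', js) is not None,
}


def heap_spray_indicators(js):
    """Names of the heuristics that fire on `js`, in HEURISTICS order."""
    return [name for name, check in HEURISTICS.items() if check(js)]


# Constructed samples (placeholder bytes, not a working exploit).
MALICIOUS_JS = (
    'var shellcode = unescape("%u4141%u4141%u4141%u4141");\n'
    'var nop = unescape("%u0c0c%u0c0c");\n'
    'while (nop.length < 0x40000) nop += nop;\n'
    'var heap = new Array();\n'
    'for (var i = 0; i < 500; i++) heap[i] = nop.substring(0, nop.length - shellcode.length) + shellcode;\n'
)
BENIGN_JS = (
    'var items = document.querySelectorAll("li");\n'
    'for (var i = 0; i < items.length; i++) { items[i].className = "done"; }\n'
)
PDF_SAMPLE = (b"%PDF-1.6\n1 0 obj\n<< /Type /Action /S /JavaScript /JS ("
              + MALICIOUS_JS.encode() + b") >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for script in extract_pdf_js(PDF_SAMPLE):
        print("embedded script indicators:", heap_spray_indicators(script))
    print("benign script indicators:", heap_spray_indicators(BENIGN_JS))
```

Treat two or more indicators on one script as enough to quarantine the document for manual analysis; a single hit (for example an array-fill loop on its own) is common in legitimate PDF form scripts.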

Andrea Lelli | 04 May 2010 | 0 comments

We’ve been watching new samples of Trojan.Mebroot in recent weeks, and something unusual has caught our eye. While analysing one of these samples I noticed that the installation phase was different from what we have seen in the past: the main executable injected itself into the standard spoolsv.exe process by registering itself as a print processor, then loaded its driver into the kernel through a two-stage unpacking process.

Wait, haven’t we seen this already? Yes—in Backdoor.Tidserv!

Initially I just thought I was looking at the wrong executable, but after a closer look, the payload definitely looked like Mebroot. It seems that its authors took the installation process from Tidserv, and the similarities are not limited just to that. In the screenshot below, Mebroot is...
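Registering as a print processor is a persistence and injection trick that leaves a registry footprint: each processor is a subkey under `HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\<environment>\Print Processors\`, and its `Driver` value names the DLL the spooler will load. The following is an added audit script, not code from the Mebroot or Tidserv analysis: it reads a `.reg` export of that tree and flags any processor whose DLL is not Windows' built-in `winprint.dll` or whose `Driver` value carries a path. The export text is constructed; the `prnproc01` entry and its DLL location are invented for the example.

```python
# Constructed .reg export. The key paths are the real registry locations;
# the "prnproc01" processor and its DLL path are invented for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors\winprint]
"Driver"="winprint.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint]
"Driver"="winprint.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\prnproc01]
"Driver"="C:\\Windows\\Temp\\prnproc01.dll"
"""

# Windows' own print processor. Legitimate printer drivers may add others;
# anything else is a triage lead, not a verdict.
KNOWN_DRIVERS = {"winprint.dll"}


def parse_print_processors(reg_text):
    """Yield (environment, processor_name, driver) for every Print Processors subkey."""
    marker = "\\Print Processors\\"
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if marker in key:
                env_part, name = key.split(marker, 1)
                current = (env_part.rsplit("\\", 1)[1], name)
        elif current and line.startswith('"Driver"='):
            value = line.split("=", 1)[1].strip().strip('"')
            # .reg exports escape backslashes as "\\"
            yield current[0], current[1], value.replace("\\\\", "\\")


def audit_print_processors(reg_text):
    """Return a list of suspicious processors with the reasons they were flagged."""
    findings = []
    for env, name, driver in parse_print_processors(reg_text):
        reasons = []
        basename = driver.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename not in KNOWN_DRIVERS:
            reasons.append("DLL is not a known print processor")
        if "\\" in driver:
            # Legitimate entries are bare file names resolved inside the
            # print processor directory, not absolute paths.
            reasons.append("Driver value carries a path")
        if reasons:
            findings.append({"environment": env, "name": name,
                             "driver": driver, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_print_processors(SAMPLE_REG):
        print(f"[{finding['environment']}] {finding['name']} -> {finding['driver']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

On a live machine the input comes from `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments" print.reg`, which writes UTF-16 text, so open it with `encoding="utf-16"` before passing it in. Any flagged DLL should be hashed and checked for a valid signature, and the spooler process inspected for the loaded module, since the DLL runs inside spoolsv.exe exactly as the post describes.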