Video Screencast Help
Search Video Help Close Back
to help
New in the Rewards Catalog: Vouchers for "Symantec Technical Specialist" and "Symantec Certified Specialist" exams.

Security Response

Showing posts by Eric Chien remove filter
Showing posts in English remove filter
Duqu: Updated Targeting Information
Eric Chien | 21 Oct 2011 | 0 comments

I wrote Symantec's original blog post describing the discovery of Duqu. In that blog I use the term "industrial control system manufacturers" and (after discussions with a variety of parties) we want to change that term to "industrial industry manufacturers" to more accurately define where Duqu has been found. We already made this change to our paper.

Finding the correct term can sometimes be a challenge. When we first wrote about Stuxnet, we originally used the term SCADA (supervisory control and data acquisition) and quickly discovered the proper term was "industrial control systems". In the computer security industry, we actually have specific definitions of viruses, worms, and trojans, while the general public often refer to any malware as just a virus. (In an unrelated...

Read more
New Symantec Research: The Motivations of Recent Android Malware
Eric Chien | 11 Oct 2011 | 0 comments

For years now, we in the cyber security industry have been saying an explosion of mobile malware is just around the corner. Beginning in earnest this year, we have indeed observed a marked increase in threats targeting mobile devices – particularly the Android platform. However, it’s probably not accurate to say the expected explosion has in fact occurred. The reality is that cybercriminals are still very much in the exploratory phase of figuring out how to monetize the exploitation of mobile devices. This is the topic of Symantec’s latest research. You can read the whitepaper in its entirety here.

Above all else, our analysis highlights how most current efforts to monetize mobile malware have only a low revenue-per-infection ratio. This has severely limited the return on investment achievable by attackers. It also offers detailed insight into the top current mobile malware monetization schemes observed by Symantec,...

Read more
Stuxnet: A Breakthrough
Eric Chien | 12 Nov 2010 | 0 comments

Thanks to some tips from a Dutch Profibus expert who responded to our call for help, we’ve connected a critical piece of the puzzle.

Since our discovery that Stuxnet actually modifies code on PLCs in a potential act of sabotage, we have been unable to determine what the exact purpose of Stuxnet is and what its target was.

However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran.  This is in addition to the previous requirements we discussed of a S7-300 CPU and a CP-342-5 Profibus communications module.

The target system would potentially look something like the diagram below:

...

Read more
Stuxnet: Target Still Unknown
Eric Chien | 03 Nov 2010 | 0 comments

Since we still haven’t had much success in determining the likely target of Stuxnet, we have decided to release at a high level the behavior of the PLC code. However, we suspect this level of detail while interesting probably still is not enough to identify the potential target.  You can find the additional information starting on page 38 of the latest revision of our paper.

Our previous call for verifiable experts in STL coding that have worked in multiple critical infrastructure industries and coded large STL programs for large industrial control systems in those multiple industries was unsuccessful.  If anyone still wishes to help, they can contact me by clicking on my name at the top to send me a private message.  

Originally this revision would have also described in more detail the remaining Task Scheduler privilege escalation vulnerability, but the vulnerability...

Read more
W32.Stuxnet Dossier
Eric Chien | 30 Sep 2010 | 0 comments

We’re pleased to announce that we’ve compiled the results of many weeks of fast-paced analysis of Stuxnet into a white paper entitled the W32.Stuxnet Dossier. On top of finding elements we described in the ongoing Stuxnet summer blog series, you will find all technical details about the threat’s components and data structures, as well as high level information, including:

  • Attack scenario and timeline
  • Infection statistics
  • Malware architecture
  • Description of all the exported routines
  • Injection techniques and anti-AV
  • The RPC component
  • Propagation methods
  • Command and control feature
  • The PLC infector

The paper is scheduled to be delivered at the Virus Bulletin 2010 conference and can be downloaded...

Read more
Two Arrested in Connection with Zeus Botnet Package
Eric Chien | 18 Nov 2009 | 0 comments

Zeus is a botnet package that allows for the easy creation and command and control of a botnet.  We've discussed Zeus previously in Zeus, King of the Underground Crimeware Toolkits. The main purpose of Zeus is to steal online credentials such as online banking passwords, but it can be configured to steal passwords from any online site. 

Today, the BBC is reporting that police in the UK have arrested two suspects in relation to Zeus. While the details are preliminary, the two likely appear to be users of the Zeus botnet package rather than the actual creators, and thus the prevalence and usage of Zeus is likely to continue.

We've created a research paper providing more in-depth information on Zeus, including how the bot is created, what functionality it has, and additional screenshots on...

Read more
PhoneSnoop: Spying on Blackberry Users
Eric Chien | 28 Oct 2009 | 0 comments

A Blackberry application called PhoneSnoop was released recently, which resulted in an advisory from US-CERT. The application allows remote users to listen in on a Blackberry user’s surroundings.   
 
snoop1.png

The application as seen when installed on a Blackberry

The application is actually quite straightforward and uses standard Blackberry APIs that allow the interception of incoming phone calls. When a call is received from a preconfigured phone number, the call is automatically answered and the speakerphone is engaged. Someone who has had this application installed may not notice the incoming phone call and not realize someone can now listen in on the immediate surroundings.

We’d consider this application just a proof of concept for a variety of reasons, including the author himself...

Read more
Anatomy of a SMSishing Attack
Eric Chien | 22 Jul 2009 | 0 comments

SMS phishing (“SMSishing”) occurs when you receive an SMS message that is purportedly sent from a reputable source, such as your bank, asking for personal details. Although SMSishing first started a few years ago, a couple of recent SMSishing attempts directed at some colleagues of mine provided a good opportunity to document the attack.

The attacks start when attackers use automated services that allow sending many SMS messages at once and send messages such as the following:

FRM:3106******@*********.com
MSG:H*****FCU Notice: Please contact us immediately at 6366******

Or:

FRM:F**
SUBJ:Alert
MSG:F****** Alert. Unusual activity - Call now at 1-(888)3**-****

In the above two cases, the bank names and phone numbers are censored, but the messages typically follow the same pattern of specifying a bank and that there is some type of urgent need for you to contact them. When you call the number you...

Read more
Downadup Motivations
Eric Chien | 23 Mar 2009 | 0 comments

As the April 1 payload delivery date nears for W32.Downadup.C (also known as Conficker) speculation continues on whether the payload will be one big April Fool’s joke, or the equivalent of a cyber Pearl Harbor. While we can’t predict the future with certainty, we can look at the motivations of past Downadup variants to postulate that the payload will likely be something between the two extremes.

The first Downadup variant (.A) provides the best evidence of the motivations of the Downadup authors. In a similar fashion to the recent Downadup variant, Downadup.A had a payload delivery date after its initial release, on December 1, 2008. Downadup.A attempted to download its payload file from hxxp://trafficconverter.biz/4vir/antispyware/loadadv.exe. While Downadup.A was never able to download its payload because the payload site was shut down, the...

Read more
Downadup: Locking Itself Out
Eric Chien | 18 Feb 2009 | 0 comments

Editor’s Note: This is the seventh installment of a multi-part series on specific and interesting aspects of W32.Downadup.


While Downadup’s RPC exploit method of spreading has been highlighted in several recently posted blog articles, the worm spreads via other methods as well. One of the potentially more noticeable methods is through network shares, especially in enterprise environments.

Downadup attempts to copy itself to other machines using the administrative network share (ADMIN$) that exists by default on Microsoft Windows machines. However, copying itself to the share requires authentication. This requirement leads to some...

Read more

Technical Support

Symantec.com

Store

Community Stats

Total Content Items
Members
258,898