Video Screencast Help
Search Video Help Close Back
to help
New in the Rewards Catalog: Vouchers for "Symantec Technical Specialist" and "Symantec Certified Specialist" exams.

Security Response

Showing posts by Gavin O Gorman remove filter
Showing posts in English remove filter
Backdoor.R2D2: The Long Arm of the Law?
Gavin O Gorman | 09 Oct 2011 | 0 comments

On October 9th a German hacker group going by the name of the Chaos Computer Club (CCC) published an analysis of what they claim to be government spying software. The analysis is a 20 page PDF file describing how the software works. In addition, CCC made available a copy of the software on their website in the form of a .dll file and a .sys file (driver file). The CCC has not offered any proof of their claims that these are government affiliated samples.

Symantec has performed an initial analysis on the samples and has confirmed much of the functionality as described in the CCC document. The samples are malware--which Symantec detects as Backdoor.R2D2--that opens a back door allowing a remote attacker to access the compromised computer.

The back door .dll file, mfc42ul.dll, monitors chat and VOIP applications and is able to intercept status changes in the software, such as an incoming or outgoing call. It...

Read more
Xpaj Botnet Intercepts up to 87 Million Searches per Year
Gavin O Gorman | 26 Aug 2011 | 0 comments

W32.Xpaj.B is one of the most complex and sophisticated file infectors Symantec has encountered. In an older blog post, Piotr Krysiuk calls it an “upper crust file infector.” He describes several different approaches that the infector uses to increase the difficulty in detecting infected samples. The techniques W32.Xpaj.B uses to conceal itself within an executable are far beyond the norm. Given this level of complexity, it was decided to analyze the threat in detail.

The analysis revealed IP addresses for the command & control (C&C) servers. Infected W32.Xpaj.B executables send a download request to these C&C servers. Analysis of the threat’s backend control infrastructure...

Read more
Super Mario brought to you by... Slice Factory?
Gavin O Gorman | 31 May 2011 | 0 comments

There has been some recent online discussion about games from the Chrome Web Store requesting excessive permissions. These games are extensions for Google Chrome. To access various aspects of Chrome, certain permissions are required; for example, to allow access to the Bookmark manager to update bookmarks. The “Super Mario 2” app is offered by the developer “chromitude”, which is associated with Slice Factory, a company that develops services and browser extensions to remix Web data. The extension requests permissions which seem excessive for simply playing a game. These permissions are:

·         Access to bookmarks

·          Notification of  new tabs being created

·         Access to all URLs

To determine why these permissions are required for the game and what the extension...

Read more
Rampant Ransomware
Gavin O Gorman | 13 Jan 2011 | 0 comments

Contemporary viruses are written to make money. They achieve this through extortion, information theft, and fraud. Threats that use extortion can be some of the most aggressive and, in some cases, offensive viruses encountered. These viruses are generally referred to as ransomware. This blog discusses some of the nastiest variants that have been encountered so far.

In your face!
Whilst by its nature ransomware is not subtle, certain variants are very obvious in their approach. They use a combination of shock and embarrassment in order to extort money from people. The most recent example of this is Trojan.Ransomlock.F. The Trojan.Ransomlock family is a particular type of ransomware, which locks a user’s desktop. Once the desktop has been locked, it is then no longer possible to use the computer as normal. To restore access to the desktop, one typically...

Read more
Catching Flies with Honey
Gavin O Gorman | 30 Aug 2010 | 0 comments

Symantec often utilizes honeypots to acquire new samples and observe attacks in the wild. Many threats encountered on honeypots are related to botnets. However, on a rare occasion a honeypot may encounter a targeted attack. In these cases the attacker is after a specific entity, be it a person, corporation, government, or any other such body. When a computer is compromised by such a threat, the behavior can be similar to a bot, connecting to a command and control (C&C) server and awaiting commands. However, the commands received are usually not generic. They are interactive, with the attacker seeking some specific information in real-time.

 We recently encountered one of many such targeted threats on a basic honeypot and logged the activity. The attack was quite straightforward and did not utilize any new techniques. Nonetheless it is a good example of the processes such attackers use. This particular threat was targeting a corporate entity, using a tailored PDF...

Read more
Google Groups Trojan
Gavin O Gorman | 11 Sep 2009 | 0 comments

Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. Recent developments have included the utilization of Web 2.0 social networking websites to deliver commands. By integrating C&C messages into valid communications, it becomes increasingly difficult to identify and shut down such sources. It's a concept very similar to that of chaffing and winnowing. Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups is relatively common, but this is the first instance of newsgroup C&C usage that Symantec has detected....

Read more

Technical Support

Symantec.com

Store

Community Stats

Total Content Items
Members
258,921