
Security Response

Showing posts by Gilou Tenebro
Gilou Tenebro | 14 Oct 2009 | 0 comments

Trojan.Bredolab is a threat that has been distributed widely and consistently this year. This research paper takes a closer look at the Trojan to discover how it works, why it’s so widespread, and the motivations behind it.

In short, Bredolab is distributed by spam emails and drive-by-download attacks. (In fact, last month we blogged about a wave of spam emails used to distribute it.) Once it’s on a computer, Bredolab downloads and installs a variety of other threats. This process is outlined in the following diagram.
[Diagram: Bredolab distribution and payload-installation process]

We have seen Bredolab downloading password stealers, bots, rootkits, backdoors,...

Gilou Tenebro | 01 Sep 2009 | 0 comments

Over the past few weeks a series of blog entries were published about W32.Waledac:

Waledac – an Overview

Waledac, Part 2: Its Bootstraps and Armor

Waledac, Part 3: A Spammer, Downloader, and Infostealer – Among Other Things

If you are interested you can download a Waledac paper, posted here, which presents information on Waledac’s functionalities, possible origins, spam campaigns, and protection mechanisms. There is also more detail on Waledac’s communication protocol and task messages. The paper is based on a blog series and a threat...

Gilou Tenebro | 24 Aug 2009 | 0 comments

In my previous post, I covered Waledac’s bootstrap mechanisms, armoring methods, and some parts of its communication protocol. Today, I will continue to discuss its communication protocol and how it implements its main functionalities through command-and-control (C&C) messages. I will describe its various tasks and commands, how it downloads components or updates, how it constructs its spam, and lastly how it acts as an infostealer.


Types of task messages

As I mentioned last time, W32.Waledac currently uses nine types of task messages. These messages are mainly used by the malware to distribute spam templates or word lists for its spam campaigns, to send...

Gilou Tenebro | 14 Aug 2009 | 0 comments

In a previous post I provided an overview of W32.Waledac’s functionalities, tactics, origin, and connections. This time, I will discuss more on the bootstrap mechanisms and armoring techniques used by Waledac in order to sustain and protect itself.


Installation

When a Waledac executable is installed, it turns the compromised system into a zombie and acts as an agent for the botnet. It creates a window named fhfhkjfhwefkwj and registers itself with a class name jfkljfilfj23fi32io. As a self-starting mechanism, it also adds one of the following entries to the registry so that it runs whenever Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[PATH TO EXECUTABLE]"

Or:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[...

Gilou Tenebro | 20 Jul 2009 | 0 comments

A few weeks ago, while most people were busy preparing for 4th of July celebrations and looking forward to a long weekend, W32.Waledac launched a new spam campaign. The links in the spam emails led to a website claiming to contain a fireworks video. We have previously seen this malware use popular holidays such as Christmas and Valentine’s Day, so it is not really surprising that it would use Independence Day as well. A screenshot of the 4th of July Waledac website is shown below:


Figure 1. Screenshot of W32.Waledac's 4th of July website

In this blog post I will give an overview of...

Gilou Tenebro | 03 Jul 2009 | 0 comments

W32.Waledac has launched a new spam campaign using a 4th of July theme. Below are some screenshots of sample spam emails with the new theme.


If the unsuspecting user clicks the link in the email, they will be directed to a Web page similar to the following:


The page claims to contain a video of a fireworks show for this year’s 4th of July celebration. However, clicking on the "video" actually leads to a W32.Waledac executable. Watch out for spam containing any of the following strings in...