
Security Response

Hon Lau | 23 Aug 2011 | 0 comments

Technical analysis: Poul Jensen, Illustrations: Ben Nahorney

It is a given that many malicious software threats seen today will download additional software components to perform various activities. With the transition from malware for fun to profit-driven malware and the connected nature of the computer-using population, it is not unusual to see malware threats download other files onto the compromised computers. While there is much public discussion lately about advanced persistent threats (APT) that also make use of software-downloading techniques to augment their capabilities, there are also other malware threats doing the rounds that are not so concerned about industrial espionage and issues of national security. Perhaps it is because the likes of Trojan.Badlib do not necessarily target these types of high-value information that they may be considered of lesser...

Hon Lau | 08 Aug 2011 | 0 comments

A Master Boot Record (MBR) is an area of the hard disk (usually the first sector) used by a computer to perform start up operations. It is one of the first things to be read and executed by the computer hardware when a computer is powered on, even before the operating system itself. As far as trying to get access to the hardware first, you can’t really beat the MBR for that, with the exception of hardware ROM (BIOS) itself.

MBR infections offer great scope for deep infection and control of computers, which makes the idea attractive to malware creators. Contemporary MBR infection methods are a fairly complex affair, beyond the reach of most malware creators and realistically only attempted by more highly skilled individuals. This is probably one reason why after the creators of Trojan.Mebroot rediscovered the...

Hon Lau | 04 Aug 2011 | 0 comments

McAfee published an interesting report yesterday about what they called Operation Shady RAT, focusing on a series of what some may call “advanced persistent threat” attacks. The attacks were dubbed in some quarters as “one of the largest series of cyber attacks ever.” While quite a bit of data was presented regarding the potential scale of these attacks, details on the threats and how the attacks were staged were somewhat limited.

Based on the information we managed to glean from the report and our own intelligence sources, we have identified the initial attack vectors, the threats used and how the attack was staged. In addition to all this, we have also uncovered what appears to be the same information source about the victims of the attacks that was used by McAfee as the basis of their report. This information is freely available on the attackers’...

Hon Lau | 03 Jun 2011 | 0 comments

W32.Qakbot is a pretty serious piece of malware that’s been doing the rounds since mid-2009. It is one of a family of threats that are consistently causing trouble, constantly being updated whenever new attack techniques or developments arise.

The threat itself spreads through a number of methods; in particular, we have seen it being spread from various websites using old vulnerabilities. Once inside a network, it employs other methods to propagate itself to other computers within the network, such as copying itself to removable drives. Qakbot is notorious for stealing information: it collects a wide range of data from infected computers and then uploads it to various FTP accounts.

We recently published a...

Hon Lau | 31 May 2011 | 0 comments

It seems there is no let up in the recent spate of Mac malware. A few days ago, another group of domains were registered and are being used to support a fake antivirus campaign that not only targets Mac, but also Windows users.

A series of sites were all registered by a Lee Juango who gives an address in "Pekin". However, the Web sites are hosted in Romania. The interesting thing is that these sites look almost exactly the same, with slight text changes depending on whether the target is a Mac or a PC.

On the Mac domains, you will get a file called "macprotector.zip" (MacProtector). On the page for Windows, you get a file named “install.exe” (detected as Trojan.Gen/Trojan.FakeAV!gen39). This is actually a copy of...

Hon Lau | 01 Mar 2011 | 0 comments

Banking Trojans are nothing new. They have been around for many years, considering detections such as the Infostealer.Bancos family date back to 2003. As more and more people moved to perform banking transactions online, online banking became a huge and lucrative target for would-be criminals to exploit.

Traditionally, banking Trojans typically just captured data traffic exchanged between the user and the online banking website. The captured information included the authentication information, which is collected and sent to the attacker by the Trojan for their own use or to sell on to other parties for a profit. For as long as there have been banking Trojans, there has been a cat-and-mouse game between the banks and the criminals, as each side responds to the other’s moves to thwart its actions. More sophisticated banking Trojans employ a man-in-the-browser (MITB) method...

Hon Lau | 07 Dec 2010 | 0 comments

We have become familiar enough with malware creators poisoning popular search engine terms through SEO techniques in order to deliver their malicious files to a greater pool of unsuspecting users. Other popular services such as Twitter have not escaped the watchful eyes of the miscreants. This attack involves pumping out many of the same tweets from different accounts to push them into the Twitter trending list. That way more people are likely to see them, even if the individual user accounts being used to send the tweets don't have that many followers. Incidentally, many of the accounts used in this attack don't have that many followers and are quite fresh, meaning they are probably fake accounts set up specifically for the purpose of spamming tweets.

To carry out this kind of attack, the miscreants are clearly following a tried-and-tested recipe, borrowed from SEO-based attacks and tweaked...

Hon Lau | 30 Nov 2010 | 0 comments

We have observed a change of tack by the creators of fake antivirus software (like Trojan.FakeAV). Since the latter parts of October, we have seen a move into the creation of fake hard disk scanners and defragmentation tools. What started as a trickle has now become a steady outpouring, with new clones being released almost daily.

So far we have seen the following names being used by the clones (all detected by Symantec as Trojan.FakeAV, UltraDefragger, or Trojan.FakeAV!gen28):

· Ultra Defragger
· Smart Defragmenter
· ...

Hon Lau | 26 Oct 2010 | 0 comments

Things are starting to get a little tougher in the botnet world. This year we have witnessed many shutdowns of major botnets and their owners arrested. We have also seen money mules arrested and, more importantly, arrests of the creators of the Trojan creation kits (Mariposa Butterfly toolkit). Clearly everybody in the botnet food chain is beginning to feel pressure these days and, as in any business, tough times often trigger the consolidation of operators in the competitive landscape. According to an interesting report by Brian Krebs a couple of days ago, the Zeus (Zbot) toolkit creator has left (or perhaps sold) his business and the creators of the SpyEye toolkit have now...

Hon Lau | 24 Jun 2010 | 0 comments

We have recently seen some instances of spam email hitting our spam traps with a story about the Brazilian soccer coach Dunga, who was given a black eye by an angry fan last Sunday. The spam email has the following characteristics:

Subject: Tecnico Dunga e agredido por Torcedor.

Email body: (Translated)

Dunga trading punches with fans, and ends with black eye. The coach of Brazilian national team, Dunga, was hit on Sunday morning by a fan who was angry about not having called Ronaldinho Gaucho and Paul Henry Goose. It happened around 10:00 am yesterday in CT training in Johannesburg in South Africa, Dunga filed a complaint with the police but the accused managed to escape.

>> Watch the video released

The link redirects to:
redyr....