Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Nicolas Falliere | 23 Aug 2007 07:00:00 GMT | 0 comments

The latest variants of Peacomm, detected as Trojan.Peacomm.C (or proactively, as the usual Trojan.Packed.13), have introduced some interesting changes in the way they infect a machine.

As was written in a previous blog entry ,Peacomm spam entices users to visit a Web page containing a link to afile applet.exe. This Web page also embeds an obfuscated JavaScriptroutine that tries to exploit a Windows Media Player vulnerability, incase the user decided – very wisely – not to download and run the socalled “Secure Login Applet”. If the vulnerability is exploitedsuccessfully, a small file will be downloaded on the compromisedmachine, which will in turn download applet.exe. Both files aredetected as Trojan.Packed.13.


Ken Gonzalez | 23 Aug 2007 07:00:00 GMT | 0 comments

Over the past twenty-some years, ITIL® (IT Infrastructure Library) has gone from just another good idea to the development of a major movement within the IT universe. The version that most people know today as ITIL (often referred to as ITIL v2), is defined within the two Office of Government Commerce (OGC, U.K.) publications – Service Delivery (the “Red book”) and Service Support (the “Blue book”). In these publications the 10 core ITIL processes and Service Desk functions are described in (more or less) self-contained blocks. In this world, things were relatively simple. Process areas roughly mapped on to how many organizations could structure their job roles and thus make parts of the framework operational relatively quickly. As a result, many organizations adopted ITIL as their framework of choice and in a very real...

Nicolas Falliere | 22 Aug 2007 07:00:00 GMT | 0 comments

Trojan.Packed.13,or TP13 as we call it internally, is associated with some of the mostwidespread malware in 2007. Though its heuristic detection may beobscure, its related threats are now well-known: Trojan.Mespam,Trojan.Galapoper, and more importantly, the infamous Trojan.Peacommfamily of P2P malware.

Simply put, it consists of a set of heuristics to detect Trojansprotected with an unknown packer. We didn’t have a name, so we gave itthe number 13… Bad luck, perhaps, either for us or its authors.

This packer has several features that differentiate it from others.It is widespread, very frequently updated, and uses originalanti-emulation tricks to fool anti-virus software detections (such asdummy loops calling obscure Windows APIs). The packer is not publiclyavailable and we analyze it indirectly through threats that use it.Malicious files are usually repacked...

Yazan Gable | 22 Aug 2007 07:00:00 GMT | 0 comments

Code Red, Nimda, and Slammer (also known as SQL Slammer) are three of the most well known computer worms in the relatively short history of computers. Well known not because of their creatively selected names, but because of the massive impact they had on a widely used Internet. They weren’t the first worms to threaten the fabric of the Internet, but they hit at a time when the Internet was becoming very popular. It was a time when it was beginning to be widely used not only by governments and educational institutions, but also by people, corporations and non-profit organizations alike for communications and business.

Everyone who commonly used a computer when these malicious worms hit the Internet will remember them. Not only did they take down a number of government, corporate, and educational networks, but some of those not directly affected voluntarily shut down their networks as a precaution. But how were these things so effective and wide-ranging? How...

Hon Lau | 21 Aug 2007 07:00:00 GMT | 0 comments

Ever since the first Trojan.Peacomm, samples literally blew in from nowhere back in January 2007.Since then, the gang responsible have been constantly evolving theirTrojan with new features, new packers, and new techniques for spreadingit.

The thing that can be noted about the Peacomm gang is that they arevery much adept at the art of social engineering. The original Trojanwas propagated widely on the back of a story about a violent storm thatblew across Europe and hence the moniker. Since then the gang behindthe Trojan have explored all different manners of social engineeringavenues and subjects.

In particular they had a knack for latching on to the latestnews-worthy events and capitalizing on the public interest in them...

Vikram Thakur | 21 Aug 2007 07:00:00 GMT | 0 comments

We recently analyzed a sample of Infostealer.Monstres, and our colleague Amado posted an interesting entrywith some details of its actions. As the analysis of this threatcontinued, new details emerged. We've been able to acquire some emailtemplates that the Trojan may use to send targeted spam to individuals,using stolen personal information.

The templates acquired all point to the same position. The job isthat of a 'Transfer Manager' at an investment company. The jobdescription states that the position would entail facilitatingfinancial transactions made by the clients of the investment company.The email looks very realistic and may convince many that it has beensent from or

Here are some of the email...

Liam O Murchu | 20 Aug 2007 07:00:00 GMT | 0 comments

It’s the universal come back. No matter what insult is thrown your way, you can always escape just by saying “your momma” *.So I had to laugh when we received a variant of an MSN worm thatentices would be victims with “lol, your mom just sent me thispicture?” Even funnier was the fact that the bot operator infectedhimself with his own worm.

This variant of the worm has been named W32.Scrimge.E. The worm isn’t restricted to just the one question, either, offering up any one of these goodies:

- Did you take this picture?
- Is that you on the left?
- How drunk was I in this picture?
- Is that your mom in this picture?
- lol, your mom just sent me this picture?

It was “your mom,” however, that...

Shunichi Imano | 18 Aug 2007 07:00:00 GMT | 0 comments

We have in the past repeatedly warned thatfree things on the internet do not always come cost free. And today, wehave to make a kind reminder as we came across a new example.

Security Response received a file with a .tgz file extension, whichexploits a new unknown vulnerability in a free Japanese decompress tool"Lhaz v1.33". The file is detected as Trojan.Lazdropper.

After a successful exploit attempt, Trojan.Lazdropper drops two files, both detected as Backdoor.Trojan,onto the infected computer. As Backdoor.Trojan opens a back door tocommunicate with the author for further actions, it is obvious thatpurpose behind...

Amado Hidalgo | 17 Aug 2007 07:00:00 GMT | 0 comments

Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres,which was attempting to access the online recruitment Web site, It was also uploading data to a remote server. When weaccessed this remote server, we found over 1.6 million entries withpersonal information belonging to several hundred thousand people. Wewere very surprised that this low profile Trojan could have attacked somany people, so we decided to investigate how the data could have beenobtained.

Interestingly, only connections to the subdomains were being made. These subdomainsbelong to the “Monster for employers” only site, the section used byrecruiters and human resources personnel to search for potentialcandidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view information on...

Peter Ferrie | 17 Aug 2007 07:00:00 GMT | 0 comments

After the success of the W97.Melissa virus in 1999, mass-mailing became the next big thing in viruses. This trend continues even today. Different methods have been tried over the time, but they fall mainly into two categories: exploits and social engineering.

Perhaps the most successful example of social engineering came on May 4, 2000 when VBS.LoveLetter called inboxes everywhere just to say “ILOVEYOU". At that time, curiosity easily outweighed security, especially with such a provocative subject line. Many people opened the email and then clicked on the attachment named "LOVE-LETTER-FOR-YOU.TXT[.vbs]" (the .vbs part being hidden by default on many systems). The resulting mess spread across the world during that same day, and...