Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Nicolas Falliere | 22 Aug 2007 07:00:00 GMT | 0 comments

Trojan.Packed.13,or TP13 as we call it internally, is associated with some of the mostwidespread malware in 2007. Though its heuristic detection may beobscure, its related threats are now well-known: Trojan.Mespam,Trojan.Galapoper, and more importantly, the infamous Trojan.Peacommfamily of P2P malware.

Simply put, it consists of a set of heuristics to detect Trojansprotected with an unknown packer. We didn’t have a name, so we gave itthe number 13… Bad luck, perhaps, either for us or its authors.

This packer has several features that differentiate it from others.It is widespread, very frequently updated, and uses originalanti-emulation tricks to fool anti-virus software detections (such asdummy loops calling obscure Windows APIs). The packer is not publiclyavailable and we analyze it indirectly through threats that use it.Malicious files are usually repacked...

Yazan Gable | 22 Aug 2007 07:00:00 GMT | 0 comments

Code Red, Nimda, and Slammer (also known as SQL Slammer) are three of the most well known computer worms in the relatively short history of computers. Well known not because of their creatively selected names, but because of the massive impact they had on a widely used Internet. They weren’t the first worms to threaten the fabric of the Internet, but they hit at a time when the Internet was becoming very popular. It was a time when it was beginning to be widely used not only by governments and educational institutions, but also by people, corporations and non-profit organizations alike for communications and business.

Everyone who commonly used a computer when these malicious worms hit the Internet will remember them. Not only did they take down a number of government, corporate, and educational networks, but some of those not directly affected voluntarily shut down their networks as a precaution. But how were these things so effective and wide-ranging? How...

Hon Lau | 21 Aug 2007 07:00:00 GMT | 0 comments

Ever since the first Trojan.Peacomm, samples literally blew in from nowhere back in January 2007.Since then, the gang responsible have been constantly evolving theirTrojan with new features, new packers, and new techniques for spreadingit.

The thing that can be noted about the Peacomm gang is that they arevery much adept at the art of social engineering. The original Trojanwas propagated widely on the back of a story about a violent storm thatblew across Europe and hence the moniker. Since then the gang behindthe Trojan have explored all different manners of social engineeringavenues and subjects.

In particular they had a knack for latching on to the latestnews-worthy events and capitalizing on the public interest in them...

Vikram Thakur | 21 Aug 2007 07:00:00 GMT | 0 comments

We recently analyzed a sample of Infostealer.Monstres, and our colleague Amado posted an interesting entrywith some details of its actions. As the analysis of this threatcontinued, new details emerged. We've been able to acquire some emailtemplates that the Trojan may use to send targeted spam to individuals,using stolen personal information.

The templates acquired all point to the same position. The job isthat of a 'Transfer Manager' at an investment company. The jobdescription states that the position would entail facilitatingfinancial transactions made by the clients of the investment company.The email looks very realistic and may convince many that it has beensent from Monster.com or Careerbuilder.com.

Here are some of the email...

Liam O Murchu | 20 Aug 2007 07:00:00 GMT | 0 comments

It’s the universal come back. No matter what insult is thrown your way, you can always escape just by saying “your momma” *.So I had to laugh when we received a variant of an MSN worm thatentices would be victims with “lol, your mom just sent me thispicture?” Even funnier was the fact that the bot operator infectedhimself with his own worm.

This variant of the worm has been named W32.Scrimge.E. The worm isn’t restricted to just the one question, either, offering up any one of these goodies:


- Did you take this picture?
- Is that you on the left?
- How drunk was I in this picture?
- Is that your mom in this picture?
- lol, your mom just sent me this picture?


It was “your mom,” however, that...

Shunichi Imano | 18 Aug 2007 07:00:00 GMT | 0 comments

We have in the past repeatedly warned thatfree things on the internet do not always come cost free. And today, wehave to make a kind reminder as we came across a new example.

Security Response received a file with a .tgz file extension, whichexploits a new unknown vulnerability in a free Japanese decompress tool"Lhaz v1.33". The file is detected as Trojan.Lazdropper.

After a successful exploit attempt, Trojan.Lazdropper drops two files, both detected as Backdoor.Trojan,onto the infected computer. As Backdoor.Trojan opens a back door tocommunicate with the author for further actions, it is obvious thatpurpose behind...

Amado Hidalgo | 17 Aug 2007 07:00:00 GMT | 0 comments

Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres,which was attempting to access the online recruitment Web site,Monster.com. It was also uploading data to a remote server. When weaccessed this remote server, we found over 1.6 million entries withpersonal information belonging to several hundred thousand people. Wewere very surprised that this low profile Trojan could have attacked somany people, so we decided to investigate how the data could have beenobtained.

Interestingly, only connections to the hiring.monster.com andrecruiter.monster.com subdomains were being made. These subdomainsbelong to the “Monster for employers” only site, the section used byrecruiters and human resources personnel to search for potentialcandidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view information on...

Peter Ferrie | 17 Aug 2007 07:00:00 GMT | 0 comments

After the success of the W97.Melissa virus in 1999, mass-mailing became the next big thing in viruses. This trend continues even today. Different methods have been tried over the time, but they fall mainly into two categories: exploits and social engineering.

Perhaps the most successful example of social engineering came on May 4, 2000 when VBS.LoveLetter called inboxes everywhere just to say “ILOVEYOU". At that time, curiosity easily outweighed security, especially with such a provocative subject line. Many people opened the email and then clicked on the attachment named "LOVE-LETTER-FOR-YOU.TXT[.vbs]" (the .vbs part being hidden by default on many systems). The resulting mess spread across the world during that same day, and...

Parveen Vashishtha | 16 Aug 2007 07:00:00 GMT | 0 comments

In our previous analysis we discussed ‘What is Mpack and how it works.’ We had reviewed MPackversion 0.84 in our previous blog; this time we will compare it with an updated version, MPack v 0.91.

1. The exploits include the existing ones present in v0.84. The list of exploits is present at the end of this blog.

2. There have been some changes to the management and reporting interface. A new file, admin.php, is introduced and stats.php has been removed.

The developers of the toolkit have provided admin.php for secure control and configuration of the Mpack installation. The Mpack owner can set username and password protection by using settings.php. There have been changes in the user interface, cosmetic changes such as better styles used to view, and a copyright logo: (c) 2007 DreamCoders– Logo.

MPack...

Candid Wueest | 16 Aug 2007 07:00:00 GMT | 0 comments

Well, we all know that playing games can influence your real life,even if it’s just the lack of sleep you get from spending whole nightsplaying online games. But there’s more to it. There are several crucialpoints that have to be considered when running around virtual fieldswith your character. Unfortunately, as in life, some people don't playby the rules.

Sometimes those virtual worlds are not as peaceful as one mightthink or hope. You, or more precisely your avatar, might getblackmailed for protection money or bullied by others. Destruction ofvirtual goods can happen if you don’t pay. The discovery of weapons ofmass destruction in Second Life confirms this point. (Yes, they doexist; search for “Jessie Massacre” if you don’t believe it.)

But, there are other entrapments to watch out for. We already reported on gold farming and the problem with in-game spam in a...