Security Response

Robert Keith | February 9th, 2010
Hello and welcome to this month’s blog on the Microsoft patch releases. This is a busy month—the vendor is releasing 13 bulletins covering a total of 26 vulnerabilities. Eight of the issues are rated “Critical” and affect SMB Server, SMB Client, Windows, and the Data Analyzer ActiveX control. An attacker could exploit the SMB Server issues remotely to gain complete control of an affected computer. However, to exploit the SMB Client issues to compromise a computer, the attacker must first entice a victim to connect to a malicious server. The remaining issues, rated “Important” and “Moderate,” affect SMB Server, Windows, Windows Kernel, Office, PowerPoint, and Paint. Although the kernel issues are rated only “Important” by Microsoft, we consider them to be a high security risk because exploit code already exists for one of the issues. As always, customers are advised to follow these security best practices:
- Install vendor patches as soon as they are available.
- Run all software...
Mayur Kulkarni | February 5th, 2010
It’s almost like the age-old marketing strategy: put up a sale and offer huge discounts to draw customers. But, while doing so, retailers will make sure to use the “limited time offer” tactic. There is cause for worry, because spammers are following suit. The spammers mislead recipients with false news that a law (the “Internet Pharmaceutical Law”) will take effect in a few days. After the so-called law is in place, it is purported that medicines that require a prescription won’t be available online without a doctor’s consent. Therefore, users are told that they should immediately place a pharmaceutical order using the provided website. With respect to the marketing strategy, spammers are creating an imaginary situation to hustle panicky recipients into buying medicines from their websites. A sample message: Symantec has already observed similar spam attacks adopting the same deadline game. As shown below in the sample image, the...
.peter | February 5th, 2010
Our security research centers around the world provide unparalleled analysis of and protection from malware, security risks, vulnerabilities, and spam.
Peter Coogan | February 4th, 2010
The Zeus crimeware toolkit has been around now for a while and has grown over time to be the most established crimeware toolkit in the underground economy. In late December 2009 a new crimeware toolkit emanating from Russia—known as SpyEye V1.0—started to appear for sale on Russian underground forums. Retailing at $500, it is looking to take a chunk of the Zeus crimeware toolkit market. Symantec detects this threat as Trojan.Spyeye. Since it is relatively new, we are not seeing a lot of SpyEye activity yet. However, given some time and the observed rate of development for this crimeware toolkit, SpyEye could be a future contender for king of the crimeware toolkits.

The SpyEye toolkit is similar to Zeus in a lot of ways. It contains a builder module for creating the Trojan bot executable with config file and a Web control panel for command and control (C&C) of a bot net. Some of the advertised features online are:...
Livian Ge | February 3rd, 2010
Trojan.Hydraq is a Trojan that spreads by exploiting a remote code execution vulnerability in Internet Explorer (CVE-2010-0249, commonly known as “Aurora”) and a remote code execution vulnerability in Adobe Acrobat Reader and Flash Player (CVE-2009-1862). The Trojan opens a back door on the compromised computer to perform the following actions: adjust privileges; inspect and control system processes and services; download the file mdm.exe to %Temp%\ and execute it; modify the system registry and delete system logs; steal computer information including the IP address, computer name, and hardware details. The Trojan also includes a component based on VNC (Virtual Network Computing) code, which allows the attacker to view the compromised computer’s desktop in real time as a video feed. It also communicates with sites such as yahooo.8[removed]6.org and sl1.h[removed]elinux.org, retrieving commands from them and executing them.

Trojan.Hydraq is spread mainly by sending targets email that carries a malicious document attachment or a malicious URL. If the user opens the document with the corresponding application or clicks the link, the Trojan attacks the computer. We therefore advise users not to open email attachments of unknown origin or click unfamiliar links in them, to install patches for applications and the operating system promptly and keep them at the latest version, and to update your Symantec security software promptly to keep your computer out of reach of this threat.
Mathew Maniyara | February 3rd, 2010
Symantec has observed a new trend in phishing in which the phishing Web page contains pornographic content. The phishing site states that the end user can obtain free pornography after logging in or signing up. These offers tempt users into entering their credentials in the hopes of obtaining pornography. The attackers use several offers of pornography as bait. Some of the offers are adult chat, social networking with adult personals for sexual favors, blogs with free pornography, and so on. The screenshot below is an example of a phishing website using a leading information services brand. The site states that they provide email alerts for sex parties: In January, new phishing attacks such as the above example continued to be observed abusing legitimate brands. The phishing pages were created using free Web hosting sites. Upon entering login credentials, the site redirects to a pornographic website that then leads to a fake antivirus website containing malicious code. To learn more...
Con Mallon | February 3rd, 2010
Well, it looks that way. We are only just into the second month of 2010 and yet we can now see, in prospect, a whole new raft of innovation coming our way. At CES a lot of the attention was with respect to eBook readers and new slate/tablet based PCs. These new devices are squarely focused on digital content. The success of Amazon and Apple in the digital content arena clearly shows that there is a big market for digital content and that money can be made as a result. We have seen a lot of activity in the eBook reader market, with many companies starting to launch products. Amazon, with the Kindle, has very much been the vanguard of showing how this can all come together.   CES also witnessed a range of announcements with respect to tablet computers. We saw products from HP, Lenovo (interesting cross-over laptop/tablet device), Sony, Archos, etc. Many of these products will start to come to market mid-point this year. Some people commented that these CES announcements were a pre-...
Liam O Murchu | February 2nd, 2010
While analyzing W32.Zimuse recently I was surprised to find two different passwords used within the threat: one of these decrypts a Word document that contains information about some members of a Slovakian motorbike forum. In order to spread via USB drives, W32.Zimuse copies the file zipsetup.exe to removable drives. If zipsetup.exe is run with no parameters it shows the following message box: The zipsetup.exe dialog box. This is not a real WinZip dialog box, just a password box made to look like the WinZip message box. The user has 10 chances to enter the correct password, after which the application will close. Entering "2008_15_12" (without quotes) decrypts a Word document named zoznam.doc: Decrypted Word document. The document is written in Slovakian. Using an online translator, the first two lines translated to: We found on the internet: (for the purpose of investigation and monitoring provide administrators these urls : [URL REMOVED] and [URL REMOVED], these...
Éamonn Young | January 29th, 2010
Backdoor.Tidserv.K Often when a Trojan arrives on a computer, it saves itself to a specific location. It can save itself on the C: drive, the D: drive, or even somewhere more unusual; for example, in a location with a folder name that it has created itself using random characters. It may then go on to create or modify certain registry entries. It can do this so that it can execute every time your computer starts. Threats may also modify existing registry entries in order to perform devious tasks, such as lowering security settings on the computer by disabling firewalls and antivirus software. At any rate it is typical for a threat to leave some trace of itself on the computer, which makes it possible to identify that the threat exists. Having said that, some threats may use a rootkit to hide their presence on a computer, thus making them more difficult to locate. Recently, however, we detected a threat (Backdoor.Tidserv.K) that performs something of a vanishing act! After arriving on...
Patrick Fitzgerald | January 29th, 2010
If you have been following this series on Trojan.Hydraq over the last week you may have noticed that the blog entries have been, well, boring. Because of its profile in the media, and the varying assessments of both the threat posed by Trojan.Hydraq and its complexity, we decided to present the facts of the threat. Threats make their way into mainstream media for various reasons. Sometimes it’s the effectiveness of a threat or the elegance associated with a particular approach taken by a piece of malware. Some use near impenetrable packers to make analysis extremely difficult and some have novel approaches to make the malware more robust and harder to take down. 2010 saw Trojan.Hydraq hit the media. This incident was dubbed “Operation Aurora”. In case there is still any confusion at this stage, the malware used in the Aurora attack is Trojan.Hydraq. Trojan.Hydraq has been hailed as unique and also as the most sophisticated malware ever seen in the commercial space. This is...
Parveen Vashishtha | January 28th, 2010
The use of search engines to deliver malware is well known. Previously we reported that attackers were using Google-sponsored search results to promote malicious websites. Instead of using techniques such as search engine optimization (SEO) poisoning to get the optimum listing in the search engine results, attackers recently managed to compromise well known site autonagar.com, which is promoted by Google’s sponsored links. Interestingly, up until late last week, autonagar.com was hosting malicious exploits and was blacklisted by Google SafeBrowse. However, at the time of posting this blog the malicious code has been removed from autonagar.com and Google is no longer blocking it. In this specific example, users who rely on Google’s sponsored links run the risk of their computers being infected. For example, when a user searches for “sell car online” or “buy bike,” Google-sponsored links might display one particular download link for AutoNagar.com....
Patrick Fitzgerald | January 28th, 2010
At this stage we’ve looked at several features of Hydraq, including its obfuscation techniques and how it remains on an infected system. So, what control does the attacker have over a compromised system?

Backdoor Functionality

The ThreatExpert blog on Hydraq provides a comprehensive list of the features of this backdoor. The full article can be found here. The following list summarizes what this backdoor is capable of:
• Adjust token privileges.
• Check status of, control, and end processes and services.
• Download a remote file, save it as %Temp%\mdm.exe, and then execute it.
• Create, modify, and delete registry subkeys.
• Retrieve a list of logical drives.
• Read, write, execute, copy, change attributes, and delete files.
• Shut down and restart the computer.
• Uninstall itself by deleting the...
Joji Hamada | January 28th, 2010
Yesterday we saw SEO poisoning attacks when searching for keywords such as "Apple Tablet". Now, after the product announcement has been made, we are seeing the same attack with the actual name of the product included in the search term. Using search terms like "Apple Ipad rumor" or "Apple Ipad size" are likely to produce results from sites like youcanbesureforsafe.net, antyspywarescanblog.com, or mastersmegasecurity.net, ultimately compromising your computer with rogue security software. No worries for Symantec product users.  Our HTTP FakeAV Redirect Request IPS signature will detect the attack.  Our Trojan.FakeAV!gen13 heuristic detection will also catch the rogue security software that's eventually downloaded on to the computer.  For network administrators, you can add the two rogue security software domains mentioned above to a blacklist, as well as xtijzl.xorg.pl and the IP address 93.158.114.163, both of which are used in the...
Dermot Harnett | January 27th, 2010
With Valentine’s Day a little over two weeks away it is not surprising that spammers are already targeting this holiday. Valentine’s Day is a common target for spammers and in January 2009 the top five Valentine’s Day-related spam subject lines were as follows:
1. Increase your length, the best valentine’s gift
2. Show off your length for valentine’s
3. Get it before Valentine’s day and watch her smile
4. You have been invited to partake in a shopping spree with [Removed] This Month for Valentines!
5. Happy Early Valentines Day, You have been selected to go on a $1000 Shopping spree to [Removed]
From time to time the products that spammers offer are surprising. A recent spam sample offered the perfect engagement ring, but you would have to wonder about their target audience; seriously, who would buy an engagement ring from a spam email? It is true that...
Livian Ge | January 26th, 2010
W32.Ramnit is a new worm recently detected by Symantec Security Response. It can infect .exe, .dll, and .html files on the user’s computer. W32.Ramnit encrypts itself and appends itself to the target file; when an infected file is run, the worm is dropped into the current directory under the name [InfectedFilename]Srv.exe and executed. At the same time it adds an MNetwork directory under %ProgramFiles%\. An infected computer attempts to connect to the site rmnz[removed]ed.com, downloads a .dll file from it, and registers that file with the system.

The worm spreads mainly via removable storage media. To spread, it copies itself into the Recycle Bin directory at the root of the removable device and creates an autorun file so that it launches automatically. We therefore advise users to scan removable storage devices with Norton security software before use and open them only once they are confirmed clean, and to keep the security software’s virus definitions up to date to defend against newly emerging threats.
Patrick Fitzgerald | January 26th, 2010
Yesterday’s blog spoke about the obfuscation techniques employed by Trojan.Hydraq. As it turns out these techniques are not new, had been used by various malware in the past, and are not too tricky to get around. This entry examines the techniques employed by this threat in order to stay active on a compromised computer and survive a restart. Hydraq takes advantage of the Svchost.exe process in Windows. When a Windows system starts up it checks the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. The values under this key are referred to as service groups: each value names a group and lists the services that belong to it, and an svchost.exe instance started with -k <group> uses that list to decide which service DLLs to load into itself. The following screenshot shows the services loaded into a particular instance of svchost on a clean computer: Hydraq creates the appropriate service groups and Windows does the rest. The Hydraq dropper performs the...
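A check a responder can run against the mechanism described above, added here as an example that is not Symantec’s tool and does not reproduce Hydraq’s own group or DLL names. It takes the service-group lists from the Svchost key together with each service’s ImagePath and Parameters\ServiceDll (here constructed inline as Python dicts; on a live host you would read them with winreg or reg query) and flags services whose ServiceDll lives outside System32, whose ImagePath does not actually start the group they are listed in, services with no Services key at all, and groups with a single member. The group ExampleGrp, the service ExampleSvc and the path C:\Windows\Temp\example.dll are invented for the demo; Schedule and wuauserv are ordinary netsvcs members.

```python
r"""Audit svchost service groups for a planted service (added example).

Input mirrors what you read from the registry on a live host:
  groups   -> {group: [service names]} from
              HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
  services -> {service: {"ImagePath": ..., "ServiceDll": ...}} from
              HKLM\SYSTEM\CurrentControlSet\Services\<service> and its
              Parameters subkey
"""
import re

SYSTEM32 = "%systemroot%\\system32\\"
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)")


def _norm(path: str) -> str:
    """Lower-case, drop quotes and fold the usual spellings of the Windows directory."""
    p = path.strip().replace('"', "").lower()
    return p.replace("c:\\windows", "%systemroot%").replace("%windir%", "%systemroot%")


def audit_svchost_groups(groups: dict, services: dict) -> list:
    """Return (severity, service, reason) tuples; empty list means nothing odd."""
    findings = []
    for group, members in groups.items():
        for svc in members:
            entry = services.get(svc)
            if entry is None:
                findings.append(("info", svc, f"listed in group {group} but has no Services key"))
                continue
            m = SVCHOST_RE.search(_norm(entry.get("ImagePath", "")))
            if m is None:
                findings.append(("high", svc, f"in group {group} but ImagePath is not svchost.exe"))
                continue
            if m.group(1) != group.lower():
                findings.append(("high", svc,
                                 f"listed in group {group} but ImagePath starts group {m.group(1)}"))
            dll = _norm(entry.get("ServiceDll", ""))
            if not dll:
                findings.append(("high", svc, "hosted by svchost but has no Parameters\\ServiceDll"))
            elif not dll.startswith(SYSTEM32):
                findings.append(("high", svc, f"ServiceDll outside System32: {entry['ServiceDll']}"))
        if len(members) == 1:
            # The post describes Hydraq adding its own group; a group that exists
            # for exactly one service deserves a look even if its DLL path is clean.
            findings.append(("medium", members[0], f"sole member of service group {group}"))
    return findings


# Constructed sample: two ordinary netsvcs members plus an invented private group.
GROUPS = {
    "netsvcs": ["Schedule", "wuauserv"],
    "ExampleGrp": ["ExampleSvc"],
}
SERVICES = {
    "Schedule":   {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                   "ServiceDll": r"%SystemRoot%\System32\schedsvc.dll"},
    "wuauserv":   {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                   "ServiceDll": r"%SystemRoot%\System32\wuauserv.dll"},
    "ExampleSvc": {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k ExampleGrp",
                   "ServiceDll": r"C:\Windows\Temp\example.dll"},   # invented for the demo
}

if __name__ == "__main__":
    for sev, svc, why in audit_svchost_groups(GROUPS, SERVICES):
        print(f"[{sev}] {svc}: {why}")
```

On the sample the invented service is reported twice: once because its DLL sits under C:\Windows\Temp, once because it is the only member of its group. A DLL path under System32 does not clear a service by itself; the next step is to check the file’s signature and timestamp against the rest of the directory.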
Patrick Fitzgerald | January 25th, 2010
While Trojan.Hydraq has been described as sophisticated, the methods used to obfuscate the code are relatively straightforward to deobfuscate. Trojan.Hydraq uses spaghetti code, a technique for making the code of a program more difficult to analyze. The basic blocks of a function are identified and then completely rearranged so that one cannot easily follow the code in a linear fashion. The rearranged code blocks are connected by jump instructions that link them in the proper order during execution. However, spaghetti code has been used in the past and, due to the simple method of implementation in Hydraq, is easily reversed. We posted one of the first blogs about spaghetti code in malware back in 2006 in regards to LinkOptimizer. Most security companies have tools to reverse this type of obfuscation in an automated fashion, and even off-the-shelf tools such as Hex-Rays can deobfuscate Trojan.Hydraq’s spaghetti code. Fortunately, this...
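The reversal step described above, as an added example that is not Symantec’s tooling and not Hydraq’s actual code: a small Python deobfuscator that models a function as basic blocks shuffled in layout order and glued together by unconditional jmp instructions, follows the chain from the entry label, and emits the function as straight-line code with the glue jumps removed. The assembly listing it runs on is constructed for the demo, and the model is an assumption: real tooling works on the disassembler’s control-flow graph rather than text, and conditional branches, which this model leaves alone, need the CFG.

```python
"""Toy deobfuscator for spaghetti-code layout (added example, not Hydraq's code).

Model (an assumption): a function's basic blocks have been shuffled in the
binary and each block ends with an unconditional ``jmp`` to the block that
logically follows it; the last block ends with ``ret``.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Block:
    label: str
    instrs: list            # instructions without the trailing glue jump
    jump_to: Optional[str]  # target of the glue jump; None for the final (ret) block


def parse_listing(text: str) -> dict:
    """Split an assembly-style listing into blocks keyed by label.

    A block starts at a ``label:`` line and ends at ``jmp <label>`` or ``ret``.
    """
    blocks, label, body = {}, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith(":"):
            label, body = line[:-1], []
            continue
        if label is None:
            raise ValueError(f"instruction outside any block: {line!r}")
        parts = line.split()
        if parts[0] == "jmp":
            blocks[label] = Block(label, body, parts[1])
            label = None
        elif parts[0] == "ret":
            blocks[label] = Block(label, body + [line], None)
            label = None
        else:
            body.append(line)
    if label is not None:
        raise ValueError(f"block {label} has no terminating jmp/ret")
    return blocks


def linearize(blocks: dict, entry: str):
    """Follow the glue jumps from ``entry``.

    Returns (blocks in execution order, labels never reached). A cycle means
    the chain is real control flow rather than pure layout obfuscation.
    """
    order, seen, cur = [], set(), entry
    while cur is not None:
        if cur in seen:
            raise ValueError(f"cycle back to {cur}; not a pure glue chain")
        if cur not in blocks:
            raise KeyError(f"jmp to unknown block {cur}")
        seen.add(cur)
        order.append(blocks[cur])
        cur = blocks[cur].jump_to
    return order, set(blocks) - seen


def deobfuscate(text: str, entry: str) -> str:
    """Emit the function as straight-line code: one label, no glue jumps."""
    order, _ = linearize(parse_listing(text), entry)
    lines = [f"{entry}:"]
    for b in order:
        lines.extend("    " + i for i in b.instrs)
    return "\n".join(lines)


# Constructed sample: layout order is scrambled and a dead block is mixed in.
SCRAMBLED = """
loc_3:
    shl eax, 1
    jmp loc_4
sub_401000:
    mov eax, [ebp+8]     ; first argument
    mov ecx, [ebp+0Ch]   ; second argument
    jmp loc_2
junk:
    xor eax, eax         ; never reached
    jmp loc_4
loc_4:
    ret
loc_2:
    add eax, ecx
    jmp loc_3
"""

if __name__ == "__main__":
    print(deobfuscate(SCRAMBLED, "sub_401000"))
```

Following the chain from sub_401000 yields mov, mov, add, shl, ret in that order; the junk block is reported as unreachable rather than silently dropped, which is the signal an analyst wants when deciding whether a block is dead code or the target of a branch the model does not track.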
Andrea Lelli | January 21st, 2010
You probably have heard the recent news about a widespread attack that was carried out using a 0-Day exploit for Internet Explorer as one of the vectors. This exploit is also known as the "Aurora Exploit". The code has recently gone public and it was also added to the Metasploit framework. This exploit was used to deliver a malicious payload, known by the name of Trojan.Hydraq, the main purpose of which was to steal information from the compromised computer and report it back to the attackers. The exploit code makes use of known techniques to exploit a vulnerability that exists in the way Internet Explorer handles a deleted object. The final purpose of the exploit itself is to access an object that was previously deleted, causing the code to reference a memory location over which the attacker has control and in which the attacker dropped his malicious code. We have developed and released the HTTP MSIE Memory Corruption Code Exec(23599) IPS signature that blocks this exploit...
Peter Coogan | January 21st, 2010
In our last Trojan.Hydraq (Aurora) blog, The Trojan.Hydraq Incident, we mentioned that one of the components of this Trojan is based on VNC code and has the ability to allow an attacker to control and stream a live video feed of a compromised computer’s desktop to a remote computer in real-time. In this blog we will look at these components in more detail and demonstrate them being used. Once Trojan.Hydraq is installed by means of an exploit, it downloads additional files from a remote location to aid with the attack. Two of the additional files downloaded are named VedioDriver.dll and Acelpvc.dll. These files are placed into the %System% folder on the exploited computer. Analysis of the files and communication protocol suggests that they were specifically written for use with Hydraq using modified VNC code. In conjunction with Hydraq, these files allow a remote attacker to control and stream a live video feed from an exploited computer. When looking at the information stored...
Kevin Haley | January 21st, 2010
Did you follow the Senate race in Massachusetts between Scott Brown and Martha Coakley? Well, so did cybercriminals. They likely had no interest in who won, however. What attracted them was how many of us were performing online searches, looking for information on the race. So, the bad guys raced to answer this need, but it wasn’t with information on who won. It was with traps to infect us with rogue security software. Symantec—through use of our Norton Safe Web technology—has identified significant search engine poisoning in searches related to the political race. At one point we looked at the results of a search for “Massachusetts senate race results” and found that 33 of the first 100 search results led to malicious sites. Eleven of the first 100 results for the related search “Brown Coakley results” also led to malicious sites. Unfortunately none of this is all that surprising to us. From Michael Jackson’s death, to the tragedy in...
Livian Ge | January 20th, 2010
Trojan.Zbot, a Trojan that Symantec Security Response tracks continuously, attempts to steal private data from the user’s computer. A new variant of it has recently appeared.

When run, Trojan.Zbot first copies itself to the system directory disguised as a normal file, then adds a registry entry so that it runs automatically at startup. It then drops an encrypted configuration file and collects information about the victim’s computer such as the operating system version and language. Trojan.Zbot also deletes the cookies on the computer, so that the user has to re-enter passwords when visiting banking sites. Next, it injects malicious code into every process except CSRSS.EXE. That code hooks many network-related functions in order to monitor network data and steal bank card details, email passwords, and other personal information. The stolen information is stored locally first and then sent to the address specified in the configuration file.

The Trojan spreads mainly over the Internet, for example through drive-by downloads and spam. We therefore advise users to disconnect the computer from the network as soon as anything abnormal is noticed and to run a full scan and clean-up with Symantec security software; this reduces the harm the Trojan can do and also prevents it from spreading to more computers online. If the computer is confirmed to be infected, change your personal credentials promptly, including network login user names and passwords, email passwords, and bank card passwords, so that the attacker cannot use the stolen information against you.
Symantec Securi... | January 20th, 2010
Symantec Security Response has repeatedly warned that looking for free movies and videos online often results in malware infection, and here we go again with yet another example. We recently became aware of a campaign, centered around the YouTube Web site, to trick users into following malicious links. YouTube is one of the most popular video sharing sites and therefore is often picked by online criminals hoping for an easy catch. Performing a search using a (generally female) celebrity’s name followed by "sex tape" or a recent movie name yields results such as the following: Unfortunately, clicking the links highlighted in red in the above screenshots will not lead to the desired footage of Ms. Hudgens or the movie Angels and Demons. In place of what would have been the video is a message from the poster stating that they cannot upload the video because it would be deleted by YouTube, it is too big to host on YouTube, or other such excuses. However, the...
Kevin Haley | January 20th, 2010
AntiVirus Live, Personal Security, Malware Defense, and Desktop Defender These are all names for different rogue security software programs. We identified 250 different “brands” of these bogus products in the Rogue Security Software Report published in October 2009. But these four—and many others—are not among those 250. They are all new since October. You can see some examples of some of the new graphic styles of these fake AVs here. In fact, there are so many of these misleading applications that we don’t even try to write a unique definition for each one of them. We use generic signatures such as Trojan Horse, Trojan.FakeAV, and Trojan.FakeAV!gen. While we aren’t surprised about new names, it doesn’t mean that we can’t occasionally be surprised. Take last week for example. While looking at some search trends on virus names I noticed an increase in searches for the threat Netsky. Netsky is a mass-mailer that first appeared in 2004....
Mayur Kulkarni | January 19th, 2010
Last week, Symantec warned netizens of Haiti earthquake-related email scams. These alerts have not deterred spammers from continuing their operations in the form of 419 and phishing scams. We have monitored a variety of scam emails that falsely claim to come from humanitarian and relief fund organizations, asking users for donations. When we look at the list of subject lines found in scam emails below, we observe that some of them imitate the subject lines of legitimate emails requesting donations: Financial contributions to the British Red Cross Please Reply. Haiti Earthquake: HELP HAITI Urgent response:Help haiti RED CROSS EARTHQUAKE APPEAL- DONATE NOW! Donate to Haiti today Please give what you can today to help thousands of people there in desperate need humanitarian assistance Come up and make a difference to help the poor people of Haiti. Urgent Mail.... Desperately Needed Aids We also noticed the creation of new email addresses...
Thomas Parsons | January 19th, 2010
Symantec goes to great lengths to prevent false positives from occurring. Undoubtedly false positives (FPs) are a concern for all vendors across the antivirus industry. However with as large a user base as Symantec has, we need to set the bar very high. Symantec’s content is used on over 120 million devices around the world so any software defects like a false positive have a much higher chance of being exposed than with a smaller user base. Given the importance of false positives our quality assurance team is at the forefront of efforts to prevent them. With this in mind we’d like to make available recently completed research in this area. The research is entitled ‘A False Positive Prevention Framework for Non-Heuristic Anti-Virus Signatures’ and is in the form of a case study (based on Symantec). That sounds like a mouthful so let’s break it down! The goal of the research was to develop a high level conceptual structure to help us address the problem...