Trend Micro Malware Blog

    Archive for October, 2011




    A recent report by Symantec documented a campaign of targeted malware attacks that began as early as April 2011 and continued up to October 2011. During this time, the attackers managed to compromise at least 100 computers around the world. This report illustrates some of the key findings in our latest white paper, Trends in Targeted Attacks.

    Targeted Campaigns

    Targeted malware attacks are rarely isolated events. It is more useful to think of them as campaigns – a series of failed and successful attempts to compromise targets over a period of time. An attacker’s prior knowledge of the victim, possibly from a previously successful attack, affects the level of specificity associated with a single attack in a malware campaign. In this case, the attackers used messages with an IT security theme that appeared rather generic but were customized for various targets. The download link in the email messages was made to appear as if it were pointing to the target’s own website. Often, this less-specific level of targeting focuses on communities of interest and is aimed at acquiring information to be used in a future, more precise attack.

    Moreover, there is generally a diversity of targets. In this case, the Nitro attackers targeted a concentration of chemical companies but also targeted human rights NGOs, motor companies and defense contractors.




    Today, I received an email from Apple telling me that there had been a change to my account information. Since I had in fact changed it a few weeks ago, I was curious to see what this email from “Apple” had to say. After opening the message, I was surprised to see an uncanny, almost identical resemblance to the legitimate email Apple had sent me a few weeks earlier. See the side-by-side comparison below:




    “[I]’m going to watch you and monitor your telephone line.”

    “Your internet access is going to get suspended.”

    “Someobdy uplaod a vdieo wtih you on utbue”

    Halloween is fast approaching and it’s that time of the year when scaring people is the most popular form of entertainment. However, not all spooks this season may end up in good-natured merriment. Cybercriminals may take this opportunity to scare users with their tricks, which include spammed messages, poisoned search results, spammed tweets with dubious links and Facebook clickjacking attacks. If not wary of these schemes, users may end up becoming victims of information theft, system infection, and even financial loss.

    These cybercriminal scare tactics are not new. As the lures quoted above show, for years we have seen attempts to alarm users into doing things they would not normally do: open attachments, click links, and pay for fake, costly items and bogus antivirus software. These tactics have had some measure of success. One recent blackhat SEO campaign, for instance, generated 300 million hits from 113 million visitors in just one month of operation.

    It is time for users to conquer their fears. Below is an infographic that provides a quick run-through of common tricks and threats that users may encounter online. We have also included tips on how to detect and avoid these shams so that users’ online experience stays safe and spook-free.




    The usage of exploits in current threats underlines the critical need for users to keep programs updated at all times. Considering the great amount of time people spend on their computers connected to the Internet, web browsers are prime targets for cybercriminals.

    This is a technical analysis of a recently discovered vulnerability in one of the most widely used web browsers: Mozilla Firefox.

    This Mozilla Firefox vulnerability was discussed by Chris Rohlf and Yan Ivnitskiy during their presentation, Attacking Clientside JIT Compilers, at the Black Hat conference in Las Vegas earlier this year.

    The vulnerability, identified as CVE-2011-2371, lies in the Js3250.dll library, specifically in the Js3250!array_reduceRight function, and affects Firefox versions earlier than 3.6.18 as well as versions 4.0 through 4.0.1. Two proofs of concept for this vulnerability were publicly disclosed earlier this month, one by Matteo Memelli and one by the Metasploit Project.

    We analyzed the vulnerability through reverse engineering and tested the published proof of concept. Using it, we were able to achieve arbitrary code execution on Firefox 3.6.16.

    Vulnerability Analysis

    The sample exploit code (shown as an image in the original post) works as follows:

    It sets the length of an array object to a large value that the engine handles as an unsigned 32-bit integer, and then calls reduceRight on that new Array, so that the loop inside array_reduceRight derives its indices from the attacker-chosen length rather than from the storage actually allocated for the array.
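    As an added illustration (not code from the original post and not SpiderMonkey source), the following constructed C model shows the integer-handling mistake behind this class of bug: a dense array whose script-visible length is decoupled from the slots actually allocated for it, a reduceRight-style loop that derives a signed 32-bit start index from that unsigned length, and, beside it, a version that keeps the index unsigned and clamps it to the allocated capacity before touching any slot. The array layout, the capacity of 8 and the element values are assumptions made for the demonstration.

```c
/* Constructed model of the integer-handling bug class behind CVE-2011-2371.
 * Illustration only: not Mozilla's code. The array layout, capacity and
 * element values below are assumptions made for the demo. */
#include <stdint.h>
#include <stdio.h>

#define CAPACITY 8u

typedef struct {
    uint32_t length;              /* JS-visible length: script can set it to 0xFFFFFFFF */
    uint32_t capacity;            /* slots actually allocated in the backing store */
    uint32_t elements[CAPACITY];  /* the backing store (stands in for jsval slots) */
} dense_array;

/* Build a demo array with `js_length` as its script-visible length and the
 * backing store filled with 1..CAPACITY (constructed sample data). */
dense_array make_array(uint32_t js_length)
{
    dense_array a = { .length = js_length, .capacity = CAPACITY };
    for (uint32_t i = 0; i < CAPACITY; i++)
        a.elements[i] = i + 1u;
    return a;
}

/* Vulnerable pattern: a signed 32-bit index computed from an unsigned length.
 * Walks the indices a reduceRight loop would visit and returns the first one
 * that lies outside the allocated store, or -1 if every visited slot is in
 * bounds. With length = 0xFFFFFFFF the very first index is -2: the loop would
 * read two slots *before* the element buffer. */
int64_t reduce_right_first_oob_vuln(const dense_array *a)
{
    int32_t start = (int32_t)(a->length - 1u);  /* 0xFFFFFFFF - 1 = 0xFFFFFFFE -> -2 as int32 */
    int32_t end = -1;                           /* reduceRight stops when i == -1 */
    for (int32_t i = start; i != end; i--) {
        if (i < 0 || (uint32_t)i >= a->capacity)
            return i;                           /* out-of-bounds slot would be dereferenced here */
        /* in-bounds slot: the real code would hand a->elements[i] to the callback */
    }
    return -1;
}

/* Hardened pattern: stay unsigned and bound the range by the allocated store
 * before deriving any index from the script-controlled length. In this model
 * everything at or past `capacity` is a hole, so it is simply not visited.
 * Returns the sum of visited slots; *visited receives how many were touched. */
uint32_t reduce_right_checked(const dense_array *a, uint32_t *visited)
{
    uint32_t upper = a->length < a->capacity ? a->length : a->capacity;
    uint32_t sum = 0, n = 0;
    for (uint32_t i = upper; i > 0; i--) {      /* unsigned: no negative index can exist */
        sum += a->elements[i - 1u];
        n++;
    }
    if (visited) *visited = n;
    return sum;
}

/* Convenience wrappers so a single call exercises one scenario end to end. */
int64_t vuln_first_oob_for_length(uint32_t js_length)
{
    dense_array a = make_array(js_length);
    return reduce_right_first_oob_vuln(&a);
}

uint32_t checked_sum_for_length(uint32_t js_length, uint32_t *visited)
{
    dense_array a = make_array(js_length);
    return reduce_right_checked(&a, visited);
}

int main(void)
{
    uint32_t visited = 0;
    printf("length=4:          vulnerable first OOB index = %lld\n",
           (long long)vuln_first_oob_for_length(4u));
    printf("length=0xFFFFFFFF: vulnerable first OOB index = %lld\n",
           (long long)vuln_first_oob_for_length(0xFFFFFFFFu));
    printf("length=0xFFFFFFFF: checked version visited %u slots, sum %u\n",
           visited, checked_sum_for_length(0xFFFFFFFFu, &visited));
    return 0;
}
```

    The point the model makes is that the length a script assigns is not evidence of storage: once the loop index is allowed to go negative, the first access lands in whatever object metadata precedes the element buffer, which is exactly the kind of controlled read that the published proofs of concept build on. The fix is not a larger integer type but refusing to derive an index from an unsigned length that the allocation cannot back.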




    We have seen spam runs in the past that use the death of a well-known celebrity or political figure as a social engineering lure; recent examples include the deaths of Steve Jobs and Amy Winehouse. The spam run using Gadhafi’s death, however, relies on a more compelling lure to trick users into downloading malicious files.

    We found several spammed messages that claim to lead to videos of Gadhafi’s death. It is important to note that such videos do exist: legitimate news sites like Reuters and The Washington Post describe the graphic content of the footage and even host the videos on their websites. The existence of real videos makes this a far more convincing lure than the usual celebrity-death spam.

    The first sample disguises itself as a CNN newsletter in Spanish. It tells the user to download the video footage of Gadhafi’s death through the link provided. However, the supposed video file, Video-Gadhafi.mpeg.exe, that the user is led to turns out to be malware which we detect as BKDR_IRCBOT.DAM.

    BKDR_IRCBOT.DAM connects to a certain IRC server and waits for commands from a remote user. So far, the only command we’ve seen being triggered by this connection is the downloading and execution of a file from a certain IP address. The said file is another copy of BKDR_IRCBOT.DAM. We believe that this routine is this malware’s way of updating itself.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice