Entries with tag symantec.

Symantec Disables Portion of Resilient Botnet

Security vendor Symantec has disrupted part of the ZeroAccess botnet, freeing about 500,000 of its 1.9 million infected computers from the operators’ control. Symantec researchers exploited a weakness, which they have not disclosed, in the botnet’s peer-to-peer update mechanism to poison the peer lists of 256 peers and inject their own IP addresses into the network, so that bots that picked up those addresses ended up talking to a sinkhole under Symantec’s control rather than to the rest of the botnet. The researchers also tried to take over ZeroAccess’s entire command-and-control mechanism, but because the botnet distributes its instructions peer to peer rather than through centralized servers, there was no single point to seize. The botmasters have since pushed an update that removes the weakness Symantec exploited, and the company is working to free the infected machines that have not yet received it. Symantec researchers call ZeroAccess “one of the most menacing botnets in current circulation.” Its operators use the machines they control to distribute further malware, to commit advertising fraud (specifically click fraud), and to commit digital-currency fraud by using the compromised computers for Bitcoin mining. The click fraud alone, at roughly 1,000 clicks per day per computer, reportedly earns about $700,000 per year. (BBC)(Computerworld)(Ars Technica)
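The disruption described above rests on a property of peer-to-peer botnets that a small simulation makes concrete: bots accept peer-list updates from whoever they talk to, so a defender who controls a handful of addresses can flood those lists until bots know nobody but the defender. The Python model below is an added example written for this page; it is not Symantec’s tooling and it does not reproduce ZeroAccess’s real protocol or the undisclosed flaw. Every detail in it is an assumption made for illustration: the eight-entry timestamp-ordered peer list, the sinkhole’s reply format, the “seeded” bots standing in for the initial injection of the defender’s addresses, and the “hardened” merge policy, which stands in for the kind of fix the botmasters pushed without any claim that it is what they actually did.

```python
"""Peer-list poisoning against a peer-to-peer botnet: a constructed simulation.

Written for this page as an illustration; not ZeroAccess's protocol and not
Symantec's tooling. Every detail below (list size, timestamp ordering, the
sinkhole's reply, the seeding step, the hardened policy) is an assumption.
"""
import random

PEER_LIST_SIZE = 8        # assumption: each bot remembers this many peers
SINKHOLE_COUNT = 8        # assumption: enough defender addresses to fill one list
NEW_PEERS_PER_REPLY = 1   # hardened bots admit at most this many unknown peers per reply

SINKHOLES = [f"sink-{i}" for i in range(SINKHOLE_COUNT)]


def make_network(n_bots, seeded_fraction, rng):
    """Build {bot: {peer: last_seen}} with random honest peer lists.

    A fraction of bots start with one sinkhole entry, standing in for the
    defender's injection of its own addresses into the network (assumption).
    """
    bots = [f"bot-{i}" for i in range(n_bots)]
    net = {}
    for bot in bots:
        peers = rng.sample([b for b in bots if b != bot], PEER_LIST_SIZE)
        if rng.random() < seeded_fraction:
            peers[0] = rng.choice(SINKHOLES)
        net[bot] = {p: 0 for p in peers}
    return net


def trim(peers):
    """Keep the PEER_LIST_SIZE most recently seen entries; on ties, older entries win."""
    ranked = sorted(peers.items(), key=lambda kv: kv[1], reverse=True)  # stable sort
    return dict(ranked[:PEER_LIST_SIZE])


def merge(me, peers, reply, hardened):
    """Fold a received peer list into `peers` and return the trimmed result.

    Vulnerable policy: believe the advertised last-seen timestamps.
    Hardened policy: timestamps come only from direct contact; unknown peers
    enter unverified (last_seen 0), at most NEW_PEERS_PER_REPLY per reply.
    """
    admitted = 0
    for addr, seen in reply.items():
        if addr == me:
            continue
        if not hardened:
            peers[addr] = max(peers.get(addr, -1), seen)
        elif addr not in peers and admitted < NEW_PEERS_PER_REPLY:
            peers[addr] = 0
            admitted += 1
    return trim(peers)


def run(n_bots=200, rounds=80, seeded_fraction=0.2, hardened=False, seed=1):
    """Simulate `rounds` of peer-list exchange.

    Returns (isolated, touched): the fraction of bots whose entire list is
    sinkholes, and the fraction that know at least one sinkhole address.
    """
    rng = random.Random(seed)
    net = make_network(n_bots, seeded_fraction, rng)
    for now in range(1, rounds + 1):
        for me in list(net):
            peers = net[me]
            target = rng.choice(list(peers))
            peers[target] = now                      # direct contact, so verified
            if target in SINKHOLES:
                reply = {s: now for s in SINKHOLES}  # defender advertises only itself, all "fresh"
            else:
                reply = dict(net[target])            # honest bot shares its own list
            net[me] = merge(me, peers, reply, hardened)
    isolated = sum(all(p in SINKHOLES for p in ps) for ps in net.values()) / n_bots
    touched = sum(any(p in SINKHOLES for p in ps) for ps in net.values()) / n_bots
    return isolated, touched


if __name__ == "__main__":
    for policy in (False, True):
        isolated, touched = run(hardened=policy)
        print(f"hardened={policy}: isolated={isolated:.2f} know_a_sinkhole={touched:.2f}")
```

With the vulnerable policy nearly every bot finishes with a list made up solely of sinkhole addresses, because the sinkholes always carry the freshest timestamps and the trimming rule favours fresh entries; with the hardened policy none do, because a peer that refreshes timestamps only on direct contact and admits unverified entries at the bottom of its list never lets an advertised entry displace a verified one. Two caveats follow from the model itself. First, in this toy version the hardened rule also freezes every peer list once it is full, which a real botnet cannot afford, so a real fix needs bounded admission of new peers plus verification before they are trusted. Second, the sinkholes capture the bots that reach them but never take over the instruction channel, which is the limit the article describes: with no central server there is nothing to seize.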

Researchers Reveal New Details about Flame’s Malicious Capabilities

Security researchers have released new details on the techniques the sophisticated Flame malware used in its attacks on computers in the Middle East earlier this year. Analysis by researchers from Kaspersky Lab, Symantec, CERT-Bund/BSI, and the International Telecommunication Union’s Impact Alliance showed that Flame’s creators disguised the malware’s command-and-control servers as content-publishing platforms running a fake content-management application, so that to an outside observer each server looked like something a news site or blogger might operate rather than a malware controller. The researchers say work on the Flame infrastructure started as early as 2006 and that the same infrastructure supported at least three other pieces of malware that have yet to be discovered. The operation was also broader than previously believed, infecting perhaps as many as 10,000 machines. Forensic examination of the servers revealed the names or code names of four of Flame’s developers. Kaspersky Lab reported discovering Flame, which it describes as part of an espionage toolkit, in May, after the International Telecommunication Union asked for help with infections targeting Iran’s oil ministry. Flame attacks carefully selected computers, steals data, and opens a backdoor on infected systems that its operators can use to update the malware. Researchers say the malware is so complex that fully analyzing it could take a decade. (Ars Technica)(Reuters)(Wired)(Kaspersky Lab Threatpost)(Computing Now NewsFeed – 29 May 2012)

Flame Creators Trip Self-Destruct Command

Symantec researchers report that the creators of the Flame malware toolkit issued a so-called “suicide command” earlier this week to remove it from some infected computers. Symantec observed the command on honeypot computers set up specifically to monitor Flame and said it deleted all Flame files and then overwrote the space they had occupied with random characters to hinder researchers investigating the infection. Symantec says the self-removal code was written in early May. Meanwhile, addressing a security conference in Tel Aviv, Eugene Kaspersky of Kaspersky Lab, which discovered Flame, said this sort of cyberterrorism is frightening. “It’s not cyberwar, it’s cyberterrorism, and I’m afraid it’s just the beginning of the game ... I’m afraid it will be the end of the world as we know it,” Kaspersky said. “I’m scared, believe me. … Flame is extremely complicated but I think many countries can do the same or very similar, even countries that don't have enough of the expertise at the moment. They can employ engineers or kidnap them, or employ ‘hacktivists.’” (BBC)(Computerworld)(Symantec Security Response Blog)(Reuters)
