Posts Tagged ‘malicious code’

Symantec reported the detection of new threats in the Android app store.

Symantec Security Response has found 14 malicious applications, all published by the same developer, that let attackers send requests from the user’s device to external resources without any action on the user’s part. The applications issue these requests from the device, directing its traffic to a web site chosen by the attackers.

The malicious code runs in the background, posing as part of the Android operating system. It takes instructions from a number of command-and-control (C&C) servers and constantly polls over HTTP for the next command. This scheme gives the attackers remote control that can be used in a wide range of ways; for example, it can generate revenue by driving traffic to monetized advertising links and banners. (more…)

What do Win32/Redyms and TDL4 have in common?

The substitution of search engine query results.

Since the beginning of 2013, ESET’s analysts have been tracking an interesting family of Trojans, Win32/Redyms. This threat is notable for substituting the results of search-engine queries. We have established that it is most widespread in the U.S. and Canada, where the cybercrime market offers the highest prices for redirecting users’ search-engine clicks to malicious or advertising resources.

ESET Leading Analyst Alexander Matrosov performed a deep analysis of Win32/Redyms. It revealed the similarity of this malicious code to another program, Win32/Agent.TJO, which is also known as part of the Olmarik/TDL4 family. Win32/Agent.TJO is a user-mode trojan based on the clicker component of TDL4. TDL4, Win32/Agent.TJO and Win32/Redyms all use similar mechanisms to control the browser’s network traffic. To capture that traffic, the bot hooks several functions of the Microsoft Windows Socket Provider library (mswsock.dll): (more…)


New Linux rootkit

On a number of web servers we found a new rootkit that is used to covertly inject malicious content into the responses served by the HTTP server. The rootkit infects 64-bit Linux servers running Debian Squeeze with kernel 2.6.32-5-amd64.

After activation, a kernel module is loaded into the core of the system; it hides the traces of the rootkit and injects into the HTTP traffic generated by the local web server an iframe block whose code exploits vulnerabilities in client browsers and the plug-ins installed in them.

In contrast to the commonly used technique of placing malicious code in the server-side HTML pages, the rootkit leaves the files intact and performs the substitution on the content as it leaves the HTTP server. Since the rootkit’s components are masked and hidden from monitoring tools, at first glance there is no malicious activity. The first information about the new rootkit was published a few days ago on the Full Disclosure mailing list. The administrator of one of the affected systems performed an initial analysis of strange activity on his server: the data leaving the system contained an injected malicious iframe, yet locally no such substitution could be observed, and checking the content returned by nginx with strace showed correct data being written to the network socket.

Later, one of the security researchers with access to the infected system analyzed the rootkit and published a detailed report on how it works. The most important conclusion is that the detected rootkit is a new development, not based on any previously available rootkits or rootkit-building tools. The implementation and its quality indicate that the rootkit was not created for targeted attacks, but is rather an initial attempt to create yet another means of distributing malware. (more…)