The Malware Detection Team has changed its name to Security Research
Security Research is the core technical security group within Norman R&D, focusing on innovative detection techniques and methodologies. Security Research deals with everything from vulnerability and malware research to development of the Norman Engine and Sandbox. The team is based in Norway, with additional locations in the U.S. and India, and consists of experts from ten nations with backgrounds in government, academia and commercial entities.
February 23, 2012 - No Comments
Please update all URLs from malware-detection-team to security-research.
February 18, 2012 - No Comments
In an article yesterday, CNN mentions two malicious programs used to target the Syrian opposition; one which displays a message about downloading a free security program, and one which showed no action when executed. We have seen more of these. Most of the ones we’ve seen come as self-extracting RAR executables …
February 9, 2012 - 1 Comment
On October 26th, 2010, the homepage of the Norwegian Nobel Peace Prize Committee was compromised with a 0-day exploit designed for Mozilla Firefox. The Norwegian telecommunications company Telenor discovered this, and notified NorCERT and us. How the Nobel site was compromised is not known. However, the details around the installed malware …
January 24, 2012 - No Comments
In my last blog, I wrote about a malware download center that only served malicious executables if the related exploit kit seemed to be successful. The URLs used were so classically malicious that I just have to use them as examples to explain some easy ways to identify them. hxxp://epartyonfloor.ru:8801/html/yveveqduclirb1.php …
January 23, 2012 - 1 Comment
A broad range of security researchers are constantly tracking malware download centers (MDC). These centers feed malicious executables, like bots, trojans, and so on, to exploited computers. In the same way as other researchers, we at Norman are tracking MDCs in order to check out the latest executables for …
January 11, 2012 - 2 Comments
A recent FBI warning mentions a new strain of the Zeus banking trojan called GameOver. As with previous variants, the malware’s primary target is banking credentials. According to a Swiss researcher, one of the distinguishing features in this variant is a new peer-to-peer (P2P) communication system. Rather than using dynamically …
January 11, 2012 - No Comments
Between the holidays I found a very simple but digitally signed malcode. It basically does one single thing: It overwrites the hosts file. The modification is as follows: 175.41.21.11 www.chsi.com.cn The hosts file modification has the effect of overriding any DNS queries for chsi.com.cn so that it points to a …
December 8, 2011 - No Comments
I sometimes sample the stream of files that come from VirusTotal, so as not to lose touch with what malware is actually floating around. Of special interest are the files where few or only we have detection, because there is a higher probability that such files are false positives that …
November 17, 2011 - 1 Comment
This story starts with a compromised code signing certificate. It belongs to YNK Japan Inc, a subsidiary of YNK Korea. YNK makes online games such as “R.O.H.A.N : Blood Feud” and “Seal Online : Eternal Destiny”. The certificate has the following data: Serial Number: 046931BF57EBC5947D3DC4EE7A236E Common Name: YNK JAPAN Inc …
October 31, 2011 - No Comments
Odivy is a family of backdoor trojans, reportedly used in attacks against the chemical industry, the so-called Nitro attacks. Most of the ones mentioned in this attack are structured as WinRAR self-extracting (SFX) archives, typically containing two files; one executable and one data file with a *.TXT extension. This may …