Security Research

Security Research is the core technical security group within Norman R&D, focusing on innovative detection techniques and methodologies. Security Research deals with everything from vulnerability and malware research to development of the Norman Engine and Sandbox. The team is based in Norway with additional locations in the U.S. and India which consists of experts from ten nations with backgrounds in government, academia and commercial entities.

Latest Posts in Security Research

The Shiqiang Gang

May 15, 2012 by Snorre Fagerland - No Comments

In a series of blog posts our colleagues at Trend and AlienVault have detailed recent attacks on NGO’s, and how trojanized RTF files have been used as vehicles to plant various remote access trojans on unsuspecting users using the CVE-2012-0158 vulnerability. In addition, they both mention that apparently stolen digital … Read More

Tags:

Unusual cyber attack targets continue: This time Ethiopia

May 3, 2012 by Snorre Fagerland - 1 Comment

Despite reports that digitally signed malware is becoming more common, it still calls for a bit of attention when a new stolen certificate is found. Much signed malware is either signed with a certificate which is known to be on the loose, signed with a self-signed (and thus untrusted) certificate, … Read More

Tags:

Trojan moves its configuration to Twitter, LinkedIn, MSDN and Baidu

March 26, 2012 by Snorre Fagerland - 1 Comment

Sogu (alias Thoper, TVT, Destory Rat etc) is a large remote access trojan that has been used in a number of intrusions and targeted attacks. One of these was the large scale intrusion into servers owned by SK Communications in South Korea July 2011, where personal information of up to … Read More

Tags: baidu, linkedin, msdn, Sogu, targeted attack, trojan, Twitter

The Syrian spyware

February 18, 2012 by Snorre Fagerland - No Comments

In an article yesterday, CNN mentions two malicious programs used to target the Syrian opposition; one which displays message about downloading a free security program, and one which showed no action when executed. We have seen more of these. Most of the ones we’ve seen come as selfextracting RAR executables … Read More

Tags:

LessNet: Revisiting the Nobelpeaceprize.org Intrusion

February 9, 2012 by Snorre Fagerland - 1 Comment

October 26th, 2010 the homepage of the Norwegian Nobel Peace Prize Committee was compromized with a 0-day exploit designed for Mozilla Firefox. The Norwegian telecommunications company Telenor discovered this, and notified NorCERT and us. How the Nobel site was compromized is not known. However, the details around the installed malware … Read More

Tags:

Classic malicious URLs

January 24, 2012 by Felix Leder - No Comments

In my last blog, I wrote about a malware download center that only served malicious executables if the related exploit kit seemed to be successful. The URLs used were so classically malicious that I just have to use them as examples to explain some easy ways to identify them. hxxp://epartyonfloor.ru:8801/html/yveveqduclirb1.php … Read More

Tags:

Tracking your Exploitation

January 23, 2012 by Felix Leder - 1 Comment

A broad range of security researchers are constantly tracking malware download centers (MDC). These centers feed to malicious executables, like bots, trojans, and so on to exploited computers. In the same way as other researchers, we at Norman are tracking MDCs in order to check out the latest executables for … Read More

Tags: Browser, client honeypots, drive-by-exploit, evasion, exploit kit, mag2, Vulnerabilities / Exploits

Tracking Zeus Variants

January 11, 2012 by Jonathan Camp - 2 Comments

A recent FBI warning mentions a new strain of the Zeus banking trojan called GameOver. As with previous variants, the malware’s primary target is banking credentials. According to a Swiss researcher, one of the distinguishing features in this variant is a new peer-to-peer (P2P) communication system. Rather than using dynamically … Read More

Tags: mag2, zeus

Signed malware: Snooping on Chinese students?

January 11, 2012 by Snorre Fagerland - No Comments

Between the holidays I found a very simple but digitally signed malcode. It basically does one single thing: It overwrites the hosts file. The modification is as follows: 175.41.21.11 www.chsi.com.cn The hosts file modification has the effect of overriding any DNS queries for chsi.com.cn so that it points to a … Read More

Tags:

Palebot trojan harvests Palestinian online credentials

December 8, 2011 by Snorre Fagerland - No Comments

I sometimes sample the stream of files that come from VirusTotal, so as not to lose touch with what malware is actually floating around. Of special interest are the files where few or only we have detection, because there is a higher probability that such files are false positives that … Read More

Tags:

← Older Posts

Security Research Bloggers

Norman Blog Archive

2012 (82)
2011 (86)
2010 (47)
2009 (31)
2008 (11)

Subscribe