
Symantec’s take on the latest high-profile malware

Late in the summer I always get a visit from Symantec, so they can fill me in on details of their fall product updates. This time I met with VP Patrick Gardner of the Security Technology and Response team and with Gerry Egan, senior director of product management. Of course, much of the product information is under embargo until the actual release date, but Gardner also presented the STAR team's findings on several recent high-profile threats. "We have to give you something you can write about now," gibed Gardner.

No good deed unpunished

First up was the threat Symantec calls Printlove. When this threat hits, some systems begin spewing page after page of gibberish from the printer.

Printlove actually exploits a vulnerability in the Windows print spooler, a flaw that Microsoft patched in 2010. The infamous Stuxnet used this same vulnerability as one of its seven infection vectors. Printlove typically gets a toehold on a network when a hapless user plugs in an infected USB drive. Once active, it spreads across the network by dropping a carefully crafted payload into the print spooler folder.

On an unpatched system, this payload causes the spooler process to execute malicious code. If you've kept your system properly updated, the spooler just sees the payload as a print job and tries to print the binary file, with unpleasant results. That's right; only the security-wise users who keep abreast of the latest patches will suffer the "printer bomb" effect!

Big Brother really is watching

Gamma International, based in the UK, bills its Finfisher tool as a "governmental IT intrusion and remote monitoring solution." We don't really know what agencies are using Finfisher, but its presence has been reported in countries all over the world. Symantec's STAR team analysed an actual working sample and determined that it really lives up to its promised feature list.

Among other things, it can record your Skype calls, instant messages, email, and VoIP conversations. In addition to an advanced keylogger, it has the ability to snoop using the victim PC's webcam and microphone. It can siphon sensitive files off your hard drive. It communicates covertly with the owning agency's headquarters and can bypass over 40 antivirus systems.

Gardner reported that Finfisher typically arrives buried in an email with a .rar-compressed collection of images attached. One of the images is actually an executable file, but its filename uses a peculiar feature of Unicode, the right-to-left override character, to make the extension display as .jpg. When the victim opens this wolf in sheep's clothing, it infects the Master Boot Record. At the next reboot, the victim system is totally owned.
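As an added illustration of the right-to-left override trick (this is not Symantec's analysis or code from the original article), the following Python checks constructed attachment names for Unicode bidi control characters and compares the extension a user would see with the one the operating system actually uses. The file names are made up for the example.

```python
import os

# Unicode bidi control characters: they change how a name is drawn on screen,
# not the bytes Windows uses to choose the program that opens the file.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}

def real_extension(name):
    """Extension the OS dispatches on: drop the controls, take the last suffix."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()

def displayed_name(name):
    """Approximate what a file browser shows (simplified bidi handling): text
    after an RLO is reversed up to the next PDF or the end of the name."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":  # RLO
            end = name.find("\u202c", i + 1)  # matching PDF, if any
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:  # other controls are invisible
                out.append(ch)
            i += 1
    return "".join(out)

def inspect_filename(name):
    """Flag names where a bidi control makes the visible extension lie."""
    controls = [BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    real_ext = real_extension(name)
    return {"shown": shown, "shown_ext": shown_ext, "real_ext": real_ext,
            "controls": controls,
            "suspicious": bool(controls) and shown_ext != real_ext}

# Constructed samples: benign, benign with an RLM mark, executable disguised with RLO.
SAMPLE_NAMES = ["beach.jpg", "\u200fsunset.jpg", "holiday_photo\u202egpj.exe"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = inspect_filename(n)
        print(r["shown"], r["real_ext"], r["shown_ext"], r["suspicious"])
```

A mail gateway or endpoint scanner can apply the same check to archive listings, since the .rar attachment is where the disguised name arrives.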

Is MI6 watching you with Finfisher? How about the FBI or KGB? The chances are you're not a “person of interest,” but that doesn't mean you're safe. It's only a matter of time before cyber-crooks start using this technology, if they haven't already. Unless your antivirus detects it, you just won't know. Naturally, Symantec's antivirus products detect it, calling it Backdoor.Finfish, along with a similar Mac-specific tool they call OSX.Crisis.