Analysis of the Sykipot attacks

Dec 09, 2011
Data and Information Security

Symantec reviews recent targeted attacks, including the use of the Adobe zero-day vulnerability and the Sykipot malware, in a new analysis.

The analysis is written by Vikram Thakur and is also based on work from researchers Stephen Doherty, Andrea Lelli, Nicolas Falliere, Paul Mangan and Sean Kiernan.

The full report is HERE. What follows is an excerpt:

The goal of Sykipot attackers is to obtain sensitive documents from high-level executives within a variety of target organizations, of which the vast majority have been defense related. Considering the long-running campaign history of the attackers and their previous use of zero-day exploits, future versions of Sykipot that are delivered using another zero day are likely.

Symantec products detect Sykipot Trojan files as Backdoor.Sykipot. Files attempting to exploit the Adobe Acrobat and Reader U3D Memory Corruption Vulnerability (BID 50922) are detected as Bloodhound.Exploit.439, and malicious PDFs trying to create and execute files are proactively detected using SONAR.

Attributing the attack to a particular entity is generally difficult; however, long term campaigns such as this one provide enough traits to give a rudimentary profile of the attackers.

While the back door Trojan itself isn’t very sophisticated or well-coded, the attackers are skilled enough to have discovered multiple zero-day vulnerabilities. Given the long list of command and control servers being used for controlling the botnet, the attackers are unlikely to be a single person, but rather a group of people.

Thus, the Sykipot attackers are likely to be an organized and skilled group of individuals. Given their persistence and their long-running campaigns, the attackers are likely to have consistent funding for their efforts.

Interesting stuff. If anyone else has research on this, send it to me and I’ll include it in upcoming posts.

–Bill Brenner
