
Having had some free time during Training (oops! did I say that out loud..? ;-) I was checking some of the latest news via Bloglines and came across this piece from AppSense's Security Blog. I have copied the contents in full here because this would appear to be a new escalation in how far the Black Hatters will go to potentially "Own" your device - very worrying news if this is merely the start of a trend?

Original Post
In the usual confusing way of the antivirus industry it has been given different names by virtually everyone involved, with a large number simply giving it a generic name such as Trojan/Spambot, or the equally helpful Generic.Backdoor.I. Although it is hard to believe, it seems there are now so many new bits of slightly reworked malware being discovered that the researchers don’t bother giving them meaningful names anymore.  We tend to believe that this one deserved a lot more attention.

It does do most of the usual things. It uses the Run key in the registry to restart after a reboot, for example, and rewrites the HOSTS file to prevent antivirus updates. Some of the skill in the production of this Trojan is illustrated by its control mechanism. It attaches to a central server to download templates for use in the construction of the spam mails. These templates are strongly encrypted using the AES algorithm to prevent rivals making use of them, with the instructions as to what the spam mail should contain being sent from another server in a different location. The Trojans themselves communicate with each other using a peer-to-peer protocol, sharing information such as the addresses of the control server, the template servers, and a peer list. This combination of central control and peer-to-peer communications means that the botnet is very resilient. If the central server or the template server is offline or is detected and taken off the Internet, the botnet-herder can still pass the location of new servers through the peer-to-peer network.

The most interesting thing about this spam bot, however, is that it is the first example which comes complete with its own antivirus system. Previous examples of financially motivated malware are known to attack their rivals and we have already mentioned using the HOSTS file to protect itself against a local antivirus client receiving new updates. This bot downloads a pirated copy of Kaspersky antivirus client, patches it to avoid it checking for the required license and scans the machine to remove any other backdoors. It does of course exclude its own files from the scan.

After examining this Bot, one researcher commented that its "complexity and scope . . . . rivals some commercial software." The level of functionality in this application, for make no mistake a full application is exactly what we are discussing, is a further indication of the level of time and funding now being used for development. If more proof were needed, this also shows how much we need to change the landscape of security techniques.
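Of the behaviours described in the post, the HOSTS-file rewrite that starves the local antivirus of updates and the Run-key persistence are the two an incident responder can triage quickest on an endpoint. The script below is an added example, not code from the AppSense post nor from the analysis it summarises: it parses a HOSTS file and flags vendor update hosts that have been sinkholed or pinned, and it sifts a set of Run-key values for executables launched from user-writable scratch directories. The vendor domain list, the sample HOSTS entries and the sample Run-key values are constructed for illustration; a real deployment would load the vendors' published update hostnames and read the Run keys from the registry.

```python
"""Endpoint triage for two spambot behaviours: HOSTS-file update blocking
and Run-key persistence. Added example; all sample data is constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Vendor update/download domains that update-blocking malware typically
# sinkholes. Constructed, illustrative list (assumption, not an official
# vendor inventory); subdomains of each entry are matched too.
AV_UPDATE_DOMAINS = {
    "kaspersky.com",
    "symantec.com",
    "symantecliveupdate.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "mcafee.com",
    "sophos.com",
    "trendmicro.com",
}

# Path fragments a legitimate autorun rarely launches from; dropped malware
# usually lives somewhere the user can write without elevation.
SUSPICIOUS_PATH_FRAGMENTS = (
    "\\temp\\",
    "\\users\\public\\",
    "\\recycler\\",
    "%temp%",
)


@dataclass(frozen=True)
class HostsFinding:
    line_no: int
    ip: str
    hostname: str
    reason: str


def _matches_vendor(hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in AV_UPDATE_DOMAINS)


def analyze_hosts(text: str) -> list[HostsFinding]:
    """Return HOSTS entries that map a vendor update host to loopback or
    0.0.0.0 (sinkholed, so updates silently fail) or to any fixed address
    (pinned, which is still worth a look because update hosts are normally
    resolved through DNS, not HOSTS)."""
    findings: list[HostsFinding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        ip_text, *names = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append(HostsFinding(line_no, ip_text, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if name.lower() == "localhost" or not _matches_vendor(name):
                continue
            if ip.is_loopback or ip.is_unspecified:
                reason = "update host sinkholed to loopback/unspecified address"
            else:
                reason = "update host pinned to fixed address"
            findings.append(HostsFinding(line_no, ip_text, name, reason))
    return findings


def suspicious_run_entries(entries: dict[str, str]) -> dict[str, str]:
    """Given {value_name: command} pairs from HKLM/HKCU ...\\CurrentVersion\\Run,
    return those whose command runs from a scratch directory or uses %TEMP%."""
    return {
        name: cmd
        for name, cmd in entries.items()
        if any(frag in cmd.lower() for frag in SUSPICIOUS_PATH_FRAGMENTS)
    }


# Constructed sample data, not captured from an infected machine.
SAMPLE_HOSTS = """# hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.1       downloads.kaspersky.com
0.0.0.0         liveupdate.symantecliveupdate.com
127.0.0.1       update.microsoft.com
10.1.2.3        intranet.example.local
"""

SAMPLE_RUN = {
    "OneDrive": r"C:\Users\dave\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "svchost": r"C:\Users\dave\AppData\Local\Temp\svchost.exe",
    "Updater": r"%TEMP%\upd.exe",
}

if __name__ == "__main__":
    for f in analyze_hosts(SAMPLE_HOSTS):
        print(f"HOSTS line {f.line_no}: {f.ip} {f.hostname} -> {f.reason}")
    for name, cmd in suspicious_run_entries(SAMPLE_RUN).items():
        print(f"Run value {name!r} launches {cmd}")
```

On a live Windows host the HOSTS text comes from `%SystemRoot%\System32\drivers\etc\hosts` and the Run values from the two `CurrentVersion\Run` keys; both checks are read-only, so they are safe to run before deciding whether to image the machine. A sinkholed vendor host is a strong indicator on its own, whereas a pinned address may be a legitimate internal update mirror and should be confirmed with the administrator.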

Posted on Wednesday, November 1, 2006 1:48 AM | Categories: Citrix, IT Management, Microsoft Tips, Security

Comments on this post: From AppSense's Security Blog - Possibly the Most Sophisticated Malware Ever ....??

No comments posted yet.

Copyright © Dave Caddick