Language Selection

English French German Italian Portuguese Spanish

Triple-Barreled Trojan Attack Builds Botnets

Filed under
Security

Anti-virus researchers are sounding the alert for a massive, well-coordinated hacker attack using three different Trojans to hijack PCs and create botnets-for-hire.

The three-pronged attack is being described as "unprecedented" because of the way the Trojans communicate with each other to infect a machine, disable anti-virus software and leave a back door open for future malicious use.

"This is so slick, it's scary," said Roger Thompson, director of malicious content research at Computer Associates International Inc. "It clearly points to a very well-organized group either replenishing existing botnets or creating new ones."

According to Thompson, the wave of attacks start with Win32.Glieder.AK, dubbed Glieder, a Trojan that downloads and executes arbitrary files from a long, hardcoded list of URLs.

Glieder's job is to sneak past anti-virus protection before definition signatures could be created and "seed" the infected machine for future use. At least eight variants of Glieder were unleashed on one day, wreaking havoc across the Internet.

On Windows 2000 and Windows XP machines, Glieder.AK attempts to stop and disable the Internet Connection Firewall and the Security Center service, which was introduced with Windows XP Service Pack 2.

The Trojan then quickly attempts to connect to a list of URLs to download Win32.Fantibag.A (Fantibag) to spawn the second wave of attacks.

With Fantibag on the compromised machine, Thompson said the attackers can ensure that anti-virus and other protection software is shut off. Fantibag exploits networking features to block the infected machine from communicating with anti-virus vendors. The Trojan even blocks access to Microsoft's Windows Update, meaning that victims cannot get help.

Once the shields are down, a third Trojan called Win32.Mitglieder.CT, or Mitglieder, puts the hijacked machine under the complete control of the attacker.

Once the three Trojans are installed, the infected computer becomes part of a botnet and can be used in spam runs, distributed denial-of-service attacks or to log keystrokes and steal sensitive personal information.

A botnet is a collection of compromised machines controlled remotely via IRC (Inter Relay Chat) channels.

According to CA's Thompson, the success of the three-pronged attack could signal the end of signature-based virus protection if Trojans immediately disable all means of protection.

"These guys have worked out that they bypass past signature scanners if they tweak their code and then release it quickly. The idea is to hit hard and spread fast, disarm victims and then exploit them," Thompson said in an interview with Ziff Davis Internet News.

He said he thinks the attack, which used virus code from the Bagle family, is the work of a very small group of organized criminals. "There's no doubt in my mind we are dealing with organized crime. The target is to build a botnet or to add to existing ones. Once the botnets reach a certain mass, they are rented out for malicious use."

Full Story.

More in Tux Machines

Events: Video Conferences, Code.gov, and LibreOffice

  • How to video conference without people hating you
    What about an integrated headset and microphone? This totally depends on the type. I tend to prefer the full sound of a real microphone but the boom mics on some of these headsets are quite good. If you have awesome heaphones already you can add a modmic to turn them into headsets. I find that even the most budget dedicated headsets sound better than earbud microphones.
  • Learn about the open source efforts of Code.gov at this event
    The U.S. government has a department looking to spread open source projects, and members will be in Baltimore this week. Code.gov is looking to promote reuse of open source code within the government to cut down on duplicating development work, and spread use of the code throughout the country. On April 26 event at Spark Baltimore, team members from Code.gov, the U.S. Department of Transportation and the Presidential Innovation Fellowship are among those invited to be at a meetup to share more. Held from 12-3 p.m., the event will feature talks from the invited guests about what they’re working on and Federal Source Code Policy, as well as how it can apply locally, said organizing team member Melanie Shimano.
  • LibreOffice Conference 2018 Takes Place in Tirana, Albania, for LibreOffice 6.1
    While working on the next major LibreOffice release, The Document Foundation is also prepping for this year's LibreOffice Conference, which will take place this fall in Albania. The LibreOffice Conference is the perfect opportunity for new and existing LibreOffice developers, users, supporters, and translators, as well as members of the Open Source community to meet up, share their knowledge, and plan the new features of the next major LibreOffice release, in this case LibreOffice 6.1, due in mid August 2018. A call for papers was announced over the weekend as The Document Foundation wants you to submit proposals for topics and tracks, along with a short description of yourself for the upcoming LibreOffice Conference 2018 event, which should be filed no later than June 30, 2018. More details can be found here.
  • LibreOffice Conference Call for Paper
    The Document Foundation invites all members and contributors to submit talks, lectures and workshops for this year’s conference in Tirana (Albania). The event is scheduled for late September, from Wednesday 26 to Friday 28. Whether you are a seasoned presenter or have never spoken in public before, if you have something interesting to share about LibreOffice or the Document Liberation Project, we want to hear from you!

GitLab Web IDE

  • GitLab Web IDE Goes GA and Open-Source in GitLab 10.7
    GitLab Web IDE, aimed to simplify the workflow of accepting merge requests, is generally available in GitLab 10.7, along with other features aimed to improve C++ and Go code security and improve Kubernets integration. The GitLab Web IDE was initially released as a beta in GitLab 10.4 Ultimate with the goal of streamlining the workflow to contribute small fixes and to resolve merge requests without requiring the developer to stash their changes and switch to a new branch locally, then back. This could be of particular interest to developers who have a significant number of PRs to review, as well as to developers starting their journey with Git.
  • GitLab open sources its Web IDE
    GitLab has announced its Web IDE is now generally available and open sourced as part of the GitLab 10.7 release. The Web IDE was first introduced in GitLab Ultimate 10.4. It is designed to enable developers to change multiple files, preview Markdown, review changes and commit directly within a browser. “At GitLab, we want everyone to be able to contribute, whether you are working on your first commit and getting familiar with git, or an experienced developer reviewing a stack of changes. Setting up a local development environment, or needing to stash changes and switch branches locally, can add friction to the development process,” Joshua Lambert, senior product manager of monitoring and distribution at GitLab, wrote in a post.

Record Terminal Activity For Ubuntu 16.04 LTS Server

At times system administrators and developers need to use many, complex and lengthy commands in order to perform a critical task. Most of the users will copy those commands and output generated by those respective commands in a text file for review or future reference. Of course, “history” feature of the shell will help you in getting the list of commands used in the past but it won’t help in getting the output generated for those commands. Read
more

Linux Kernel Maintainer Statistics

As part of preparing my last two talks at LCA on the kernel community, “Burning Down the Castle” and “Maintainers Don’t Scale”, I have looked into how the Kernel’s maintainer structure can be measured. One very interesting approach is looking at the pull request flows, for example done in the LWN article “How 4.4’s patches got to the mainline”. Note that in the linux kernel process, pull requests are only used to submit development from entire subsystems, not individual contributions. What I’m trying to work out here isn’t so much the overall patch flow, but focusing on how maintainers work, and how that’s different in different subsystems. Read more