
Triple-Barreled Trojan Attack Builds Botnets

Filed under
Security

Anti-virus researchers are sounding the alert for a massive, well-coordinated hacker attack using three different Trojans to hijack PCs and create botnets-for-hire.

The three-pronged attack is being described as "unprecedented" because of the way the Trojans communicate with each other to infect a machine, disable anti-virus software and leave a back door open for future malicious use.

"This is so slick, it's scary," said Roger Thompson, director of malicious content research at Computer Associates International Inc. "It clearly points to a very well-organized group either replenishing existing botnets or creating new ones."

According to Thompson, the wave of attacks starts with Win32.Glieder.AK, dubbed Glieder, a Trojan that downloads and executes arbitrary files from a long, hard-coded list of URLs.

Glieder's job is to sneak past anti-virus protection before definition signatures can be created and "seed" the infected machine for future use. At least eight variants of Glieder were unleashed on a single day, wreaking havoc across the Internet.

On Windows 2000 and Windows XP machines, Glieder.AK attempts to stop and disable the Internet Connection Firewall and the Security Center service, which was introduced with Windows XP Service Pack 2.

The Trojan then quickly attempts to connect to a list of URLs to download Win32.Fantibag.A (Fantibag) to spawn the second wave of attacks.

With Fantibag on the compromised machine, Thompson said the attackers can ensure that anti-virus and other protection software is shut off. Fantibag exploits networking features to block the infected machine from communicating with anti-virus vendors. The Trojan even blocks access to Microsoft's Windows Update, meaning that victims cannot get help.

Once the shields are down, a third Trojan called Win32.Mitglieder.CT, or Mitglieder, puts the hijacked machine under the complete control of the attacker.

Once the three Trojans are installed, the infected computer becomes part of a botnet and can be used in spam runs, distributed denial-of-service attacks or to log keystrokes and steal sensitive personal information.

A botnet is a collection of compromised machines controlled remotely via IRC (Internet Relay Chat) channels.

According to CA's Thompson, the success of the three-pronged attack could signal the end of signature-based virus protection if Trojans immediately disable all means of protection.

"These guys have worked out that they bypass past signature scanners if they tweak their code and then release it quickly. The idea is to hit hard and spread fast, disarm victims and then exploit them," Thompson said in an interview with Ziff Davis Internet News.

He said he thinks the attack, which used virus code from the Bagle family, is the work of a very small group of organized criminals. "There's no doubt in my mind we are dealing with organized crime. The target is to build a botnet or to add to existing ones. Once the botnets reach a certain mass, they are rented out for malicious use."


More in Tux Machines

This Script Updates Hosts Files Using a Multi-Source Unified Block List With Whitelisting

If you ever tinker with your hosts file, you should try running this script to automatically keep the file updated with the latest known ad servers, phishing sites and other web scum.
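Added example, not code from the article above or from the hosts-file script it links to: a defender-side audit of a hosts file that flags any mapping for a Windows Update or anti-virus vendor name. It serves two passages on this page: the Fantibag behaviour of cutting a victim off from anti-virus vendors and Windows Update, and sanity-checking a multi-source block list before it is written to the hosts file. It assumes the blocking is done through hosts-file entries (the article only says "networking features"); the protected-domain list and the sample file are constructed for the example.

```python
import ipaddress

# Names that should never be mapped in a healthy hosts file: Windows Update
# endpoints and anti-virus vendor sites. Illustrative list assumed for this
# example; extend it with the vendors the machine actually depends on.
PROTECTED_SUFFIXES = ("windowsupdate.com", "windowsupdate.microsoft.com",
                      "update.microsoft.com", "ca.com")

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an address, so not a mapping
        for name in names:
            yield ip, name.lower().rstrip("."), line_no

def is_protected(hostname):
    """True when hostname is, or sits under, one of the protected domains."""
    return any(hostname == s or hostname.endswith("." + s) for s in PROTECTED_SUFFIXES)

def audit_hosts(text):
    """Return one finding per mapping that sinkholes or redirects a protected name."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if is_protected(name):
            addr = ipaddress.ip_address(ip)
            # loopback / 0.0.0.0 silently blackholes the name; anything else
            # sends the traffic to a host the attacker chose
            kind = "sinkhole" if addr.is_loopback or addr.is_unspecified else "redirect"
            findings.append({"line": line_no, "host": name, "ip": ip, "kind": kind})
    return findings

# Constructed sample: a normal localhost line, a legitimate block-list entry,
# and two tampered lines of the kind a Fantibag-style Trojan would need to add
# if it used the hosts file to block the update and vendor channels.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
0.0.0.0     ads.example-adserver.test    # block-list entry, fine
127.0.0.1   windowsupdate.microsoft.com  # update channel sinkholed
192.0.2.10  www.ca.com                   # vendor site redirected elsewhere
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

Run it against a copy of the real hosts file (or against a freshly merged block list before installing it); any finding means a name the machine needs for updates or vendor contact has been hijacked or accidentally blocked.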


via DMT/Linux Blog

today's leftovers

  • FLOSS Weekly 417: OpenHMD
    Fredrik Hultin is the Co-founder of the OpenHMD project (together with Jakob Bornecrantz). OpenHMD aims to provide a Free and Open Source API and drivers for immersive technology, such as head-mounted displays with built-in head tracking. The project's aim is to implement support for as many devices as possible in a portable, cross-platform package.
  • My next EP will be released as a corrupted GPT image
    Endless OS is distributed as a compressed disk image, so you just write it to disk to install it. On first boot, it resizes itself to fill the whole disk. So, to “install” it to a file we decompress the image file, then extend it to the desired length. When booting, in principle we want to loopback-mount the image file and treat that as the root device. But there’s a problem: NTFS-3G, the most mature NTFS implementation for Linux, runs in userspace using FUSE. There are some practical problems arranging for the userspace processes to survive the transition out of the initramfs, but the bigger problem is that accessing a loopback-mounted image on an NTFS partition is slow, presumably because every disk access has an extra round-trip to userspace and back. Is there some way we can avoid this performance penalty?
  • This week in GTK+ – 31
    In this last week, the master branch of GTK+ has seen 52 commits, with 10254 lines added and 9466 lines removed.
  • Digest of Fedora 25 Reviews
    Fedora 25 has been out for 2 months and it seems like a very solid release, maybe the best in the history of the distro. And feedback from the press and users has also been very positive.
  • Monday's security updates
  • What does security and USB-C have in common?
    I've decided to create yet another security analogy! You can’t tell, but I’m very excited to do this. One of my long-standing complaints about security is there are basically no good analogies that make sense. We always try to talk about auto safety, or food safety, or maybe building security, how about pollution. There’s always some sort of existing real world scenario we try to warp and twist in a way so we can tell a security story that makes sense. So far they’ve all failed. The analogy always starts out strong, then something happens that makes everything fall apart. I imagine a big part of this is because security is really new, but it’s also really hard to understand. It’s just not something humans are good at understanding. [...] The TL;DR is essentially the world of USB-C cables is sort of a modern day wild west. There’s no way to really tell which ones are good and which ones are bad, so there are some people who test the cables. It’s nothing official, they’re basically volunteers doing this in their free time. Their feedback is literally the only real way to decide which cables are good and which are bad. That’s sort of crazy if you think about it.
  • NuTyX 8.2.93 released
  • Linux Top 3: Parted Magic, Quirky and Ultimate Edition
    Parted Magic is a very niche Linux distribution that many users first discover when they're trying to either re-partition a drive or recover data from an older system. The new Parted Magic 2017_01_08 release is an incremental update that follows the very large 2016_10_18 update that provided 800 updates.
  • How To Use Google Translate From Commandline In Linux
  • How to debug C programs in Linux using gdb
  • Use Docker remotely on Atomic Host
  • Ubuntu isn’t the only version of Linux that can run on Windows 10
  • OpenSUSE Linux lands on Windows 10
  • How to run openSUSE Leap 42.2 or SUSE Linux Enterprise Server 12 on Windows 10

Leftovers: Software and Games

Hardware With Linux

  • Raspberry Pi's new computer for industrial applications goes on sale
    The new Raspberry Pi single-board computer is smaller and cheaper than the last, but its makers aren’t expecting the same rush of buyers that previous models have seen. The Raspberry Pi Compute Module 3 will be more of a “slow burn,” than last year’s Raspberry Pi 3, its creator Eben Upton predicted. That’s because it’s designed not for school and home use but for industrial applications. To make use of it, buyers will first need to design a product with a slot on the circuit board to accommodate it and that, he said, will take time.
  • ZeroPhone — An Open Source, Dirt Cheap, Linux-powered Smartphone Is Here
    ZeroPhone is an open source smartphone that’s powered by Raspberry Pi Zero. It runs on Linux and you can make one for yourself using parts worth $50. One can use it to make calls and send SMS, run apps, and do pentesting. Soon, the phone’s crowdfunding is also expected to go live.
  • MSI X99A RAIDER Plays Fine With Linux
    This shouldn't be a big surprise though given the Intel X99 chipset is now rather mature and in the past I've successfully tested the MSI X99A WORKSTATION and X99S SLI PLUS motherboards on Linux. The X99A RAIDER is lower cost than these other MSI X99 motherboards I've tested, which led me in its direction, and then sticking with MSI due to the success with these other boards and MSI being a supporter of Phoronix and encouraging our Linux hardware testing compared to some other vendors.
  • First 3.5-inch Kaby Lake SBC reaches market
    Axiomtek’s 3.5-inch CAPA500 SBC taps LGA1151-ready CPUs from Intel’s 7th and 6th Generations, and offers PCIe, dual GbE, and optional “ZIO” expansion. Axiomtek’s CAPA500 is the first 3.5-inch form-factor SBC that we’ve seen that supports Intel’s latest 7th Generation “Kaby Lake” processors. Kaby Lake is similar enough to the 6th Gen “Skylake” family, sharing 14nm fabrication, Intel Gen 9 Graphics, and other features, to enable the CAPA500 to support both 7th and 6th Gen Core i7/i5/i3 CPUs as long as they use an LGA1151 socket. Advantech’s Kaby Lake based AIMB-205 Mini-ITX board supports the same socket. The CAPA500 ships with an Intel H110 chipset, and a Q170 is optional.