
Triple-Barreled Trojan Attack Builds Botnets

Filed under
Security

Anti-virus researchers are sounding the alert for a massive, well-coordinated hacker attack using three different Trojans to hijack PCs and create botnets-for-hire.

The three-pronged attack is being described as "unprecedented" because of the way the Trojans communicate with each other to infect a machine, disable anti-virus software and leave a back door open for future malicious use.

"This is so slick, it's scary," said Roger Thompson, director of malicious content research at Computer Associates International Inc. "It clearly points to a very well-organized group either replenishing existing botnets or creating new ones."

According to Thompson, the wave of attacks starts with Win32.Glieder.AK, dubbed Glieder, a Trojan that downloads and executes arbitrary files from a long, hardcoded list of URLs.

Glieder's job is to sneak past anti-virus protection before definition signatures can be created and "seed" the infected machine for future use. At least eight variants of Glieder were unleashed on a single day, wreaking havoc across the Internet.

On Windows 2000 and Windows XP machines, Glieder.AK attempts to stop and disable the Internet Connection Firewall and the Security Center service, which was introduced with Windows XP Service Pack 2.

The Trojan then quickly attempts to connect to a list of URLs to download Win32.Fantibag.A (Fantibag) to spawn the second wave of attacks.

With Fantibag on the compromised machine, Thompson said the attackers can ensure that anti-virus and other protection software is shut off. Fantibag exploits networking features to block the infected machine from communicating with anti-virus vendors. The Trojan even blocks access to Microsoft's Windows Update, meaning that victims cannot get help.
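A host check written for this article as an added example (it is not CA's detection logic): it reads a constructed service-state dump and a constructed hosts file and flags the two symptoms described above, the Security Center (wscsvc) and Windows Firewall/ICS (SharedAccess) services being stopped or disabled, and anti-virus vendor or Windows Update names pinned in the hosts file. The hosts-file vector and the domain list are assumptions; the article only says Fantibag uses "networking features".

```python
import re
from dataclasses import dataclass

# Windows service names: Security Center (wscsvc) and the XP SP2
# Windows Firewall / Internet Connection Sharing service (SharedAccess).
PROTECTION_SERVICES = {"wscsvc": "Security Center", "SharedAccess": "Windows Firewall/ICS"}

# Assumed list of names a clean host must be able to resolve normally.
PROTECTED_DOMAINS = ("windowsupdate.com", "update.microsoft.com", "ca.com", "symantec.com")

# Constructed inputs: an infected host with both services off and two names sinkholed.
SAMPLE_SERVICES = """\
wscsvc: STOPPED DISABLED
SharedAccess: STOPPED DISABLED
Spooler: RUNNING AUTO
"""
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 windowsupdate.com   # constructed: update site pinned to loopback
127.0.0.1 www.ca.com
"""

@dataclass
class Finding:
    kind: str    # "service" or "hosts"
    detail: str

def parse_service_dump(text):
    """Parse constructed lines of the form 'NAME: STATE START_TYPE' into a dict."""
    states = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s*:\s*(\w+)\s+(\w+)", line)
        if m:
            states[m.group(1)] = (m.group(2).upper(), m.group(3).upper())
    return states

def check_services(states):
    """Flag any protection service that is not running or has been set to disabled."""
    findings = []
    for name, label in PROTECTION_SERVICES.items():
        state, start = states.get(name, ("MISSING", "MISSING"))
        if state != "RUNNING" or start == "DISABLED":
            findings.append(Finding("service", f"{label} ({name}) is {state}, start type {start}"))
    return findings

def check_hosts(hosts_text):
    """Flag hosts-file entries that pin a protected domain (or a subdomain) to any address."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for host in names:
            if any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS):
                findings.append(Finding("hosts", f"{host} pinned to {addr}"))
    return findings

def assess(services_text, hosts_text):
    """Combine both checks; a non-empty result means the host shows Fantibag-style tampering."""
    return check_services(parse_service_dump(services_text)) + check_hosts(hosts_text)
```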

Once the shields are down, a third Trojan called Win32.Mitglieder.CT, or Mitglieder, puts the hijacked machine under the complete control of the attacker.

Once the three Trojans are installed, the infected computer becomes part of a botnet and can be used in spam runs, distributed denial-of-service attacks or to log keystrokes and steal sensitive personal information.

A botnet is a collection of compromised machines controlled remotely via IRC (Internet Relay Chat) channels.

According to CA's Thompson, the success of the three-pronged attack could signal the end of signature-based virus protection if Trojans immediately disable all means of protection.

"These guys have worked out that they bypass past signature scanners if they tweak their code and then release it quickly. The idea is to hit hard and spread fast, disarm victims and then exploit them," Thompson said in an interview with Ziff Davis Internet News.

He said he thinks the attack, which used virus code from the Bagle family, is the work of a very small group of organized criminals. "There's no doubt in my mind we are dealing with organized crime. The target is to build a botnet or to add to existing ones. Once the botnets reach a certain mass, they are rented out for malicious use."
