Language Selection

English French German Italian Portuguese Spanish

Triple-Barreled Trojan Attack Builds Botnets

Filed under
Security

Anti-virus researchers are sounding the alert for a massive, well-coordinated hacker attack using three different Trojans to hijack PCs and create botnets-for-hire.

The three-pronged attack is being described as "unprecedented" because of the way the Trojans communicate with each other to infect a machine, disable anti-virus software and leave a back door open for future malicious use.

"This is so slick, it's scary," said Roger Thompson, director of malicious content research at Computer Associates International Inc. "It clearly points to a very well-organized group either replenishing existing botnets or creating new ones."

According to Thompson, the wave of attacks start with Win32.Glieder.AK, dubbed Glieder, a Trojan that downloads and executes arbitrary files from a long, hardcoded list of URLs.

Glieder's job is to sneak past anti-virus protection before definition signatures could be created and "seed" the infected machine for future use. At least eight variants of Glieder were unleashed on one day, wreaking havoc across the Internet.

On Windows 2000 and Windows XP machines, Glieder.AK attempts to stop and disable the Internet Connection Firewall and the Security Center service, which was introduced with Windows XP Service Pack 2.

The Trojan then quickly attempts to connect to a list of URLs to download Win32.Fantibag.A (Fantibag) to spawn the second wave of attacks.

With Fantibag on the compromised machine, Thompson said the attackers can ensure that anti-virus and other protection software is shut off. Fantibag exploits networking features to block the infected machine from communicating with anti-virus vendors. The Trojan even blocks access to Microsoft's Windows Update, meaning that victims cannot get help.

Once the shields are down, a third Trojan called Win32.Mitglieder.CT, or Mitglieder, puts the hijacked machine under the complete control of the attacker.

Once the three Trojans are installed, the infected computer becomes part of a botnet and can be used in spam runs, distributed denial-of-service attacks or to log keystrokes and steal sensitive personal information.

A botnet is a collection of compromised machines controlled remotely via IRC (Inter Relay Chat) channels.

According to CA's Thompson, the success of the three-pronged attack could signal the end of signature-based virus protection if Trojans immediately disable all means of protection.

"These guys have worked out that they bypass past signature scanners if they tweak their code and then release it quickly. The idea is to hit hard and spread fast, disarm victims and then exploit them," Thompson said in an interview with Ziff Davis Internet News.

He said he thinks the attack, which used virus code from the Bagle family, is the work of a very small group of organized criminals. "There's no doubt in my mind we are dealing with organized crime. The target is to build a botnet or to add to existing ones. Once the botnets reach a certain mass, they are rented out for malicious use."

Full Story.

More in Tux Machines

Red Hat News

  • Red Hat's Results Underscore its Growing Focus on OpenStack
    Late last week, Red Hat reported earnings per share of 55 cents on revenue of $600 million, beating estimates of 54 cents and $590 million, respectively. One thing that went unsaid across much of the coverage is that the company is in the midst of a major shift in its strategy toward OpenStack-based cloud computing, and it looks like service revenues and positive momentum from that effort are starting to arrive. "Our growth was driven in part by expanding our footprint with customers as we closed a record number of deals over $1 million, up approximately 60 percent year-over-year," Red Hat CEO Jim Whitehurst said during his company's earnings call. Seven of the top 30 deals had OpenStack in there, nine had RHEV," Whitehurst said. "We had three OpenStack deals alone that were over $1 million. So I think we're seeing really, really, really good traction there."
  • Red Hat targets $5-b revenue in five years
    Open-source technology firm Red Hat Inc, which hit the $2-billion revenue milestone two quarters ago, is looking to achieve $2.4 billion in FY 2017 and $5 billion in the next five years. The company is betting on India, its second largest operation outside the US, as one of the key growth engines to help achieve its aspirational revenue goal of $5 billion by 2021. “India is a bright spot for Red Hat for three reasons,” Rajesh Rege, Managing Director, Red Hat India, told BusinessLine.
  • Red Hat Announces Ansible Tower App for Splunk, Enabling Intelligence and Automation Enhancements
  • Red Hat’s (RHT) “Outperform” Rating Reiterated at Raymond James Financial Inc.
  • Red Hat Inc. (RHT) PT Raised to $89.00

pump.io Servers Adoption

  • Adopt a pump.io server
    As most of you know, E14N is no longer my main job, and I've been putting my personal time, energy, and money into keeping the pump network up and running. I haven't always done a good job, and some of the nodes have just fallen off the network. I'd like to ask people in the community to start taking over the maintenance and upkeep of these servers.
  • Prodromou: Adopt a pump.io server
    There are currently around 25 servers in the federated network initially started by Prodromou, which does not count other pump.io instances. He notes that one important exception is the identi.ca site, which is significantly larger than the rest, and which he would like to find a trusted non-profit organization to maintain.

Black Lab Linux 8 Beta 3 Released

The development team is pleased to announce the new Beta release of Black Lab Linux 8 – our latest OS offering to bring the best Linux desktop distribution currently on the market. This release moves the kernel and application set away from the prior LTS 14.04 base to the new 16.04 LTS base. Black Lab Linux 8 will showcase 3 desktop environments : MATE, LXDE and GNOME 3. Other improvements include: Full EFI support Kernel 4.4.0-38 LibreOffice 5.2 GNOME Video Rhythmbox Firefox 49 Thunderbird GIMP Full multimedia codec support Read more

Intel Core i7 6800K Benchmarks On Ubuntu + Linux 4.8

While the Core i7 6800K has been available for a few months now, there hadn't been any review on it since Intel hadn't sent out any Broadwell-E samples for Linux testing this time around. However, I did end up finally buying a Core i7 6800K now that the Turbo Boost Max 3.0 support is finally coming together (at first, Intel PR said it wouldn't even be supported on Linux) so that I can run some benchmarks there plus some other interesting items on the horizon for benchmarking. Here are some benchmarks of the i7-6800K from Ubuntu 16.04 LTS with the Linux 4.8 kernel. Read more