Language Selection

English French German Italian Portuguese Spanish

Triple-Barreled Trojan Attack Builds Botnets

Filed under
Security

Anti-virus researchers are sounding the alert for a massive, well-coordinated hacker attack using three different Trojans to hijack PCs and create botnets-for-hire.

The three-pronged attack is being described as "unprecedented" because of the way the Trojans communicate with each other to infect a machine, disable anti-virus software and leave a back door open for future malicious use.

"This is so slick, it's scary," said Roger Thompson, director of malicious content research at Computer Associates International Inc. "It clearly points to a very well-organized group either replenishing existing botnets or creating new ones."

According to Thompson, the wave of attacks start with Win32.Glieder.AK, dubbed Glieder, a Trojan that downloads and executes arbitrary files from a long, hardcoded list of URLs.

Glieder's job is to sneak past anti-virus protection before definition signatures could be created and "seed" the infected machine for future use. At least eight variants of Glieder were unleashed on one day, wreaking havoc across the Internet.

On Windows 2000 and Windows XP machines, Glieder.AK attempts to stop and disable the Internet Connection Firewall and the Security Center service, which was introduced with Windows XP Service Pack 2.

The Trojan then quickly attempts to connect to a list of URLs to download Win32.Fantibag.A (Fantibag) to spawn the second wave of attacks.

With Fantibag on the compromised machine, Thompson said the attackers can ensure that anti-virus and other protection software is shut off. Fantibag exploits networking features to block the infected machine from communicating with anti-virus vendors. The Trojan even blocks access to Microsoft's Windows Update, meaning that victims cannot get help.

Once the shields are down, a third Trojan called Win32.Mitglieder.CT, or Mitglieder, puts the hijacked machine under the complete control of the attacker.

Once the three Trojans are installed, the infected computer becomes part of a botnet and can be used in spam runs, distributed denial-of-service attacks or to log keystrokes and steal sensitive personal information.

A botnet is a collection of compromised machines controlled remotely via IRC (Inter Relay Chat) channels.

According to CA's Thompson, the success of the three-pronged attack could signal the end of signature-based virus protection if Trojans immediately disable all means of protection.

"These guys have worked out that they bypass past signature scanners if they tweak their code and then release it quickly. The idea is to hit hard and spread fast, disarm victims and then exploit them," Thompson said in an interview with Ziff Davis Internet News.

He said he thinks the attack, which used virus code from the Bagle family, is the work of a very small group of organized criminals. "There's no doubt in my mind we are dealing with organized crime. The target is to build a botnet or to add to existing ones. Once the botnets reach a certain mass, they are rented out for malicious use."

Full Story.

More in Tux Machines

Linux Mint Debian Might Not Adopt Systemd

The Linux Mint team has ended 2014 in force with a great Linux Mint 17.1 "Rebecca" release, for both the MATE and Cinnamon desktop, but it looks like the Debian edition is also going to be interesting. Read more

Latest SteamOS Update Brings New NVIDIA and AMD Drivers

SteamOS, a Linux distribution based on Debian and developed by Valve that aims to provide the best gaming experience, has been updated by its makers and a new Beta version has been released. Read more

Your Old Computer Can Live Again with Emmabuntüs 2

Emmabuntüs 2 1.09, a distribution created for reconditioning old computers and relying on the robustness of Xubuntu 12.04.5 LTS, has been released and is now ready for download. The Emmabuntüs developers only use LTS editions of Xubuntu, and that means they actually have two distros out right now that are maintained and improved. We had Emmabuntüs 3 1.0 released a few weeks ago, but that one was using Xubuntu 14.04 LTS as the base. Now, the old branch based on Xubuntu 12.04, Emmabuntüs 2, has been improved as well and the devs have made quite a few changes. Read more

11 years developing Krita

Back in 2003 Krita had never been released and the application was only able to do some very crude painting. I think the main reason that I started contributing to Krita back then was that I was much more comfortable with the single window UI and the fact that it used Qt/KDE and C++. In the early days I would never have imagined that I would be still with the project after 10+ years and how big the project is now. Even that the project exists today is a miracle and result of many developers putting in effort without ever knowing how it would develop. For the first few years we had almost no users and the users that we had were die-hard KDE users. At the time that wasn’t a bad thing as it allowed us to do some radical changes and experiments. Many features that were developed during this time still provide the base for the current Krita. Read more