Triple-Barreled Trojan Attack Builds Botnets

Filed under
Security

Anti-virus researchers are sounding the alert for a massive, well-coordinated hacker attack using three different Trojans to hijack PCs and create botnets-for-hire.

The three-pronged attack is being described as "unprecedented" because of the way the Trojans communicate with each other to infect a machine, disable anti-virus software and leave a back door open for future malicious use.

"This is so slick, it's scary," said Roger Thompson, director of malicious content research at Computer Associates International Inc. "It clearly points to a very well-organized group either replenishing existing botnets or creating new ones."

According to Thompson, the wave of attacks starts with Win32.Glieder.AK, dubbed Glieder, a Trojan that downloads and executes arbitrary files from a long, hardcoded list of URLs.

Glieder's job is to sneak past anti-virus protection before definition signatures can be created and to "seed" the infected machine for future use. At least eight variants of Glieder were unleashed in a single day, wreaking havoc across the Internet.

On Windows 2000 and Windows XP machines, Glieder.AK attempts to stop and disable the Internet Connection Firewall and the Security Center service, which was introduced with Windows XP Service Pack 2.

The Trojan then quickly attempts to connect to a list of URLs to download Win32.Fantibag.A (Fantibag) to spawn the second wave of attacks.

With Fantibag on the compromised machine, Thompson said the attackers can ensure that anti-virus and other protection software is shut off. Fantibag exploits networking features to block the infected machine from communicating with anti-virus vendors. The Trojan even blocks access to Microsoft's Windows Update, meaning that victims cannot get help.
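The blocking described above, seen from the defender's side, as an added example that is not from the article or from CA's analysis: a check over a local hosts file for security-vendor and update hostnames that have been pointed at a non-routable address. The article does not say how Fantibag does the blocking; hosts-file redirection is one common mechanism, and the vendor suffix list and the sample hosts file here are constructed.

```python
"""Flag hosts-file entries that sink security-vendor or update hostnames.

Added example, not from the article. Redirecting vendor hostnames in the
local hosts file is one common way malware keeps a machine from reaching
anti-virus updates; the watchlist and sample data below are constructed.
"""
import ipaddress

# Constructed watchlist of name suffixes that should never be overridden
# locally on a healthy machine (assumption, not from the article).
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "symantec.com",
    "mcafee.com",
    "ca.com",
    "sophos.com",
)

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline and full-line comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower().rstrip(".")

def is_watched(hostname):
    """True if hostname equals or is a subdomain of a watched suffix."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)

def is_sinkhole(ip):
    """True if the address cannot be the real service: loopback, 0.0.0.0,
    private/reserved ranges, or a malformed address that breaks resolution.
    Redirection to a third-party public address is not caught here."""
    try:
        return not ipaddress.ip_address(ip).is_global
    except ValueError:
        return True

def find_blocked(text):
    """Return sorted watched hostnames that the hosts file points at a sinkhole."""
    return sorted({name for ip, name in parse_hosts(text)
                   if is_watched(name) and is_sinkhole(ip)})

# Constructed sample: one default entry, one internal entry, three sinkholed hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com   # not a default entry
0.0.0.0         windowsupdate.microsoft.com
192.0.2.10      intranet.example   # legitimate internal override
"""

if __name__ == "__main__":
    for host in find_blocked(SAMPLE_HOSTS):
        print("BLOCKED:", host)
```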

Once the shields are down, a third Trojan called Win32.Mitglieder.CT, or Mitglieder, puts the hijacked machine under the complete control of the attacker.

Once the three Trojans are installed, the infected computer becomes part of a botnet and can be used in spam runs, distributed denial-of-service attacks or to log keystrokes and steal sensitive personal information.

A botnet is a collection of compromised machines controlled remotely via IRC (Internet Relay Chat) channels.

According to CA's Thompson, the success of the three-pronged attack could signal the end of signature-based virus protection if Trojans immediately disable all means of protection.

"These guys have worked out that they bypass signature scanners if they tweak their code and then release it quickly. The idea is to hit hard and spread fast, disarm victims and then exploit them," Thompson said in an interview with Ziff Davis Internet News.

He said he thinks the attack, which used virus code from the Bagle family, is the work of a very small group of organized criminals. "There's no doubt in my mind we are dealing with organized crime. The target is to build a botnet or to add to existing ones. Once the botnets reach a certain mass, they are rented out for malicious use."
