
Triple-Barreled Trojan Attack Builds Botnets

Filed under
Security

Anti-virus researchers are sounding the alarm over a massive, well-coordinated attack that chains three different Trojans to hijack PCs and build botnets-for-hire.

The three-pronged attack is being described as "unprecedented" because of the way the Trojans communicate with each other to infect a machine, disable anti-virus software and leave a back door open for future malicious use.

"This is so slick, it's scary," said Roger Thompson, director of malicious content research at Computer Associates International Inc. "It clearly points to a very well-organized group either replenishing existing botnets or creating new ones."

According to Thompson, the wave of attacks starts with Win32.Glieder.AK, dubbed Glieder, a Trojan that downloads and executes arbitrary files from a long, hardcoded list of URLs.

Glieder's job is to sneak past anti-virus protection before definition signatures can be created and to "seed" the infected machine for future use. At least eight variants of Glieder were unleashed on a single day, wreaking havoc across the Internet.

On Windows 2000 and Windows XP machines, Glieder.AK attempts to stop and disable the Internet Connection Firewall and the Security Center service, which was introduced with Windows XP Service Pack 2.

The Trojan then quickly attempts to connect to a list of URLs to download Win32.Fantibag.A (Fantibag) to spawn the second wave of attacks.

With Fantibag on the compromised machine, Thompson said, the attackers can ensure that anti-virus and other protection software stays shut off. Fantibag abuses the machine's own networking features to cut it off from anti-virus vendors' sites. The Trojan even blocks access to Microsoft's Windows Update, so victims cannot fetch patches or updated signatures.
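The two disarming steps described above (stopping the firewall and Security Center services, then cutting the host off from update and anti-virus sites) are cheap to check for during triage. The script below is an added example, not code from the article, from CA or from any of the malware families named; the article does not say which "networking feature" Fantibag uses, so the hosts-file check is one commonly abused mechanism chosen here as an assumption, the vendor domain list is illustrative, and the service short names (SharedAccess, wscsvc) are the standard Windows ones assumed for the two services the article names. The hosts file and `sc query` output are constructed samples, not captured data.

```python
"""Triage checks for a Glieder/Fantibag-style "shields down" state on a
Windows 2000/XP host. Added example with constructed inputs; assumptions
are marked in comments."""
import re

# Assumption: illustrative list of anti-virus vendor and Windows Update
# domains whose loss of reachability fits the article's description.
WATCHED_DOMAINS = (
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "ca.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
)

# Services the article says Glieder.AK tries to stop. Short names are the
# standard Windows service names (assumption) as printed by `sc query`.
WATCHED_SERVICES = {
    "SharedAccess": "Internet Connection Firewall / ICS",
    "wscsvc": "Security Center",
}

_SERVICE_NAME = re.compile(r"^\s*SERVICE_NAME:\s*(\S+)", re.IGNORECASE)
_STATE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)", re.IGNORECASE)


def suspicious_hosts_entries(hosts_text: str) -> list[tuple[str, str]]:
    """Return (hostname, ip) pairs that statically pin a watched domain.

    Any hard-coded mapping for a vendor or update domain is suspicious: a
    legitimate hosts file has no reason to contain one, whatever the
    address (loopback, 0.0.0.0 or an attacker-controlled host)."""
    findings = []
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0].strip()      # drop comments
        parts = body.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            lname = name.lower()
            if any(lname == d or lname.endswith("." + d) for d in WATCHED_DOMAINS):
                findings.append((lname, ip))
    return findings


def stopped_protection_services(sc_output: str) -> list[str]:
    """Parse `sc query` style output and return watched services that are
    not in the RUNNING state, in order of appearance."""
    stopped = []
    current = None
    for line in sc_output.splitlines():
        m = _SERVICE_NAME.match(line)
        if m:
            current = m.group(1)
            continue
        m = _STATE.match(line)
        if m and current in WATCHED_SERVICES:
            if m.group(1).upper() != "RUNNING":
                stopped.append(current)
            current = None          # one STATE line per service block
    return stopped


def triage(hosts_text: str, sc_output: str) -> dict:
    """Combine both checks into a single verdict."""
    hosts = suspicious_hosts_entries(hosts_text)
    services = stopped_protection_services(sc_output)
    return {
        "hosts_entries": hosts,
        "stopped_services": services,
        # Both indicators together match the chained behaviour the
        # article describes; either alone still warrants a closer look.
        "shields_down": bool(hosts) and bool(services),
    }


# Constructed sample data (not from a real incident).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       www.symantec.com liveupdate.symantec.com
0.0.0.0         download.mcafee.com   # added by the sample
"""

SAMPLE_SC_QUERY = """
SERVICE_NAME: SharedAccess
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: wscsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED

SERVICE_NAME: Dnscache
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
"""

if __name__ == "__main__":
    report = triage(SAMPLE_HOSTS, SAMPLE_SC_QUERY)
    for name, ip in report["hosts_entries"]:
        print(f"hosts file pins {name} -> {ip}")
    for svc in report["stopped_services"]:
        print(f"{svc} ({WATCHED_SERVICES[svc]}) is not running")
    print("shields down:", report["shields_down"])
```

On a live system the two inputs would come from `%SystemRoot%\System32\drivers\etc\hosts` and from `sc query` run against each watched service; the checks are deliberately read-only so they can be run from a clean boot medium against a suspect disk image.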

Once the shields are down, a third Trojan called Win32.Mitglieder.CT, or Mitglieder, puts the hijacked machine under the complete control of the attacker.

Once the three Trojans are installed, the infected computer becomes part of a botnet and can be used in spam runs, distributed denial-of-service attacks or to log keystrokes and steal sensitive personal information.

A botnet is a collection of compromised machines controlled remotely via IRC (Internet Relay Chat) channels.

According to CA's Thompson, the success of the three-pronged attack could signal the end of signature-based virus protection if Trojans immediately disable all means of protection.

"These guys have worked out that they can bypass signature scanners if they tweak their code and then release it quickly. The idea is to hit hard and spread fast, disarm victims and then exploit them," Thompson said in an interview with Ziff Davis Internet News.

He said he thinks the attack, which used virus code from the Bagle family, is the work of a very small group of organized criminals. "There's no doubt in my mind we are dealing with organized crime. The target is to build a botnet or to add to existing ones. Once the botnets reach a certain mass, they are rented out for malicious use."

Full Story.
