
Triple-Barreled Trojan Attack Builds Botnets


Anti-virus researchers are sounding the alert for a massive, well-coordinated hacker attack using three different Trojans to hijack PCs and create botnets-for-hire.

The three-pronged attack is being described as "unprecedented" because of the way the Trojans communicate with each other to infect a machine, disable anti-virus software and leave a back door open for future malicious use.

"This is so slick, it's scary," said Roger Thompson, director of malicious content research at Computer Associates International Inc. "It clearly points to a very well-organized group either replenishing existing botnets or creating new ones."

According to Thompson, the wave of attacks starts with Win32.Glieder.AK, dubbed Glieder, a Trojan that downloads and executes arbitrary files from a long, hardcoded list of URLs.

Glieder's job is to sneak past anti-virus protection before definition signatures can be created and to "seed" the infected machine for future use. At least eight variants of Glieder were unleashed in a single day, wreaking havoc across the Internet.

On Windows 2000 and Windows XP machines, Glieder.AK attempts to stop and disable the Internet Connection Firewall and the Security Center service, which was introduced with Windows XP Service Pack 2.

The Trojan then quickly attempts to connect to a list of URLs to download Win32.Fantibag.A (Fantibag) to spawn the second wave of attacks.

With Fantibag on the compromised machine, Thompson said the attackers can ensure that anti-virus and other protection software is shut off. Fantibag exploits networking features to block the infected machine from communicating with anti-virus vendors. The Trojan even blocks access to Microsoft's Windows Update, meaning that victims cannot get help.
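The article does not say which networking feature Fantibag abuses to cut the victim off from anti-virus vendors and Windows Update. A common way malware of this kind achieves that is by pinning vendor hostnames to the loopback address in the hosts file, and the defender-side check below is written for that case. It is an added example, not code from the article or from CA; the watched domain list and the hosts-file contents are constructed for illustration.

```python
import ipaddress
import re

# Hypothetical watch list: domains a Fantibag-style blocker would need to
# cut off (anti-virus vendors and Windows Update). Extend for your own vendors.
WATCHED_SUFFIXES = (
    "windowsupdate.com", "windowsupdate.microsoft.com", "update.microsoft.com",
    "ca.com", "symantec.com", "mcafee.com", "trendmicro.com",
    "kaspersky.com", "sophos.com", "f-secure.com",
)

def _is_sinkhole(addr: str) -> bool:
    """True if the address sends traffic nowhere useful (loopback/unspecified)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def find_blocked_security_hosts(hosts_text: str) -> list:
    """Parse hosts-file text and return (line_no, address, hostname) for every
    entry that pins a watched security/update domain to a sinkhole address."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = re.split(r"\s+", line)
        addr, names = fields[0], fields[1:]
        if not _is_sinkhole(addr):
            continue                           # a real address: not a block
        for name in names:
            host = name.lower().rstrip(".")
            if any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
                hits.append((line_no, addr, host))
    return hits

# Constructed sample hosts file: the stock localhost line plus the kind of
# entries a Fantibag-style blocker would add, and one harmless custom entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.windowsupdate.com windowsupdate.microsoft.com
0.0.0.0         liveupdate.symantec.com   # resolves, then silently fails
127.0.0.1       download.mcafee.com
192.168.1.10    fileserver.corp.example
"""

if __name__ == "__main__":
    for line_no, addr, host in find_blocked_security_hosts(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {host} pinned to {addr}")
```

On a real machine, feed it the contents of `%SystemRoot%\System32\drivers\etc\hosts`; any hit is worth investigating alongside the state of the firewall and Security Center services the article mentions.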

Once the shields are down, a third Trojan called Win32.Mitglieder.CT, or Mitglieder, puts the hijacked machine under the complete control of the attacker.

Once the three Trojans are installed, the infected computer becomes part of a botnet and can be used in spam runs, distributed denial-of-service attacks or to log keystrokes and steal sensitive personal information.

A botnet is a collection of compromised machines controlled remotely via IRC (Internet Relay Chat) channels.

According to CA's Thompson, the success of the three-pronged attack could signal the end of signature-based virus protection if Trojans immediately disable all means of protection.

"These guys have worked out that they bypass past signature scanners if they tweak their code and then release it quickly. The idea is to hit hard and spread fast, disarm victims and then exploit them," Thompson said in an interview with Ziff Davis Internet News.

He said he thinks the attack, which used virus code from the Bagle family, is the work of a very small group of organized criminals. "There's no doubt in my mind we are dealing with organized crime. The target is to build a botnet or to add to existing ones. Once the botnets reach a certain mass, they are rented out for malicious use."
