
Triple-Barreled Trojan Attack Builds Botnets

Filed under
Security

Anti-virus researchers are sounding the alert for a massive, well-coordinated hacker attack using three different Trojans to hijack PCs and create botnets-for-hire.

The three-pronged attack is being described as "unprecedented" because of the way the Trojans communicate with each other to infect a machine, disable anti-virus software and leave a back door open for future malicious use.

"This is so slick, it's scary," said Roger Thompson, director of malicious content research at Computer Associates International Inc. "It clearly points to a very well-organized group either replenishing existing botnets or creating new ones."

According to Thompson, the wave of attacks starts with Win32.Glieder.AK, dubbed Glieder, a Trojan that downloads and executes arbitrary files from a long, hardcoded list of URLs.

Glieder's job is to slip past anti-virus protection before definition signatures can be created and to "seed" the infected machine for future use. At least eight variants of Glieder were released on a single day, so that each new variant was already spreading before scanners had a signature for the previous one.

On Windows 2000 and Windows XP machines, Glieder.AK attempts to stop and disable the Internet Connection Firewall and the Security Center service (the SharedAccess and wscsvc services respectively; Security Center was introduced with Windows XP Service Pack 2), so the operating system no longer warns the user that the firewall or anti-virus is off.

The Trojan then quickly tries each URL on its list until it can download Win32.Fantibag.A (Fantibag), which starts the second wave of the attack.

With Fantibag on the compromised machine, Thompson said, the attackers can make sure that anti-virus and other protection software stays off. Fantibag manipulates the machine's networking configuration to stop it from reaching anti-virus vendors' servers, so existing scanners cannot fetch new signatures. The Trojan also blocks access to Microsoft's Windows Update, so victims cannot patch the machine or pull down updated protection.
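The blocking step described above can be checked for from the victim side. The Python below is an added example, not code from the article or from Computer Associates: it assumes the blocking was done by poisoning the Windows hosts file (%SystemRoot%\System32\drivers\etc\hosts), one common way malware of that era cut a machine off from anti-virus and update servers, whereas the article itself says only that Fantibag "exploits networking features". The watchlist of vendor and update domains and the sample hosts file are constructed for the example; the parser handles comments, tabs, several hostnames on one line and IPv6 entries, and skips malformed lines instead of raising.

```python
"""Audit a Windows hosts file for entries that silence anti-virus vendors
or Windows Update (added example; hosts-file poisoning is an assumption)."""
import ipaddress
from dataclasses import dataclass

# Illustrative watchlist, not taken from the article. Matching is by DNS
# suffix, so "liveupdate.symantecliveupdate.com" matches "symantecliveupdate.com".
WATCHED_SUFFIXES = (
    "windowsupdate.com", "windowsupdate.microsoft.com", "update.microsoft.com",
    "download.microsoft.com", "symantec.com", "symantecliveupdate.com",
    "mcafee.com", "kaspersky.com", "sophos.com", "trendmicro.com",
    "f-secure.com", "ca.com", "avp.com",
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    hostname: str
    address: str
    reason: str


def _watched(hostname: str) -> bool:
    """True if hostname equals, or is a subdomain of, a watched suffix."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text.

    Whole-line and trailing '#' comments are stripped, whitespace may be
    tabs or spaces, one address may be followed by several hostnames, and
    a line whose first field is not an IPv4/IPv6 address is skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: ignore rather than abort the audit
        for name in parts[1:]:
            yield n, str(addr), name


def audit_hosts(text: str) -> list:
    """Return a Finding for every watched hostname pinned in the hosts file.

    A legitimate hosts file has no reason to mention these domains at all,
    so any entry is reported; loopback/0.0.0.0 targets (the classic
    sinkhole) are distinguished from redirection to some other address."""
    findings = []
    for n, addr, name in parse_hosts(text):
        if not _watched(name):
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            reason = "security/update host sinkholed to local address"
        else:
            reason = "security/update host pinned to arbitrary address"
        findings.append(Finding(n, name.lower(), addr, reason))
    return findings


# Constructed sample: the first three lines are what a clean file looks like,
# the rest imitate the kind of entries a hijacking Trojan would append.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- entries below are constructed to look like hijacking ---
127.0.0.1   windowsupdate.microsoft.com  update.microsoft.com
0.0.0.0 liveupdate.symantecliveupdate.com # silence LiveUpdate
127.0.0.1\tdownload.mcafee.com
10.0.0.5    kaspersky.com
not-an-ip   www.sophos.com
192.168.1.10 intranet.example.local
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address}: {f.reason}")
```

On a real machine, pass the contents of the hosts file to `audit_hosts`; an empty result does not prove the machine is clean (the malware may have used a different mechanism, such as filtering the traffic itself), but a non-empty one is a strong indicator that something has deliberately cut the host off from its protection.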

Once the shields are down, a third Trojan called Win32.Mitglieder.CT, or Mitglieder, puts the hijacked machine under the complete control of the attacker.

Once the three Trojans are installed, the infected computer becomes part of a botnet and can be used in spam runs, distributed denial-of-service attacks or to log keystrokes and steal sensitive personal information.

A botnet is a collection of compromised machines controlled remotely, in this case via IRC (Internet Relay Chat) channels, to which each infected machine connects and waits for commands.

According to CA's Thompson, the success of the three-pronged attack could signal the end of signature-based virus protection on its own: a signature is useless if a new variant disables the scanner, and its ability to update, before that signature exists.

"These guys have worked out that they bypass signature scanners if they tweak their code and then release it quickly. The idea is to hit hard and spread fast, disarm victims and then exploit them," Thompson said in an interview with Ziff Davis Internet News.

He said he thinks the attack, which used virus code from the Bagle family, is the work of a very small group of organized criminals. "There's no doubt in my mind we are dealing with organized crime. The target is to build a botnet or to add to existing ones. Once the botnets reach a certain mass, they are rented out for malicious use."

Full Story.

More in Tux Machines

elementary OS "Freya" Finally Gets Custom Keyboard Shortcuts

elementary OS "Freya" has been out for some time now, but developers are still adding features to it despite the fact that it has been dubbed stable. Now, users have the option to define custom keyboard shortcuts, which was a much sought-after feature. Read more

A Linux proud history – 15 years ago and the Brazilian ATM

The story I want to share with you is how that “marble Tux” came about. Yes, it was a production machine that you see in the picture, and it was running everywhere in Brazil for at least 10 years. So, a 25-year-old boy, in this case me, the guy typing now, who was working at an ILOG graphical toolkit partner, suddenly decided to look for Linux jobs; he had been out of university for 1 year, but had already been infected by open source and Linux for more than 3 years, and thought it could be done. Read more

OPNFV Project Gets Backing from EMC & VMware

The open source platform for Network Functions Virtualization (NFV), OPNFV Project, has received major backing from EMC and VMware. EMC joins as a Platinum member, along with others such as AT&T, Brocade, China Mobile, Cisco, Dell, Ericsson, HP, Huawei, IBM, Intel, Juniper Networks, NEC, Nokia Networks, DOCOMO, Red Hat, Telecom Italia, Vodafone and ZTE. VMware joins as a Silver member. Read more

Leftovers: GNOME Software

  • Let’s contribute Peru with GNOME
    After that Cesar Fabian started the code contribution part, because all of them were interested in GNOME developer technologies. We started with GLib, based on the GLib website. He explained to us that GLib is a GNOME library written in C. We did a couple of examples: Hello World and a List of Fruits, using GList. GLists are linked lists that use the type void *. Values and basic types were also explained, like gboolean, where ONE represents TRUE and the rest of the values are FALSE.
  • GNOME 3.18 to Drop Support for Yahoo!, Foursquare Will be Enabled by Default
    Debarshi Ray, a renowned GNOME developer, announced the immediate availability for download and testing of a new development release of the GNOME Online Accounts component of the upcoming GNOME 3.18 desktop environment.
  • GNOME Disk Utility 3.17.2 Fixes Benchmarking of Disks on 32-Bit Architectures
    The GNOME Project is hard at work these days preparing for the release of the second milestone of the upcoming GNOME 3.18 desktop environment, due for release later this year on September 23.