A trojan that deletes spyware? - More botnet fun - World record attempt
Anti Spyware Trojan?
As reported by ISC Handler Pat Nolan, a new trojan has been released into the wild that seems to terminate processes and delete files and registry keys known to be associated with adware products. More details are available at http://securityresponse.symantec.com/avcenter/venc/data/downloader.lunii.html
Botnets
We've received reports of a few new botnet infestations of the same critter Deb Hale reported in http://isc.sans.org/diary.php?date=2004-09-25 . Botnets are a perfect example of why you need to know what's normal on your network and what's not. Great job Dan and Mr. Anonymous Senior Analyst. ;)
Speaking of botnets ...
The ISC was alerted to a .jpg image file (thanks Mark!) that contained an MS04-028 overflow, which caused the machine to download and run an executable, jpeg.exe.
jpeg.exe silently installs a service on the PC as well as a registry key to autorun at reboot, then goes out to an IRC site, notifies of the compromise and waits for commands.
Actions have been taken to have the offending site blocked.
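As an added illustration that is not part of the original diary, the following Python walks the marker segments of a JPEG and flags any segment whose 16-bit length field is below 2, the malformed structure that triggered the MS04-028 GDI+ overflow; the sample byte strings are constructed here and are not the image the ISC received.

```python
import struct

# Markers that carry no length field (SOI, TEM, RSTn), plus end-of-image and start-of-scan.
_STANDALONE = {0xD8, 0x01} | set(range(0xD0, 0xD8))
_EOI, _SOS = 0xD9, 0xDA

def scan_jpeg_segments(data: bytes):
    """Walk the marker segments of a JPEG; return (offset, marker, length, reason) findings."""
    findings = []
    if not data.startswith(b"\xff\xd8"):
        return [(0, None, None, "not a JPEG (missing SOI)")]
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            findings.append((pos, None, None, "expected 0xFF marker prefix"))
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill bytes between segments are legal
            pos += 1
            continue
        if marker in _STANDALONE:
            pos += 2
            continue
        if marker == _EOI:
            break
        if pos + 4 > n:
            findings.append((pos, marker, None, "truncated segment header"))
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        # The length field counts its own two bytes, so anything below 2 is malformed.
        # A COM (0xFE) segment with length 0 or 1 is the documented MS04-028 trigger.
        if seg_len < 2:
            findings.append((pos, marker, seg_len, "segment length below 2 (MS04-028 pattern)"))
            break
        if marker == _SOS:          # entropy-coded data follows; the structural walk ends here
            break
        pos += 2 + seg_len
    return findings

def is_suspicious_jpeg(data: bytes) -> bool:
    """True when the file carries the malformed-length pattern and deserves quarantine for analysis."""
    return any("MS04-028" in f[3] for f in scan_jpeg_segments(data))

# Constructed samples (not the image the ISC received): a well-formed comment segment
# versus one whose length field is zero.
BENIGN = b"\xff\xd8\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello" + b"\xff\xd9"
MALFORMED = b"\xff\xd8\xff\xfe\x00\x00" + b"A" * 16 + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, scan_jpeg_segments(blob))
```

Run it over a mail gateway or proxy quarantine directory to pick out images worth a closer look; a hit is a reason to analyse the file, not proof of exploitation.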
AV scan results of jpeg.exe are as follows (from http://www.virustotal.com ):
Antivirus Version Update Result
BitDefender 7.0 10.05.2004 Backdoor.Hackarmy.1.Gen
ClamWin devel-20040922 10.05.2004 -
eTrust-Iris 7.1.194.0 10.04.2004 Backdoor/AZV.Variant
F-Prot 3.15a 10.05.2004 W32/Hackarmy.AJ@bd
Kaspersky 4.0.2.24 10.05.2004 Backdoor.Hackarmy.gen
McAfee 4396 09.29.2004 BackDoor-AZV.gen
NOD32v2 1.884 10.04.2004 probably unknown NewHeur_PE
Norman 5.70.10 09.30.2004 W32/Backdoor
Panda 7.02.00 10.04.2004 Bck/HackArmy.T
Sybari 7.5.1314 10.05.2004 Backdoor.Hackarmy.gen
Symantec 8.0 10.04.2004 -
TrendMicro 7.000 10.04.2004 -
Bellhops and luggage carts and sheets, oh my!
While SANS NS Las Vegas 2004 will remain firmly engraved in many people's memory, it hopefully won't be remembered for the record attempt mentioned previously, which eventually failed. We're happy to report that there were no serious injuries and that all handlers have (apparently) survived unharmed. It should be noted, however, that the handler attempting the record has not been heard from since just after the attempt, when he was seen with several statuesque showgirls. Good luck Tom, wherever you are. ;)
Chris Carboni
Handler on Duty