
SANS ISC: InfoSec Handlers Diary Blog - Malware



Malware

Published: 2005-12-10
Last Updated: 2005-12-11 08:53:07 UTC
by Koon Yaw Tan (Version: 1)
0 comment(s)
1) One reader submitted a malware sample which, when run through VirusTotal, was detected as a Linux backdoor by several engines:

Engine       Version     Date         Detection name
Ikarus       0.2.59.0    12.10.2005   Backdoor.Perl.Whoredoor.08
Kaspersky    4.0.2.24    12.10.2005   Rootkit.Linux.Matrics.sk
McAfee       4647        12.09.2005   Linux/BackDoor

2) On another note, Juha-Matti has pointed out an interesting trojan, Trojan.Spaxe. What makes it interesting is that it displays a balloon message which imitates the Windows Automatic Updates notification from the System Tray icon, with the following text:

Body:
"Your computer is infected!
Windows has detected spyware infection.

It is recommended to use special antispyware tools to prevent data loss.
Windows will now download and install the most up-to-date antispyware for you.

Click here to protect your computer from spyware."

Clicking on the balloon results in a file being downloaded from the Internet, so the fake "protection" is in fact the next stage of the infection.

3) You may have read in the news that there will be a Sober worm attack on 5 Jan 06. This is due to the pre-programmed activation date of the current Sober variant, 5 Jan 06. The interesting part is that this Sober variant generates pseudorandom URLs which change based on the date. It can also synchronize its notion of the date against public time servers, so it does not matter if the local system clock is wrong. F-Secure has published a list of the URLs that you may want to block. You can read the details in F-Secure's writeup.

[Update to (3)]
On another note, LURHQ has a writeup on the key dates in the various Sober variants. It notes that the Sober.Y activation date is after 5 Jan 06 rather than on it: the logic is "current date > Jan 5" and not "current date == Jan 5". Thanks to Dominic for pointing this out.
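The two points above (date-seeded URL generation, and the "date > Jan 5" activation check) are easier to reason about with a small model. The following is an added illustration, not Sober's actual algorithm and not code from F-Secure, LURHQ or the ISC: the seeding scheme (SHA-256 over the date), the hosting domains and the five-URLs-per-day count are all assumptions chosen for the example. What it shows is how a defender can precompute a block list for a date range once the generator is known, and why the strict "greater than" comparison means the list must cover every day after the activation date, not just 5 Jan.

```python
"""Hypothetical date-seeded URL generator (NOT Sober's real algorithm).

Added example for illustration only.  Demonstrates:
  * deterministic URL generation from a calendar date
  * the activation condition "today > 5 Jan 2006" versus "today == 5 Jan 2006"
  * precomputing a block list over a date range
"""
import hashlib
from datetime import date, timedelta

# Assumption: placeholder hosting domains for the illustration, not Sober's.
HOST_DOMAINS = ["example-host-a.test", "example-host-b.test", "example-host-c.test"]
# Assumption: how many URLs the (hypothetical) generator derives per day.
URLS_PER_DAY = 5
# Activation date from the diary entry.
ACTIVATION_DATE = date(2006, 1, 5)


def is_active(today, strict_greater=True):
    """Activation check.

    LURHQ's reading of Sober.Y is 'today > 5 Jan 2006', not 'today == 5 Jan'.
    strict_greater=False models the (wrong) 'equals' interpretation so the
    two can be compared.
    """
    if strict_greater:
        return today > ACTIVATION_DATE
    return today == ACTIVATION_DATE


def generate_urls(day, count=URLS_PER_DAY, domains=HOST_DOMAINS):
    """Derive `count` URLs deterministically from the calendar date.

    Hypothetical scheme: hash "<ISO date>:<index>", use the first 8 hex
    characters as a path label and one byte of the digest to pick a domain.
    Because the only input is the date, anyone who knows the scheme can
    reproduce the same URLs ahead of time.
    """
    urls = []
    for i in range(count):
        seed = f"{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(seed).hexdigest()
        label = digest[:8]
        domain = domains[int(digest[8:10], 16) % len(domains)]
        urls.append(f"http://{domain}/{label}/")
    return urls


def build_blocklist(start, end, strict_greater=True):
    """Precompute the URLs for every day in [start, end] on which the code is active.

    Returns a dict of ISO date -> list of URLs.  Days on which is_active()
    is False (e.g. 5 Jan itself under the '>' rule) are omitted, which is
    exactly why the '>' versus '==' distinction matters for a block list.
    """
    blocklist = {}
    day = start
    while day <= end:
        if is_active(day, strict_greater):
            blocklist[day.isoformat()] = generate_urls(day)
        day += timedelta(days=1)
    return blocklist


if __name__ == "__main__":
    # Note: the real worm takes its date from public time servers, so the
    # defender must key the list on the calendar date, not a machine's clock.
    for day, urls in build_blocklist(date(2006, 1, 4), date(2006, 1, 8)).items():
        print(day)
        for url in urls:
            print("   ", url)
```

The block list is keyed on the calendar date rather than on any host's clock, mirroring the point that the worm synchronizes its date externally: setting a machine's clock back does not change which URLs are live on a given day.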