Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Triple-Barreled Trojan Attack Builds Botnets



 By: Ryan Naraine
2005-06-04
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Triple-Barreled Trojan Attack Builds Botnets
  2. ' Spyware '

Rate This Article:
Poor Best
Triple-Barreled Trojan Attack Builds Botnets
( Page 1 of 2 )

Updated: Anti-virus experts have detected signs of a massive, well-coordinated Trojan attack capable of creating botnets-for-hire. Is it the work of organized crime?Anti-virus researchers are sounding the alert for a massive, well-coordinated hacker attack using three different Trojans to hijack PCs and create botnets-for-hire.

The three-pronged attack is being described as "unprecedented" because of the way the Trojans communicate with each other to infect a machine, disable anti-virus software and leave a back door open for future malicious use.

"This is so slick, its scary," said Roger Thompson, director of malicious content research at Computer Associates International Inc. "It clearly points to a very well-organized group either replenishing existing botnets or creating new ones."

According to Thompson, the wave of attacks start with Win32.Glieder.AK, dubbed Glieder, a Trojan that downloads and executes arbitrary files from a long, hardcoded list of URLs.

Resource Library:

Glieders job is to sneak past anti-virus protection before definition signatures could be created and "seed" the infected machine for future use. At least eight variants of Glieder were unleashed on one day, wreaking havoc across the Internet.

On Windows 2000 and Windows XP machines, Glieder.AK attempts to stop and disable the Internet Connection Firewall and the Security Center service, which was introduced with Windows XP Service Pack 2.

The Trojan then quickly attempts to connect to a list of URLs to download Win32.Fantibag.A (Fantibag) to spawn the second wave of attacks.

With Fantibag on the compromised machine, Thompson said the attackers can ensure that anti-virus and other protection software is shut off. Fantibag exploits networking features to block the infected machine from communicating with anti-virus vendors. The Trojan even blocks access to Microsofts Windows Update, meaning that victims cannot get help.

Once the shields are down, a third Trojan called Win32.Mitglieder.CT, or Mitglieder, puts the hijacked machine under the complete control of the attacker.

Once the three Trojans are installed, the infected computer becomes part of a botnet and can be used in spam runs, distributed denial-of-service attacks or to log keystrokes and steal sensitive personal information.

A botnet is a collection of compromised machines controlled remotely via IRC (Inter Relay Chat) channels.

According to CAs Thompson, the success of the three-pronged attack could signal the end of signature-based virus protection if Trojans immediately disable all means of protection.

"These guys have worked out that they bypass past signature scanners if they tweak their code and then release it quickly. The idea is to hit hard and spread fast, disarm victims and then exploit them," Thompson said in an interview with Ziff Davis Internet News.

He said he thinks the attack, which used virus code from the Bagle family, is the work of a very small group of organized criminals. "Theres no doubt in my mind we are dealing with organized crime. The target is to build a botnet or to add to existing ones. Once the botnets reach a certain mass, they are rented out for malicious use."

"Theres a black market for infected computers. The bigger your botnet, the more money you can make," Thompson said. He said researchers tracking underground hacker activity had seen a price tag of about 5 cents per infected machine.

Next Page: The spyware connection.





  Reader Comments: Triple-Barreled Trojan Attack Builds Botnets
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}vH9NcO[6.3e]Rj I# T;KU~]ݶ!/oy$ KtsL.-mfPZCuf$5wv޼y)C~5oer442 Qa໭h]1Ȩi74wGEr޼w A:|@vD Qlէc:j#+SeL]FXe .h65bI@#T9כ$)qDc].y}D~h?2tNGI~yT$Ng )9*F4H!;^6v 5ya_!E0KMwmCaw@SR(v2%v!6^;52ș=Qz$ѨdXc+={$-,v2Nb ӡeh1e8r tuU˰J@B-hfLu8bW1%:(ֳ-ӵQ7@1 )<Tq$le$o*!lpi#B9y0'BmitQV_ս7PQƎ53#2s݉],Fx TmO |l5ŝPx>zFUQ<2}ġFr$ˊӬhw9zjՋrXA0pX7߉*Ԭ٣SeTkNmo?ֻW b>xٻ_gQPww@amQX*P\vNnY\u?/.-N |++ɿ+0Q\&**R>2 A:1j`%rM7JAqw-bX/.f1ێRd!XI#/Y !2q}?-~k~>CY6f0CZ-* Ń2ؕ֊gx]:nNo9n;W9ސIٚ9NTp3SZk!vO|wSS&sa%jCyiM&Ժx|9!IoK'|?%//!}G1]br*C2Q/,g,oGUEj4O˰n.G\]d8[r* ߲n^S3C7mDZPEÿ!G/$L.Fh-Aho *K(Lr &@Sk~$M -mΚb.L2g<-^T—V(_. jJ|*Gٛ"C;z>6iFR}Gs$AA64^LK\u>'ݠäpV85|u@߶҇u!ӧԵ!FRAтMd9.tWT ]]wL29lPC(u,#2s)d@]90lPlr2 0j3hSP|+sZ( _ Ч dPJJyISC!-i]R@Az6< -Y,rr< "a|GBŅA .<BIڹLX>٣XB YX/_"23}CĦɸ󓪪"7r.G _3-MDlyp|Ө7=K9bi]yg,`bxT%\Ew,Ofرp=7yAC<ݴY=%st0fXfZ1kwoBaŲ@s2QiҴyJS݄DW'$pTDhiL˄|&6=gUlЩ#Kt;2a|d N򶷛=g:.QΟjWuϙܑ ݼ[1 e jJ=Us A|5 i!SL&Ze <<>GGy^ʒtɕ\=P/SVcX`Dahtzb0m/nD)hMaࡇV|\vTgKRZr$^KI8goiXZ P.틟eq b-+,:V(/Q|$АTumsiŰ,B /0:ĸM̆ѣEaԆTX>m ,🅢\*l#Sad$V+j86k\[`CaPeܡɃ$X{3Q_؊-2qz6<:uN,ȃc%َ`ۉ2G>`Ӄ )b!,{b!N)2A߰ TXzR Bd36-F z+_`ˀ eK,&}gn3rt]Z|j늹:_, {gaWjI 7}4J'MM8`;D#?aN4S H7`$¿w{52R _φrT(Gi?怚H|A2,e,g6FaXA5ٜsFi6z er3h`9hK™>j1| paH@G3usSEqK<#ؒG~nR5ư" D\MJe [L֥L56$!W6nR>_0C)Xk;0]8D z#A#Ez .2 J%0 h e! r)\QTpEH}Vt[T.E^nvV KtLS`zT9BQ7ߏ90gted-ͧ IZ+jՐzr+BZ?(TU 3蛹*(Si\ |s`Ξn:еFKt98 _t >ȵ2g>t0jV7aE>yL vHj!(|]J~ $}TleAkb`𣨰¹ӽ`]Y MttoBE 0IMkYԽCwnOTW5wԀ@\0+9!g kݦe ֟Cj6F1>Lk}(䫇R}6f/joҩmhDр(dQ@C-dY \q?ڸľX{XBpl 6͐*s@WIeF 24N{]NOͯ4>3;}&mnf]{mxUpbX3-GP͕GXUl  4OpomAW%E:e˨W6l&Dh~zX,GP`xht4J,FvМA]_c+7 `Mmg_;,`M 2 \+S1nxf˧ ycj CsZ#<;S0\m>w6EbM HkzŎr {Q> ?xct_^Vڲf6r%b "X:Ks\zKdD":+s%"wdV^x%Ex UqIvnh`><} {6*h"m\d?'̅B.uMq]C0AX(ա\' *|tXg$,2 e,tZ<&QRsSA`;pf-<9t3=r3=q1ʅHgkgn *ZODu4a2쬨"![ySb] Q/F?W$Btc?7Gs`LI4w=!-!G.~)*{.oFE.]%.(q-@jhyAœJ"L.J`Ukyr^f} $~fH?wV!bi0V5Tk+2wLmOyDzm[}󎶛Qxg,d AX9z-s!Vg'9@SQd=hl?|nwcJljl 4QBhuWq]٠h2"k#ì§!qZ'D$jwl['/G'o-:XQ|=L8S{C4/ kM濫n~gbƚkKLBIqIM{fr?&( ۡ#V̢%K,-1pMtw/˗٨CƥS݄U{ZRr(.hPYJζLO>ΌSg_/π͜{:ǃQ>Qv/B1lUšWE8r6P< 7 Á~/N:GD$?O}_ D!gs㙮q&,5 ?:Sț옛3zM¯S|{i2x Y`d[1[Hچ@< :\~oJ1 rx^ D6)8f;i)ZAI7(,#cq\#,;HL2ٛEɂ )p~_:(f`i{ mu!w/O1߸~<H^H ssA[-@Z5M\bW*llN!'pr2e}tHuؐ`稇a}@2 rYvۆ1q%{LINJ%x?r=YD^~>G2^[umàpXn_W Pk/l:\[+R!/*{ UAnɀCp)΀ber.=w"3I87bRUDlAv8X0U\E' V2^|b\Wb+v^)HŃMՒI=SҒQ7)X%cL^˛oz33ڸU 3e|y\Ԍk}m Z>FhLvLtL+/>a聾cؔڂ1b@q؇%(_ z|$D2ǁV/xy|<ޖ-nʊg>H_ Lo.2j|_,Q̈́mG&6V0U;xWMİ\Z|fөRĢNHap8lGnnU|+Jy0+l1 s$%xSixRH k,}\?g' vo(ƅ="AuW':l`dtWQEW^|E;_), 4z-VyPED z6"dܨ؆\zAnR{N% ׶si~tQn*c/2 +aae lnVnÑ~yWÉe % .uWR9Í\lͤKe8O"bA+G<|߻IhxC;>x) ^d͗!_܃+ 80"] H%i%Du0 }3zw醨67,ᠿODWX4w`S>RHRe AjOmÚSOX "4gteA{jJp="y`#$h=|6?r`4D!TF2WAA1J'닓7dk82 3/Kr]gW43LRO fA@KbPxgR-8C3lȅ/[:i9ǝ(,<dֵ AjDT#wgE3a\W"ɽ&xVe-Gf0̇`W"K tVLB F27~'b#Q3)盹gz(}XwDwi`%sE&B }\9 !||6ڛܴ7s7(˙+`g5XSª!n7 "\[35fx;=*?=7`3Kފ^ZU3|6D/ӿv_3J`zwFŷQ4,?k"۟B-[1oe{")WC/c,'N73b@Pq #%(DSsha#ufr*2{ibf7ioaaql; 4b0H1v16bsԺKrYxVZ^ٵSenC @ghIY'.DI0ƱjS&y+ Ȕ3R >A-'gZ,g<,93zνkyj󨟰n_Wq~f1,V-&+"`| c[hO/Z>))fl1DKb\Gj ų Tu`jSR-7UTb?R{*xy]D0~~XX67IX#M vPG}j[^?u<&PC>ybux a-0l3C-ԏ[C=]a'H< -Rx4s?dzpXɫ~wǶ%}^-F˸v0fc!ӎ[,ŋSKp}CU#P>Ga,t gًذBeCvDyVn"8? PV4tE]Y aC^ # n’h&rdwcǚOpTV,.ķ%VAX.Vj9"'"+H *]N|`d^lQXҨj9Lzm_\6`ZT1Pm.ͼ͒E41T %.%w Zk^Yr<+ȀJa{Vl!!ceTA9iArM֔ Ue_+DThq>Š- ykSfn=)fFmz^C `5㱽uRkK,u3S q<27#[zZ<`fE'HlewpѣZC[T#vX ],j|xf1 Э%"Ad܉Sgx|4]P Wq-m4ܵ8k+1%lMq${T? 㽽 !~Hګ DXtf)Z0ڡ]}t73>н^ĤZ3B{ݱL^?jsa s ),9+?d0̊rPȶ8.ΎS)q2ɹb*Sepx :IϦ4/ 1J}|y;srb6ވj &*.*1XtІMֿD|ɈVsZFJSC)2h?1D c  )46$A .k`>Y(MqG )U|vkY t 8AnKnF0^J8$}^8Vp߯T ^@9ף/|T3/b#-Ѩ#Uf[#zˀ̥ǟ L\5`so*Kg|a=X *>ob[ Xy"uFf&  ( `j_<0\mչ WEo <>fud}a#ggMeNGۏ6#僎39$l0W)iͼHaK9.ԉGXqhx;r)]S?o8f |$rEC91ݩ퇛^0_HHU t03|DT%jE _9 dU _M_oz=&>8OKZ &9a k(ExH7ѩx=^M("`"1/1c3bwڲm64T~pw|v[ T6CĊ1gC)* r`)'X#IS^wu{t]\V*@H>SeA??E­!RJs# `_𭏙WԛX`ٖ  R.$Ӈ;aq]ܕn:6Nuh遭YrM,іCGj>/Pq}:h23ņimA`DP>Eh$byzsR^Yz~Jb+ z{q@h),fx;_+Te?7kyLK|^& ˅_WSY)|^*[ӈ^+L+xFF*fȈ]Pp{骲O\LB:،\żi/> iv>Nn:<1a[+|OawO?t?u7>Fq`&G_ ee|Q)=5Uš*5\ ‹.i.R88hG_0}4eL9J"Q^e5Ģzu4 &6adBM+S+,tПxu;KtXZyRM/}ld4=V084ħEOWL7yH}Qux?@MrI )w!O?SO $9 sB)?&w2Nr~4윦C:)CL*%I^?'_05/SL_^sBK2KLOѫ>As?O#%/Sa|R *E~`RƯ _):?uJ{/>_?B>'}JS n!6-6o۔onS/:IR<9k]qJ~9,R!?EU/nvS:WJ?Sz)^}VF&oit]!,B|QFWPM`pR'š&}7AZL-uz#}nM (G.vX)n7;epK|E` K}쩧Exv',5WlNAmtPU6q}2ى=pفCjߊX-J C7s H3:nwU Vj?f5>xf;}sպ\޷Y96J쓡̽F}MOHT)pF #0ߤH=;ImM ;wC =M_Nwzpژ;chIdP*.Tj%SaG;A"ð>'C FF E5w9 5,XPPB4|OӰW1]7# ya8anE[!Dk( |H@u|w'T+`ejf"jPʼnpN+x;_ƒ`y͎,j,.#vbl, O^φ,'8d ;G6VɤK4lV{[2gDX#`a.m8ЦQ tiqf*x`Ơ❞F\co8_a l&a5u"'t"L}r1-Xp1hWzP + q?Ihv]!6 R Ň%ޯ ݜ=E67j!f7wLx+˄tYZam^+%aI㾄& R&^v9u{PNC!4 #1苌Y Mк =+ BɄıطLQFK?6 3sKČ0?`n皱LԞX&Zd5YL7A: 6LG_4 (TUƨz 2Aϐ[Ot(,b5:\-5,l$:=ASh0WϛW5EXM%39԰l鱽$-?\$g~LVoU>.#1b1?0x!$kD1|XT ,sDo KQ)u@EikA/?tI3ۉzKVޒ{ƾ dv.zc`FJ+w\vi.?E#,Xw|7(6yJO>zG=w{ ,CQ6 I`S& ><  3TLU@_ܥMUIl[;֍d- O_H.gwH VW0Su .ЫvL>cx 'L}_Ėxuu0 ')AsҰl [Ap^QזsS$ˉeY) ÊaV~Tʹe7ѽA5F|鍝sٚչHF l 吳xA1Xq>k @ێۄ&yX m L&jxBi6e1}1yptXBL{څ$hx nh1)d'k2Q-9ON*DX6v~hyxL(>,B7Ov!GK-><|v$?A-rTpv$N)VRL_XН_Q>1/ꟷ4s<]}}Q78;w]pڟTu;o G(5?iq wꐁ`y}/{uQEncuK# Y/=&20B d`!/pE%@5Xkh<)qduȏ Pb!t;VsfP  O3 y@9fyo7["XRo:y 5r\]p,T*]H݇ 쪸tZn~Ȓ/ÀA}U@c9vQ;#n1cy  K7g0fhtP(˙@Ýضui?!w ?Òqxp ٯbG .kPb0gQ5E0%ޑ/xČGwX;e0f7;sAk 1PADV@(K\Zxbfh,ޭqf^R42P. AdT v3_ v߁@0Pu6#,XDC(84}W$Ft 6-.٘|.Xe .3x@__>#b:}EM>e:‚#a7kΦCd A,_Yis}/U'P4!6bOy ^&?Lss Ǻr;{|:mR-ˬ- tl)̂5]@v,QǒHwIG2Wc|PnMndcxČWk8Yf@sa0ɲWGYqYay_c̻ Wk#lz+-hMd6 `_/ǞZCS޹;[xd9 лJ-h0_@x>MؼۤA߯xk)s*!dE.f˼JVˆ6]ޟoR&?酫a6|UIxP-ie͕ z,\~+:D̞\j"Fm}9uegtxIܲ l],DF n6E ذ<]/Z#بDMg?hdIY4QIH RX)[q`4!f^+wVVnv1r1>[4R9,'3z쪭iEC+qḓ;_8^e'ߕq^F[(0J+Ll4ٷъE(fW~