Thursday Apr 15, 2010
New P2P Trojan Discovered
Once launched, the malware installs itself in the WINDOWS directory and adds a registry key to ensure that it loads on startup.
Security researchers at Arbor Networks have discovered a new botnet built from machines infected with the Heloag Trojan, a bot specifically designed to manage the downloading and installation of a spectrum of additional malicious software. “Upon detailed inspection, this bot does not appear to have any DDoS capabilities built into it, it appears to only manage downloads on the infected PC,” says researcher Jose Nazario. The trojan is downloaded from either 7zsm.com or elwm.net. Once on an infected PC, it installs itself in the WINDOWS directory. Names observed include:
- C:\WINDOWS\csrse.exe
- C:\WINDOWS\ThunderUpdate.exe
- C:\WINDOWS\conme.exe
It also sets a registry value so that it loads on startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon = [filename] (where [filename] is the installed filename from above)
It then connects to the botnet's C&C server, often on TCP port 8090, to register itself and await commands. Each message is usually preceded by a single byte indicating its purpose:
- 01 – initial hello
- 02 – keep alive, idle message
- 03 – download the named file
- 04 – connect to other peers
- 05 – send hostname to server
- 06 – clear
- 07 – close connection
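As an added example (not code from the Arbor write-up or this podcast), the leading-byte framing above can be turned into a simple network detector: it groups client-to-server payloads by session, and flags sessions on the reported C&C port that open with the 01 hello and use only known opcodes, which separates bot traffic from unrelated services that happen to use the same port. The sample flows, IP addresses and hostname are constructed, and the body format after the opcode byte is an assumption, not something the page documents.

```python
from collections import defaultdict

# Leading-byte message purposes as reported in the Arbor Networks write-up.
HELOAG_OPCODES = {
    0x01: "initial hello",
    0x02: "keep alive",
    0x03: "download the named file",
    0x04: "connect to other peers",
    0x05: "send hostname to server",
    0x06: "clear",
    0x07: "close connection",
}
CC_PORT = 8090  # port the write-up reports as commonly used by the C&C

def decode_message(payload):
    """Map a client->server payload to (purpose, body); None if the leading byte is unknown."""
    if not payload or payload[0] not in HELOAG_OPCODES:
        return None
    return HELOAG_OPCODES[payload[0]], payload[1:]

def find_suspect_sessions(flows, min_messages=2):
    """flows: (src_ip, dst_ip, dst_port, payload) tuples in capture order.
    Returns {(src, dst): [purpose, ...]} for sessions to the C&C port in which every
    payload starts with a known opcode and the first one is the 01 hello."""
    sessions = defaultdict(list)
    for src, dst, dport, payload in flows:
        if dport == CC_PORT:
            sessions[(src, dst)].append(payload)
    suspects = {}
    for key, payloads in sessions.items():
        decoded = [decode_message(p) for p in payloads]
        # Too little data, an unknown leading byte, or no registration hello: leave it alone.
        if len(decoded) < min_messages or None in decoded or decoded[0][0] != "initial hello":
            continue
        suspects[key] = [purpose for purpose, _ in decoded]
    return suspects

# Constructed sample traffic (not captured data): one bot-like session, one plain HTTP
# exchange that also uses 8090, and a lone 0x01 byte to a different port.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.9", 8090, b"\x01"),
    ("10.0.0.5", "203.0.113.9", 8090, b"\x05WORKSTATION-7"),
    ("10.0.0.5", "203.0.113.9", 8090, b"\x02"),
    ("10.0.0.5", "203.0.113.9", 8090, b"\x03update.exe"),
    ("10.0.0.8", "198.51.100.2", 8090, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.8", "198.51.100.2", 8090, b"GET /x HTTP/1.1\r\n"),
    ("10.0.0.9", "198.51.100.3", 443, b"\x01"),
]

if __name__ == "__main__":
    print(find_suspect_sessions(SAMPLE_FLOWS))
```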