[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <000001c3a572$d50adea0$9ec6fea9@whitestar>
From: ge at linuxbox.org (ge)
Subject: irc.trojan.fgt - new variant.
> I guess It's a matter of time before someone hacks in a http server
and makes it send out links like
> http://victim ip/britney.jpg
> Luckily microsoft patches stuff within 2 days, balmer said so so it
must be true ;)
Since the trojan horse really was "britney.jpg", I hope I am not
responding to a joke. :)
They already did. Without a hack to it.
It started on the 26th of last months.
britney.jpg came out.
To remind us all, that trojan hose used one of the latest IE
vulnerabilities to overwrite wmplayer.exe with the trojan horse itself.
After luring the user to a simple .jpeg, that was actually HTML. So that
IE thought it got a 404 - file not found HTML response.
Two days passed, and while we saw mimic, which used the same basic way
to fool a user into clicking on a URL for a picture of a model
celebrity, did not install any files on the PC, it just spammed itself,
and DDoS'd Microsoft by multiple port 80 connections.
Every-day since, one to three new trojan horses came out. Always the
same drill: 1. An angelfire website (mainly),
http://url/pic-big-name.jpg
(I would like to use this opportunity to commend angelfire again on
their amazingly fast and serious abuse-mail correspondence and good
work.)
2. The trojans always spams the same way, using mIRC's DDE server, with
"URL << wow !!" as the spam, or something very similar.
3. The different files are not clones of one another, although some are
quite close to being clones, with minor changes to the file name, etc.
4. the trojans always installs itself by replacing wmplayer.exe. In
later variations it copies itself to a few more locations.
The basic parameters of these trojan horses are the same:
They spam themselves, making sure others would click on that believable
URL, without any weird ".bat" or ".pif" etc. after the ".jpg" in the
file name, and then proceed to _seriously_ cripple, although not
destroy, the user's machine.
The latest "releases" of these trojans are NOT clones.
I believed that the biggest issue with britney.jpg would be copy-cats,
and that is what scared me.
I was wrong.
This mal-ware spreads at incredible speed online, infecting and
destroying an incredible amount of computers (which is reasonable
considering the amount of us who would click on a URL for a super-model
picture........). and then when the URL dies, a new trojan (or two...
even three) are released with the exact same modus operandi.
The trojans have two objectives: one - multiply, and then destroy.
Somewhat of a kamikaze suicide bomber. Lately the boundaries between
"viruses" and other types of... "viruses" like trojan horses and worms
are thinning beyond recognition. In my opinion in any case.
The sites are usually exceeding their allowed bandwidth use of the day
long before they are closed, which comes to show of the enormous
"clicking" people do.
It is my firm belief that all these trojan horses have a common author,
and that he himself maintains his trojan's infectious state by just
releasing more "new" trojan horses to the wild. All just as destructive.
This is the most concentrated assault I have ever seen by a mal-ware
WRITER, vs. just the mal-ware.
Personally, I don't get it, but that's probably just me.
I hope this information helps somebody out there, hopefully the FBI?
This attack may be over - although we are not sure yet, but I doubt we
heard the last of this guy.
Gadi Evron (i.e. ge),
ge@...uxbox.org.
--------
gevron@...vision.net.il -
PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID).
Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741.
The Trojan Horses Research mailing list - http://ecompute.org/th-list
My resume (Hebrew) - http://vapid.reprehensible.net/~ge/resume.rtf
Powered by blists - more mailing lists