| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BAEFKJBBCIPAKCGNHICFEEBGFAAA.kruse@krusesecurity.dk> From: kruse at krusesecurity.dk (Peter Kruse) Subject: SV: [SPAM] RE: interesting trojan found Hi Todd, >But if it is a rootkit, does it not hide from normal AV scanning? Nope, you'll see it in the systemprocess, but since it's active in memory, you won't be able to end it. The trojan is a RDBot variant (Spybot). Like other variants, from this string, it spreads across local and remote networks. It's uses several exploits to compromise unpactched MS Windows boxs, as well as searches for shares with weak passwords. When executed, it creates a mutex "[rxBot v0.6.5 pk + ftpd]". If another instance of this worm is already running, it will exit. The malware carries a backdoor that allows a malicious user to control the infected host through IRC channels. As stated in the first posting, it droppes a copy of itself to the windows system folder. Nextup it modifies registry with several runas keys under the value "update run msword". This RDbot includes a keylogger, that will log all keyboard activity and save this to a text file. A remote user can collect this information through IRC and possibly gain access to others services. --- Med venlig hilsen // Kind regards Peter Kruse, Voice: (+45) 88136030 Security- and virusanalyst, Cel (+45) 28490532 CSIS ApS Fax (+45) 28176030 http://www.csis.dk E-mail pkr@...s.dk PGP fingerprint 79FD 0648 158E 6B9E 236F CFDA 7C58 64D6 BE83 FA60 Combined Services & Integrated Solutions Gevno Gade 11a 4660 Store Heddinge, Denmark
Powered by blists - more mailing lists