Freigeben über


Νέο spamming botnet?

?? te?e?ta?? d??st?µa ß??p? ??t??? ????s? ap? irc bots ta ?p??a ?ata?????? ?a ?????ta? a?t?µat?p???µ??a spam bots. ?e? ??????? a? ß??p??µe p??? ??p??? µe???? d??t?? t?p?? Rustock (https://www.microsoft.com/security/sir/story/default.aspx#!rustock) a??? s?????a ??e? ???e? a?s??t? t?? pa???s?a t??.

????µe ?a? ??µe ???p??, t? de??µa µa? ?p?? ?a de?te ??e? ?aµ??? de??t? “p??stas?a?” Smile. ??ßa?a a?t? s?µßa??e? ??at? s??e??? t?? te?e?ta?e? ?µ??e? a??????? t?? ??d??a ?ste ?a p??spe????? a?e?????ta ap? ta AVs ?st? ?a? p??s?????.

ScreenHunter_12 Nov. 29 11.49

?? pe??s??µe st?? e?t??es? t?? ?a d??µe p?? s?µpe??f??eta? t? d?aß????? µa?!

1. Dns query ??a t? xxxxx.ka3k.com ?p?? ß??s?eta? ? IRC Server µa?

2. S??des? µe user/pass ?a? ?ate??e?a? e?t????

image

?p?? ß??pete µa? ?ate????e? ?a ?ateß?s??µe t? “ngui.exe” ?a? ?a t? ap????e?s??µe ?? “ngdhd.exe” ? ??? d?ad??as?a ???eta? a?t?µat?p???µ??a ?a? ????? t?? ?p??a d???e?? µa? ß?ßa?a.

????? ?at?ße? t? a??e?? µa? e?te?e?ta? ?µesa ?a? ß?ßa?a ?p?? ???e malware p?? s?ßeta? t?? ea?t? t?? f???t??e? t?? e?t??es? t?? se ???e system startup. ??t? ep?t?????eta? µe t?? pa?a??t? t??p?

ScreenHunter_02 Nov. 28 15.08

??µ?????e? ??t? ap? t? C:\Recycler (Recycle Bin Windows XP), ??a subfolder µe ??t? p?? µ????e? µe SID a??? de? e??a?, p??s??te t? R-1-5-21! ????? ??at? ta Security Identifiers (https://support.microsoft.com/kb/243330) ?e?????? µe “S” ?? ??? µe “R”, pa?ap?a??t??? te?????. ?p?s?? t?p??ete? st?? ?d?? f??e?? t? ecleaner.exe ?a? t???? ???e? t?? apa?a?t?t? e???af? st? registry st? pa?a??t? ??e?d? (https://technet.microsoft.com/en-us/library/cc957402.aspx)

ScreenHunter_04 Nov. 28 15.22

St? s????e?a ???p?? t? a??e?? p?? ?at?ß??e t? “ngdhd.exe” ???e? unpack t?? ??d??a t?? st? Twswsp.exe

ScreenHunter_05 Nov. 28 15.30

?a? ß?ßa?a µe t? se??? t?? ???e? t?? a?????e? registry ???µ?se?? ??a ?a e?asfa??se? t?? a?t?µat? e?t??es? se ???e epa?e?????s?.

ScreenHunter_06 Nov. 28 15.31

?s?? af??? t? a??e?? ngui.exe st? virustotal.com ????µe ta pa?a??t? ap?te??sµata

ScreenHunter_13 Nov. 29 12.18

????? ed? ???p?? ????µe 2 ??a a??e?a t? ecleaner.exe (µ??? clean de? ???e?!) & t? twswsp.exe ta ?p??a e?te????ta? se ???e e?????s?. ?? 2? a??e?? fa??eta? p?? e??a? t? p????aµµa ep????????a? µe t? C&C Server ??a pe?a?t??? e?t????.

St? s????e?a a????e? t? ??f? af?? ?ateßa????? a??µa µe???? e?te??s?µa ta ?p??a te???? p?????? aµ?s?? d???e?? ?a? ep?????????? µe ???? web server ?p?? ?ateß????? ta pa?a??t?:

ScreenHunter_07 Nov. 29 10.19

?? ???µa t?? Web Directory /spm/ µ????? p??d?de? t? s??p? ?pa???? t?? (spam). ?d? st?? ??s?a a?t?e? se ???pt???af?µ??? µ??f? email accounts ??a t?? ap?st??? t?? mails.

?p?te af?? ???p?? ????? ?at?ße? ??a ta apa?a?t?ta e??a?e?a ?a? ???µ?se?? ?e????e? ? µa???? ap?st??? µa?.

ScreenHunter_08 Nov. 29 10.36

?a s?µp????s? p?? ??a ap? ta executables p?? ?ateßa??e? ??e? anti-debugging µ??a??sµ?, d??ad? µ???? ß?e? a????t? processes ap? ???st? tools ?p?? procmon, ollydbg, wireshartk etc ta ??e??e? aµ?s??.

????? ??a ?a p????µe µ?a ?a?? ?d?a ??a t?? d??stas? ?a? t? d?asp??? a?t?? t?? e?e??e??? pa?a??t? t?? pa?a??t? e????a:

ScreenHunter_11 Nov. 29 11.28

?d? ape????????ta? ?? 4 ßas???? servers ?a? ? ????? t???. 2 Web Servers ap? t??? ?p????? ?ateßa????? ta malware ?a? 2 IRC C&C Servers.

?a?? s????e?a se ?????, p?? ?a d?a????? a??µa µe???? mails ap? t? Junk Folder µ??! Smile