New spamming botnet?
Lately I have been seeing heavy activity from IRC bots that end up becoming automated spam bots. I don't know whether we are looking at some large network of the Rustock type (https://www.microsoft.com/security/sir/story/default.aspx#!rustock), but it has certainly made its presence felt.
So let's take a look. As you will see, our sample has a low “protection” rating. Of course, this happens because over the last few days they keep changing the code so that it slips past the AVs unchecked, even if only temporarily.
Let's move on to executing it and see how our little devil behaves!
1. DNS query for xxxxx.ka3k.com, where our IRC server is located
2. Connection with user/pass, followed immediately by commands
As you can see, it directs us to download “ngui.exe” and save it as “ngdhd.exe”; the whole process happens automatically and, of course, without any action on our part.
Once downloaded, our file executes immediately and, like every self-respecting malware, makes sure it is run at every system startup. This is achieved in the following way:
Under C:\Recycler (the Windows XP Recycle Bin) it creates a subfolder with a name that looks like a SID but isn't; note the R-1-5-21! Real Security Identifiers (https://support.microsoft.com/kb/243330) begin with “S”, not “R”, so this is a deceptive technique. It also places ecleaner.exe in the same folder and finally makes the necessary registry entry under the following key (https://technet.microsoft.com/en-us/library/cc957402.aspx)
Next, the downloaded file “ngdhd.exe” unpacks its code into Twswsp.exe
which in turn, of course, makes the corresponding registry settings to ensure automatic execution on every reboot.
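The persistence trick described above (a Recycler subfolder whose name mimics a SID but starts with the wrong letter, plus an autostart registry entry pointing into it) is easy to hunt for. The following is an added Python example, not the write-up author's code: it classifies Recycler subfolder names against the real SID shape (`S-1-<authority>-<subauthorities>`) and flags autostart entries whose executable lives under a Recycler root. The folder listing, the run values and the SID digits are constructed sample data; the assumption that the autostart key in question is one of the `...\CurrentVersion\Run` keys is mine (the page links the TechNet reference but does not quote the key name), and the optional live scan uses the standard `winreg` module only when run on Windows.

```python
import os
import re

# Real SIDs look like S-1-5-21-<...>-<RID>; a lookalike keeps the shape but changes the letter.
_SID_SHAPE = re.compile(r"^([A-Za-z])-1-\d+(?:-\d+)+$")

# Roots of the per-user recycle bin on XP-era and later Windows (compared case-insensitively).
RECYCLER_ROOTS = ("c:\\recycler", "c:\\recycled", "c:\\$recycle.bin")

# Assumed autostart locations (the write-up links the Run key reference without naming it).
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample data: one legitimate per-user bin, one "R-" lookalike as seen in the write-up.
SAMPLE_RECYCLER_LISTING = [
    "S-1-5-21-1085031214-1606980848-725345543-1003",  # genuine SID-named bin (constructed SID)
    "R-1-5-21-1085031214-1606980848-725345543-1003",  # lookalike: wrong prefix letter (constructed)
    "desktop.ini",
]
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "ecleaner": "\"C:\\Recycler\\R-1-5-21-1085031214-1606980848-725345543-1003\\ecleaner.exe\"",
}


def classify_recycler_entry(name: str) -> str:
    """Return 'sid' for a real SID-shaped name, 'lookalike' for the same shape with a
    non-'S' prefix letter, and 'other' for anything else (e.g. desktop.ini)."""
    m = _SID_SHAPE.match(name)
    if not m:
        return "other"
    return "sid" if m.group(1).upper() == "S" else "lookalike"


def _exe_path(command: str) -> str:
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_under_recycler(command: str) -> bool:
    """True if the command's executable sits below one of the recycle-bin roots."""
    path = _exe_path(command).replace("/", "\\").lower()
    return any(path.startswith(root + "\\") for root in RECYCLER_ROOTS)


def find_suspicious(listing, run_values):
    """Combine both checks: lookalike bin folders and autostart entries pointing into the bin."""
    return {
        "lookalike_folders": [n for n in listing if classify_recycler_entry(n) == "lookalike"],
        "run_entries_in_recycler": [name for name, cmd in run_values.items() if is_under_recycler(cmd)],
    }


def scan_live():
    """Run the same checks against the local machine; only meaningful on Windows."""
    try:
        import winreg  # standard library on Windows only
    except ImportError:
        return None
    listing = []
    for root in ("C:\\Recycler", "C:\\Recycled", "C:\\$Recycle.Bin"):
        if os.path.isdir(root):
            listing.extend(os.listdir(root))
    run_values = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, RUN_KEY_PATH) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    run_values[name] = str(data)
                    i += 1
        except OSError:
            continue
    return find_suspicious(listing, run_values)


if __name__ == "__main__":
    print(find_suspicious(SAMPLE_RECYCLER_LISTING, SAMPLE_RUN_VALUES))
    live = scan_live()
    if live is not None:
        print("live:", live)
```

On the constructed sample the lookalike folder and the `ecleaner` autostart value are the only findings; a genuine `S-1-5-21-...` bin folder is reported as normal, which is the distinction the write-up draws.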
As for the file ngui.exe, on virustotal.com we get the following results
So far, then, we have 2 new files, ecleaner.exe (cleaning is the one thing it doesn't do!) & twswsp.exe, both of which are executed at every startup. The 2nd file appears to be the program that communicates with the C&C server for further commands.
Then the fun begins, as a few more executables are downloaded; these immediately get to work and contact another web server, from which they download the following:
The name of the web directory, /spm/, probably gives away its reason for existing (spam). Here it essentially pulls, in encrypted form, the email accounts used for sending the mails.
So once all the necessary tools and settings have been downloaded, our mass mailing begins.
Let me add that one of the executables it downloads has an anti-debugging mechanism: as soon as it finds running processes of well-known tools such as procmon, ollydbg, wireshark etc., it closes them immediately.
Finally, to get a good idea of the scale and spread of this operation, I present the following image:
Here the 4 main servers and their roles are depicted: 2 web servers from which the malware is downloaded and 2 IRC C&C servers.
All the best to everyone, I'm off to delete a few more mails from my Junk folder!