Trojan.Peacomm


A number of anti-spam websites came under a distributed denial-of-service attack on January 12. Researching further back in time, we find that variants of the same malware family were released in similar fashion in November, December and early January. When Storm Worm runs, it attempts to link up with other infected hosts via peer-to-peer networking. Through this conduit it obtains a URL which points to a second-stage component of the trojan, which in turn downloads additional stages onto the infected system.

Those stages are usually named game0 and the like; game0 is the part responsible for linking up via the P2P network. In its peer list, the part in front of the equals sign is the peer hash, and the part following it is the IP address and port.
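As an added illustration of how a defender would triage a recovered peer list in the `hash=ip:port` shape described above (this is example code, not from the original analysis or from the malware), the parser below validates each entry, reports malformed or non-routable ones, and emits unique endpoints suitable for a blocklist or a network detection rule. The hash width and the sample entries are assumptions; the addresses are from documentation ranges.

```python
import ipaddress
import re
from typing import NamedTuple

class Peer(NamedTuple):
    peer_hash: str
    ip: str
    port: int

# Assumed line shape, following the analysis: "<hex peer hash>=<ip>:<port>".
# The exact hash width is not stated, so any run of hex digits is accepted.
_PEER_LINE = re.compile(
    r"^(?P<h>[0-9A-Fa-f]+)=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$")

# RFC 1918 and loopback space: an entry here cannot be a real Internet peer.
_NOT_ROUTABLE = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_peer_list(text: str):
    """Return (peers, problems); bad lines are reported, never silently dropped."""
    peers, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _PEER_LINE.match(line)
        if m is None:
            problems.append((lineno, "malformed entry"))
            continue
        try:
            addr = ipaddress.IPv4Address(m["ip"])
        except ValueError:
            problems.append((lineno, "bad IPv4 address"))
            continue
        port = int(m["port"])
        if not 1 <= port <= 65535:
            problems.append((lineno, "port out of range"))
            continue
        if any(addr in net for net in _NOT_ROUTABLE):
            problems.append((lineno, f"non-routable address {addr}"))
            continue
        peers.append(Peer(m["h"].upper(), str(addr), port))
    return peers, problems

def endpoints(peers):
    """Unique ip:port strings, e.g. for a blocklist or a detection rule."""
    return sorted({f"{p.ip}:{p.port}" for p in peers})

# Constructed sample (made-up hashes, documentation-range addresses), not real Storm data.
SAMPLE = """\
05B3D57C0C90A1E2=192.0.2.10:4000
7C1F00AA91B2C3D4=198.51.100.7:1234
7C1F00AA91B2C3D4=198.51.100.7:1234
DEADBEEF=10.0.0.5:7000
not-a-peer-line
0BADF00D=203.0.113.9:99999
"""

if __name__ == "__main__":
    found, issues = parse_peer_list(SAMPLE)
    print(endpoints(found))
    for lineno, why in issues:
        print(f"line {lineno}: {why}")
```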

These peers are contacted to see if they have a particular hash the trojan is looking for. They in turn direct the infected client to other peers which may have the hash, until one is found. In the Storm Worm P2P code, the hash value doesn't actually correspond to a file; it is generated using an algorithm which takes as input the current system time and a random number between 0 and 31, outputting one of 32 possible hashes for any given day. When a peer responds with a search result containing this hash, it returns the searched-for hash and also provides a "result" hash in the response packet (05B3D57C0C90A in the illustration).

This hash is used as a decryption key by the Storm Worm P2P code, in concert with a second decryption key which is hard-coded in the body of the trojan itself. Also in the response packet is a single meta-tag named "id". The body of this tag contains an encrypted string which holds the URL of the second-stage executable. No files are ever transferred between hosts; the meta-tag and the result hash are the only things the trojan needs from the peers in order to find the download site.

The DDoS attack is conducted by game4. It receives the target IP address and attack type by downloading a configuration file from a website hard-coded in the body of the trojan. The configuration file specifies the target by IP address only; the tool has no provisions to resolve DNS names to addresses. In addition to the anti-spam sites we saw being attacked, the configuration file has also been seen containing IP addresses of websites associated with the Warezov virus - another spam system, probably operated by a competing spam group.

It seems that this spam group is prone to attack anyone that interferes with its business model, be it anti-spammer or spammer, or in some cases third-party services. For example, one IP address being attacked was capitalcollect. Following is a partial list of IP addresses seen targeted by the Storm Worm DDoS component during the time we were monitoring its control mechanism:

On Jan 30, the spamhaus. However, it soon became clear that it was an unintended target - apparently the Warezov spammers, in an attempt to deflect the DDoS attack, changed the DNS "A" records for some of their domains to point to the spamhaus.

It is worth mentioning that multiple DDoS attacks have occurred in the December and January timeframe, targeted at anti-spam sites and anti-rootkit software developers. An attack was even launched against the personal website of the author of this analysis, in retaliation for research into botnet-controlled pump-and-dump stock spam. These attacks have been determined to be from no fewer than three independent and unrelated botnets.

We see now that the spam war is escalating to new levels. It could be that the spammers have been emboldened by the successful attack on BlueFrog last year, which shut down a service that was affecting the spammers' ability to conduct their "business".


From the department of cosmic justice comes this gem, spotted by researchers from Symantec: Once installed, the trojan components are stored in an invisible folder and use strong encryption to keep communications private. The bot can force its host to take instructions through internet relay chat, perform DDoS attacks, and post fraudulent messages to the victim's Facebook account, among other things.

Now, Symantec researchers have uncovered weaknesses in the bot's peer-to-peer functionality that allow rival criminals to remotely steal or plant files on the victim's hard drive.

That means the unknown gang that took the trouble to spread the infection in the first place risks having their botnet stolen from under their noses. Jnanabot's P2P feature is designed to make botnets harder to take down by providing multiple channels of communication.

After sending an infected machine a single GET request, a website can discover all the information needed to upload any file to any location on the host's file system. Attackers can then install a simple backdoor on a user's machine by, for instance, writing a malicious program to a computer's startup directory. Still, infection statistics gathered by Symantec in December are surprising.

They show that about 16 per cent of infections hit Macs. They didn't show any infections on Linux machines. Turner said that Jnanabot attacks on the open source platform weren't able to survive a reboot. The bot was discovered spreading over Facebook posts that planted the following message on infected users' Facebook pages: Once the recipient is infected, his Facebook page carries the same dire warning.

It's not the first time that malware developers have built gaping vulnerabilities into their wares. In September, researcher Billy Rios disclosed a weakness in the Zeus crimeware kit that makes it easy to take over huge networks of infected PCs.
