John2g
New rootkit in the wild
»www.nthworld.org/archives/2006/0···th_w.htm
On March 20th, we here at Sana labs discovered an in-the-wild rootkit and Trojan that has been actively infecting machines since about the 16th of March. This kernel level rootkit was designed to stealth a Trojan that has some pretty scary capabilities. First, the Trojan can survive reboot and does not run as a separate process. Second, it can discover passwords used previously on a machine, so it does not need to log keystrokes. And third, since the Trojan is hidden by the rootkit, end users cannot see the Trojan on their disk.
This Trojan and rootkit were found during the investigation of an in-the-wild worm, named Win32.Alcra. This worm, if not stopped, attempted to contact various websites and download additional payloads. On one of these websites was the installer for this rootkit and Trojan. Once these components were silently installed on a machine, the Trojan invisibly started communicating with yet another web server located in Russia. This web server acts as the repository for the stolen usernames and passwords.
One of the sites is still actively infecting machines. It attempts to download several pieces of Spyware, Adware, and Trojans, in addition to the rootkit. The rootkit has two pieces: the first piece is a device driver named 'zopenssld.sys', and a DLL named 'zopenssl.dll'. The device driver appears to cloak any file named 'zopenssld.sys' or 'zopenssl.dll' regardless of where they reside, though the malicious versions are located in the System32 folder.
While the DLL was invisible on the file system, it is visible as an injected DLL in many running processes. Since zopenssl.dll registers itself as a Winlogon.exe extension and does not run as a process, most users would never see it, and it can survive even in safe mode.
The Trojan appears not to be active at all times, but it does wake up and start communicating when it sees a user browsing to a website that requires authentication. To view it in action, a virtual machine was infected with the rootkit and Trojan, and then the user browsed to »bankofamerica.com, and entered a fake username and password. All of the network traffic was recorded, and after ending the web browser session, the Trojan communication became apparent.
After further investigation, it was determined that this Malware was sending information to a web server located in Russia. Ironically, this web server was not secured, and any user browsing the site could view the information that was being stolen.
According to the dates on this web server, it has been active since at least the 16th of March. The oldest stolen data observed was from the 19th of March. Based on the sheer amount of data that has been stolen, the infection has been more than tripling in size every day.
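The post describes two behaviours that can each be checked from a second, independent view of the machine: the driver cloaks the files by name (so a directory listing that omits the name can be compared against a direct open of the same path), and the DLL persists as a Winlogon extension rather than a process. The script below is an added example, not code from the post or from Sana Labs. It assumes the DLL registers under the standard Winlogon Notify key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, value DllName), which the post does not state, and the allow-list of stock Notify packages is constructed for the example; the two file names are the ones given in the post.

```python
"""Added example: cross-view checks for a name-cloaking rootkit.

Two views of the same machine are compared:
  1. directory enumeration vs. a direct open of each suspected file name
     (a driver that filters listings by name usually lets the direct open
     through, so the two views disagree);
  2. the Winlogon Notify registry key vs. an allow-list of expected packages.
"""
import os
import sys
from typing import Callable, Iterable

# File names the post says the driver cloaks.
CLOAKED_NAMES = ("zopenssld.sys", "zopenssl.dll")

# Constructed allow-list (an assumption, not from the post): Notify package
# DLLs that ship with Windows XP. Extend it for your own build.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "dimsntfy.dll",
    "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll",
}


def _basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hidden_by_cross_view(listing: Iterable[str], probe_names: Iterable[str],
                         exists: Callable[[str], bool]) -> list:
    """Return probe names that open directly but are missing from the listing.

    `listing` is what directory enumeration returned; `exists` is the second
    view (a direct stat/open of the exact name). Names in both views, or in
    neither, are not suspicious.
    """
    seen = {n.lower() for n in listing}
    return sorted(n for n in probe_names if n.lower() not in seen and exists(n))


def scan_directory(directory: str, probe_names=CLOAKED_NAMES) -> list:
    """Cross-view scan of a real directory: os.listdir vs. os.stat."""
    def direct_open(name: str) -> bool:
        try:
            os.stat(os.path.join(directory, name))
            return True
        except OSError:
            return False
    return hidden_by_cross_view(os.listdir(directory), probe_names, direct_open)


def suspicious_notify_packages(packages, known_good=KNOWN_NOTIFY_DLLS) -> list:
    """Flag (subkey, DllName) pairs whose DLL is not on the allow-list."""
    allow = {_basename(d) for d in known_good}
    return sorted((sub, dll) for sub, dll in packages
                  if _basename(dll) not in allow)


def read_winlogon_notify() -> list:
    """Windows only: (subkey, DllName) for every Winlogon Notify package."""
    import winreg
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
    pairs = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            sub = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, sub) as subkey:
                try:
                    dll = winreg.QueryValueEx(subkey, "DllName")[0]
                except OSError:
                    dll = ""  # package without a DllName value
            pairs.append((sub, dll))
    return pairs


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the suspect Windows machine")
    system32 = os.path.join(os.environ["SystemRoot"], "System32")
    for name in scan_directory(system32):
        print("cloaked file (opens but not listed):", name)
    for sub, dll in suspicious_notify_packages(read_winlogon_notify()):
        print("unexpected Winlogon Notify package:", sub, "->", dll)
```

Run it from the infected machine itself, not from an offline mount: the point is that the rootkit's filter driver is active and lying to the enumeration path while the direct open still succeeds. A clean machine, or a disk scanned from another OS, reports nothing from the first check, and the second check then only tells you which Notify packages are not on your allow-list.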
HMS1
Very bad, per that description. Of course, once there is any infection on the root account, there's no limit to what else can be installed.
According to the article this is spread by "an in-the-wild worm, named Win32.Alcra". A quick Google indicates the vector is probably a virus rather than a worm - in the correct terminology, an infection that requires user interaction rather than spreading autonomously. Some references:
"There is a virus Win32.Alcra.F that has the name RemoveIT Pro 2.4 SE.zip and it spreads itself via sharing networks. So please beware if you are downloading this zip file or some other zip file via a sharing network, and keep your antivirus up to date." ( »www.incodesolutions.com/index2.html )
One variant is known as "winfixer" (»www.informationsarchiv.net/foren···458.html )
A Zone Labs page about Win32.Alcra is listed in the Google results but unavailable from a search on ZL or from the Google cache.
This is the most informative page I found: »www3.ca.com/securityadvisor/viru···id=43300
ZOverLord (reply to John2g)
Sorry, this is different.
lawrence171 (reply to John2g)
Rootkits and so-called DRM protection for games. I wonder which is a by-product of which.
EGeezer (reply to John2g)
Re: New rootkit in the wild
Interesting that when I did a Google search on Rootkit.hearse (exact phrase), I got no hits. However, using Mamma.com and Dogpile.com (exact phrase search) I got several relevant results.
After seeing Bob Rankin's Tourbus site dropped from Google's search rankings I'm less confident of the thoroughness of their engine. As much as I have liked Google, they're beginning to show deficiencies that are pushing me to use other engines.
John2g (reply to John2g)
It is part of the Goldun family of trojans/rootkits.
GoogleAlert (reply to EGeezer)
quote: EGeezer said: As much as I have liked Google, they're beginning to show deficiencies that are pushing me to use other engines.
Wait until you see how spammers are exploiting Google for ranking using sites like BBR. The more a site attempts to restrict/control the flow of data, the more vulnerable they are.
caffeinator
said by GoogleAlert: The more a site attempts to restrict/control the flow of data the more vulnerable they are.
Wrong.
The more they try, the bigger target.
But not more vulnerable out of hand.
They know the more they try and resist and also teach others to resist, the more risk they take on, and plan for it.
Unless they are complete fools.
Well, unless you're the US Gov't... they talk big and deliver less. (Google .mil sites, you'll see; DOD forgets about Google a lot, esp. its cache.)
Search engines, lots is going on that's new, ever see »www.kartoo.com ?
Oddly, the more the 'Net evolves, the more I retreat into its recesses... Gopherspace, anyone?
-CaFF
SpannerITWks (reply to John2g)
Naughty rootkits/stealth/trojans etc. This one sounds very clever indeed! I thought that they would need to get more tricky though, and it'll be interesting to see what other stuff pops up, or not if we can't see them, lol. Got to love them for ingenuity though, nussnuss!
EGeezer
Yes, you're right, I've also noticed a lot of stuff appears to be missing from searches, and also gone walkies too.
caffeinator
Don't mention DOD/MIL etc. to me, lol! Thanks for the kartoo link, didn't know about that one, and there's a non-SWF version too.
Spanner
Shadye (reply to John2g)
quote: Second, it can discover passwords used previously on a machine, so it does not need to log keystrokes.
I don't see how this is possible. This ruins the entire story's credibility.
y2k1100
Can this rootkit-type trojan cause damage even when running as a restricted user?
y2k1100
How can one protect against this evil nasty stuff? Will running as a restricted user help?
novaflare
said by y2k1100: how can one protect from this evil nasty stuff? will running as restricted user help?
If the trojan's author had a brain, no it won't. It would just run under the user account and capture just that user's information. Easier to detect and remove, but just as damaging till you do.
SpannerITWks (reply to y2k1100)
Running as non-admin "can" be safer in many ways, but I certainly wouldn't rely on 100% security even then, especially with stealthy stuff!
Spanner
y2k1100
Does it rely on any services, so I can disable the services that the trojan depends on?
John2g
The best protection is to use an AntiTrojan that will detect and remove any rootkit, whether it is user mode or kernel mode.
novaflare (reply to y2k1100)
said by y2k1100: does it rely on any services so I can disable those services that the trojan depends on?
The best defense doesn't rely on any programs exclusively, or on disabling services. When you rely on some app or on shutting down service X to protect you, that's when you get infected by something not detected or stopped by doing so.
In other words, stay away from risky web sites, don't open unknown files in emails, etc.
foxsteve (reply to John2g)
John2g, how do you delete passwords used previously on a machine for each category? For the IE browser it is understandable, but what about other browsers?