Ingreslock Exploit: Alive and Well

| | Comments (0)

There has been a large steady stream of new Trojans coming out of China lately. Now it seems like its starting to look more drastic than that. It all begins with Downloader-Arun. Like most other downloaders, its purpose is to download as many Trojans as possible. This is just how bad it can get:

arun.png
Breakdown of what Downloader-Arun installs on the victim PC.

While Downloader-Arun is installing, it contacts another Chinese site to download sercer.exe onto the victim's PC. Sercer.exe is immediately ran and moved to C:\Program Files\Internet Explorer as SPLOAE.exe.

http://blog.spywareguide.com/upload/2007/08/directory-thumb.png
Sercer.exe has the same file size and MD5 hash as C:\Program Files\Internet Explorer\SPLOAE.exe.

Once SPLOAE.exe is running, it gets information that is stored in SPLOAE.dat.

http://blog.spywareguide.com/upload/2007/08/packetcapture-thumb.PNG
This is the same information that is stored in SPLOAE.dat.

Since the infection is in the Internet Explorer directory, it's probably a good idea to check out what kinds of connections are taking place. Looking closer at the connection you'll see that someone is attempting exploit your computer! You may recognize this type of attack if you were a playboy customer in '98.

http://blog.spywareguide.com/upload/2007/08/ingreslock1524-thumb.PNG
A connection has been made at port 1524. Foul play is sure to follow.

Now would be a good time to check and see what kinds of connections are currently active on the infected PC.

http://blog.spywareguide.com/upload/2007/08/netstat-thumb.png
You can tell if there is a connection to your computer by using the netstat -a -n command.

There is a connection established to the same IP address that was seen during the installation. Taking a closer look at the domain brings you to *dramatic pause* his blog!

http://blog.spywareguide.com/upload/2007/08/hack-thumb.png
The established connection redirects to a blog of questionable safety.

Fortunately for the victim, there is a very easy way to tell if you are being exploited by this threat. If you are infected by this particular threat, there will be an autostarter value called "MrXiaokan".

http://blog.spywareguide.com/upload/2007/08/autostarter-thumb.png
This threat auto starts using the value "Mrxiaokan"

This was just 1 of the files that was installed from the original Trojan Downloader-Arun. Other threats are out there just waiting to be clicked. My advice to you is this: Mind your clicks.

Leave a comment

About this Entry

This page contains a single entry by Chris Mannon published on August 28, 2007 12:19 PM.

This Week On Myspace.... was the previous entry in this blog.

Welcome to Singapore is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.