Quick Links: SpywareGuide Greynets Blog | SpywareGuide Product Database | SpywareGuide Company Database | SpywareGuide Categories
SpywareGuide powered by FaceTime Security Labs
Search SpywareGuide Greynets Database & Site
Security Email Alerts & Updates
 
Search the Blog
 
Recent Posts
Categories
Monthly Blog Archives
Links
Subscribe
Subscribe to this blog's feed
About the Blog
About SpywareGuide Greynets Blog
Link to Us
Link to SpywareGuide.com

« This Week On Myspace.... | Main | Welcome to Singapore »

  • Ingreslock Exploit: Alive and Well

There has been a large steady stream of new Trojans coming out of China lately. Now it seems like its starting to look more drastic than that. It all begins with Downloader-Arun. Like most other downloaders, its purpose is to download as many Trojans as possible. This is just how bad it can get:

arun.png
Breakdown of what Downloader-Arun installs on the victim PC.

While Downloader-Arun is installing, it contacts another Chinese site to download sercer.exe onto the victim's PC. Sercer.exe is immediately ran and moved to C:\Program Files\Internet Explorer as SPLOAE.exe.

http://blog.spywareguide.com/upload/2007/08/directory-thumb.png
Sercer.exe has the same file size and MD5 hash as C:\Program Files\Internet Explorer\SPLOAE.exe.

Once SPLOAE.exe is running, it gets information that is stored in SPLOAE.dat.

http://blog.spywareguide.com/upload/2007/08/packetcapture-thumb.PNG
This is the same information that is stored in SPLOAE.dat.

Since the infection is in the Internet Explorer directory, it's probably a good idea to check out what kinds of connections are taking place. Looking closer at the connection you'll see that someone is attempting exploit your computer! You may recognize this type of attack if you were a playboy customer in '98.

http://blog.spywareguide.com/upload/2007/08/ingreslock1524-thumb.PNG
A connection has been made at port 1524. Foul play is sure to follow.

Now would be a good time to check and see what kinds of connections are currently active on the infected PC.

http://blog.spywareguide.com/upload/2007/08/netstat-thumb.png
You can tell if there is a connection to your computer by using the netstat -a -n command.

There is a connection established to the same IP address that was seen during the installation. Taking a closer look at the domain brings you to *dramatic pause* his blog!

http://blog.spywareguide.com/upload/2007/08/hack-thumb.png
The established connection redirects to a blog of questionable safety.

Fortunately for the victim, there is a very easy way to tell if you are being exploited by this threat. If you are infected by this particular threat, there will be an autostarter value called "MrXiaokan".

http://blog.spywareguide.com/upload/2007/08/autostarter-thumb.png
This threat auto starts using the value "Mrxiaokan"

This was just 1 of the files that was installed from the original Trojan Downloader-Arun. Other threats are out there just waiting to be clicked. My advice to you is this: Mind your clicks.

Posted by Chris Mannon on August 28, 2007 12:19 PM |

  • TrackBack

TrackBack URL for this entry:
http://blog.spywareguide.com/mt/mt-tb.cgi/200

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)


Site EULA | Site Map | Contact Us | About Us | Site and Spyware FAQ | Advertise | RSS Feeds  | Link To Us | SpywareGuide JapanJapanese

© Copyright 2006, FaceTime Communications, Inc. All rights reserved.