SpywareGuide powered by FaceTime Security Labs

RoBoDog...a New Trick

There are several techniques malware coders use to infiltrate a seemingly secure network. I recently saw an interesting new way for attackers to potentially cause massive amounts of damage to networked computers. It begins the way most of these attacks begin: one person downloading something they shouldn't.

The person responsible for the infection will most likely not know that they are infected. In the example I will be using in this blog, the victim downloads an executable from a Chinese site and runs it; the executable then deletes itself from the system. Before it is deleted, it drops several files in the system32 directory as well as a rootkit in the temp directory of the infected PC.

http://blog.spywareguide.com/upload/2008/03/sys32-thumb.PNG


These files are responsible for sending ARP requests across the network in order to map the infected LAN.


http://blog.spywareguide.com/upload/2008/03/dat-thumb.PNG


The dat file stores the phone-home URLs this infection calls from this machine and from any other machine it can infect.


As you can see here, the infection monitors the download status of the malware files. In order to get away with this level of treachery, the attacker has a rootkit and a bot installed in a temp directory.


http://blog.spywareguide.com/upload/2008/03/robo-thumb.PNG


This rootkit creates a service called PciHardDisk. This is probably to discourage any curious parties from deleting it.


The innocent-looking robopup executable directly above the rootkit is actually run whenever certain processes attempt to start. The attacker accomplishes this in an unusual way that is likely to be used more frequently in the future. Windows has a location in the registry called Image File Execution Options. This location has a legitimate purpose, but it also has malicious applications. It is possible to add a subkey named after a program (for example: notepad.exe) in this area of the registry and set another application (for example: bad.exe) as its debugger. Once that is done, every time the user attempts to run notepad.exe, the OS will run bad.exe instead.


http://blog.spywareguide.com/upload/2008/03/IFEO-thumb.PNG


The attacker manipulates the registry so that a select group of processes will run the robopup executable previously seen in the temp directory.
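As an added illustration (not code from the original post or from FaceTime), the following Python script audits a `reg export` of the Image File Execution Options key for Debugger values, the redirection mechanism described above, and flags any debugger that lives in a temp directory. The sample export, the C:\WINDOWS\Temp path and the notepad.exe target are constructed for the example; a real export is UTF-16 and should be read with `encoding="utf-16"`.

```python
import re
from typing import Dict, List

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Triage assumption: a legitimate debugger is rarely installed into a temp folder.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\")

# Constructed sample of what `reg export "<IFEO key>" ifeo.reg` produces.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\WINDOWS\\Temp\\robopup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe]
"DisableHeapLookaside"=dword:00000001
'''


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"=value lines of a .reg export into a dict."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                # REG_SZ values are quoted and escape backslashes as "\\".
                value = value[1:-1].replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def find_ifeo_debuggers(text: str) -> List[Dict[str, object]]:
    """Return every IFEO subkey that carries a Debugger value, with a triage flag."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue          # the IFEO key itself or an unrelated key
        debugger = values.get("Debugger")
        if debugger is None:
            continue          # subkeys without Debugger cannot redirect execution
        target = key.rsplit("\\", 1)[1]
        suspicious = any(d in debugger.lower() for d in SUSPICIOUS_DIRS)
        hits.append({"target": target, "debugger": debugger, "suspicious": suspicious})
    return hits
```

Every hit deserves review, since a Debugger value silently substitutes one program for another; the temp-directory flag only orders the list.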


Network administrators should watch their server logs for unauthorized requests probing for directories to browse. Such a request should look something like this:

OPTIONS / HTTP/1.1
translate: f
User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600

Facetime Security Labs detects this threat as RoBoDog.




© Copyright 2006, FaceTime Communications, Inc. All rights reserved.