Encyclopedia results for Rootkit


  1. Torpig

    Torpig, also known as Sinowal or Anserin (mainly spread together with the Mebroot rootkit), is a type of botnet spread by a variety of trojan horses which can affect computers that use Microsoft Windows. Torpig circumvents antivirus applications through the use of rootkit technology and scans the infected system for credentials, accounts and passwords, as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks. As of November 2008 it has been responsible for stealing the details of about 500,000 online bank accounts and credit and debit cards and is described as one of the most advanced pieces of crimeware ever created (ref: BBC News, "Trojan virus steals bank info", http news.bbc.co.uk 1 hi technology 7701227.stm). In early 2009, a team of security researchers from the University of California, Santa Barbara took control of the botnet for ten days. During that time, they extracted an unprecedented amount (over 70 GB) of stolen data and redirected 1.2 million IPs on to their private command and control server. The report (ref: UCSB Torpig report, http www.cs.ucsb.edu seclab projects torpig index.html) goes into great detail about how the botnet operates.

    See also: Mebroot; Drive-by download; Phishing; Man-in-the-browser; Conficker (a worm that also uses domain name generation, or domain flux); Timeline of computer viruses and worms.

    External links: "One Sinowal Trojan One Gang Hundreds of Thousands of Compromised Accounts" by RSA FraudAction Research Lab, October 2008 (http www.rsa.com blog blog entry.aspx?id 1378); "Don't be a victim of Sinowal, the super Trojan" by Woody Leonhard, WindowsSecrets.com, November 2008 (http www.windowssecrets.com 2008 11 20 03 Dont be a victim of Sinowal the super Trojan); "Antivirus tools try to remove Sinowal Mebroot" (http windowssecrets.com 2008 11 26 03 Antivirus tools try to remove Sinowal Mebroot) ...   more details



  1. Network Crack Program Hacker (NCPH) Group

    rootkit used in attacks on the US Department of Defense in 2006. ref name fserror1 As the group ... the Chinese hacker WHG, also known as fig as one of the developers of the GinWui rootkit. WHG is an expert ... association websites in China. ref name autogenerated1 GinWui Rootkit Wicked Rose is the creator of the GinWui rootkit. His code and support posts are on Chinese hacker message boards, and was also available from the NCPH blog. ref name fserror1 Security researchers discovered the rootkit ... in an attack against a Department of Defense entity. They used two different versions of the rootkit ... featured backdoor with rootkit characteristics. It is distributed through Word documents. The backdoor ...   more details



  1. Greg Hoglund

    HBGary e mails indicate it was planning a new breed of rootkit url http www.networkworld.com news ... www.rootkit.com rootkit.com , a popular site devoted to the subject of rootkit s. Rootkit.com was compromised ... news Rootkit com Compromise Poses Risks to Other Sites 184099.shtml Rootkit.com Compromise ... 0201786958. Articles A REAL NT Rootkit, patching the NT Kernel , Phrack magazine, 1999 ref cite web ... An Exercise in Advanced Rootkit Design , BlackHat 2005 2006 USA Europe Asia ref cite web author ...   more details



  1. Extended Copy Protection

    as the Sony rootkit . Security researchers beginning with Mark Russinovich in October 2005 have described the program as functionally identical to a rootkit a software program used by computer hackers ... in the manner of a rootkit a common computer criminal s toolkit for hiding their malicious activities ... a trojan horse computing trojan horse and a rootkit ref cite web url http www3.ca.com securityadvisor ... BMG application. This rootkit driver modifies what information is visible to the operating system in order to cloak the Sony BMG software. This is commonly referred to as rootkit technology. Furthermore, the rootkit does not only affect XCP.Sony.Rootkit s files. This rootkit hides every file ... that malware? His answer is that users lose... A dangerous and damaging rootkit gets introduced into the wild ... Rootkit first Bruce last Schneier 2005 11 17 publisher Wired ref Impact of XCP Beginning as early ... without the rootkit also phone home to the same address that rootkit affected discs use, so infection ... Foundation s Fred von Lohmann also heavily criticised the XCP EULA , calling it the legalese rootkit. ref cite web url http www.eff.org deeplinks 2005 11 now legalese rootkit sony bmgs eula title Now the Legalese Rootkit Sony BMG s EULA date 2005 11 09 first Fred last von Lohmann ref One of the primary ... off autorun prevented the rootkit installation and thus invalidated the DRM scheme. The second problem ... business division asked, Most people, I think, don t even know what a rootkit is, so why should they care ... is designed to protect our CDs from unauthorized copying and ripping and Rootkit technology ... the rootkit component from their computers. An uninstaller for XCP Aurora is available from the Sony ...   more details



  1. 12 Songs (Neil Diamond album)

    installed rootkit software on any Microsoft Windows machine upon insertion of the disc. In addition ... insecure features of the rootkit software. Though Sony refused to release a list of the affected ... Are You Affected By Sony BMG s Rootkit? November 9, 2005 from Electronic Frontier Foundation ...   more details



  1. List of Compact Discs sold with Extended Copy Protection

    Main article: Extended Copy Protection. The following Compact Discs sold by Sony BMG Music Entertainment were shipped with the computer software known as Extended Copy Protection (XCP) (ref: "Sony officially lists 52 XCP infected CDs & faces a loss of sales", http www.myce.com news Sony officially lists 52 XCP infected CDs faces a loss of sales 11149). As a result, any Microsoft Windows computer that has been used to play these CDs is likely to have had XCP installed. This can cause a number of serious security problems. Several security software vendors, including Microsoft, regard XCP as a trojan horse, spyware, or rootkit (ref: "Microsoft to Zap Sony DRM Rootkit", http www.eweek.com c a Security Microsoft to Zap Sony DRM Rootkit). Mac OS X systems used to play these CDs may have been affected with a similar program, MediaMax (ref: "Analysis of the MediaMax CD3 Copy Prevention System", http www.cse.umich.edu jhalderm pub cd3).

    Album list: 12 Songs by Neil Diamond; At This Time by Burt Bacharach; The Best of Shel Silverstein by Shel Silverstein; B in the Mix: The Remixes by Britney Spears; Bob Brookmeyer & Friends by Bob Brookmeyer; The Body Acoustic by Cyndi Lauper; Broken Valley by Life of Agony; Cautivo by Chayanne; Complicated by Nivea; The Dead 60s by The Dead 60s; Dreamin' My Dreams by Patty Loveless; Drum Suite by Art Blakey; The Essential Dion by Dion; The Essential Pete Seeger by Pete Seeger; Faso Latido by A Static Lullaby; Foggy Mountain Jamboree by Flatt & Scruggs; Friendship by Ray Charles; Get Right with the Man by Van Zant; Goldon by Elkland; The Great American Songbook by Billie Holiday; The Great American Songbook by Frank Sinatra; The Great American Songbook by Louis Armstrong; Healthy i ...   more details



  1. System Management Mode

    businesscenter article 145703 SMM based rootkit http www.msuiche.net 2008 08 06 smm rootkit limitations and how to defeat it SMM Rootkit limitations. and how to defeat it Category X86 operating modes ...   more details



  1. Dr. Web

    infections Platinum Malware Treatment Award ahead of Avast and Kaspersky 100 4.44 11 01 2008 anti rootkit tests Silver Anti Rootkit Protection Award 5 of 8 4.44 03 20 2008 detection of polymorphic viruses ...   more details



  1. The Invisible Invasion

    Copy Protection , a controversial feature that automatically installed rootkit software on any Microsoft ... exposed the computer to malicious attacks that exploited insecure features of the rootkit software ... https www.eff.org deeplinks 2005 11 are you infected sony bmgs rootkit title Are You Affected By Sony BMG s Rootkit? date date November 8, 2005 mdy publisher Electronic Frontier Foundation ref Chart ...   more details



  1. ProRat

    ProRat is a Microsoft Windows based backdoor trojan horse, more commonly known as a RAT (Remote Administration Tool). As with other trojan horses it uses a client and server. ProRat opens a port on the computer which allows the client to perform numerous operations on the server (the machine being controlled). ProRat is available in a free version and a paid version. In the free version, ProRat cannot connect to users over wide area networks (WANs), only over LANs (local area networks). ProRat is known for its server being almost impossible to remove without up-to-date antivirus software.

    Features: ProRat allows many malicious actions on the victim's machine. Some of its abilities include: logging keystrokes; stealing passwords; full control over files; drive formatting; open/close CD tray; hide taskbar, desktop, and start button; writing on screen; movement of cursor; take screenshots; view system information; view webcam; download & run files; password protect your binded server from being used by anyone else.

    Infection method: ProRat has a server creator with features that allow it to be undetected by antivirus and firewall software, and also allow it to stealthily run in the background. The software runs completely (including rootkit) in Windows 2000/XP, and such features include killing security software, removing and disabling system restore points, and displaying a fake error message to mislead the victims. It is often bound with other file types, such as image files, and when the image file is viewed, the server is installed in the background, undetected if no antivirus software has been installed (Symantec Security Response, http www.symantec.com avcenter venc data backdoor.prorat.html).

    See also: Trojan; Backdoor; Remote administration software ...   more details



  1. Host protected area

    . ref Blunden, Bill. The Rootkit Arsenal Escape and Evasion in the Dark Corners of the System. 1st ... enclosure again with the affected drive. Some rootkit s hide in the HPA to avoid being detected by anti rootkit and antivirus software. ref Blunden, Bill. The Rootkit Arsenal Escape and Evasion ...   more details



  1. McAfee Stinger

    McAfee Stinger. Developer: Avert Labs (McAfee). Latest release: v10.2.0.532 (2012-03-06). Operating system: Microsoft Windows. Genre: Antivirus. License: Proprietary freeware. Website: http vil.nai.com vil stinger default.aspx (McAfee Labs Stinger).

    McAfee Stinger is a small, unsupported, frequently updated on-demand virus scanner designed to remove specific viruses. It is not designed as a general purpose antivirus program, but as a tool to assist in dealing with infected systems. It uses current technology and easily fits on a USB drive. It detects around 3,000 viruses, trojans and variants, including rootkits, a number that increases as threats are added (ref: "McAfee Labs Stinger", http vil.nai.com vil stinger default.aspx, accessed 2011-01-27). Since 2010 Stinger has specifically targeted fake alert threats, a form of scareware (ref: "New McAfee Labs Stinger Helps Remove FakeAlert Threats", http www.mytechguide.org 2010 03 24 new mcafee labs stinger helps remove fakealert threats, accessed 2010-08-08).

    External links: http vil.nai.com vil stinger (download site with instructions and the current list of threats covered) ...   more details



  1. Supply chain attack

    A supply chain attack is a cryptographic attack where a product, typically a device that performs encryption or secure transactions, is tampered with during manufacture or while it is still in the supply chain by persons with physical access. The tampering may, for example, install a rootkit or hardware-based spying components.

    Description: In October 2008, Dr Joel Brenner of the Office of the National Counterintelligence Executive warned that Chip and PIN credit card readers used at point of sale in Europe had been tampered with, either where they were manufactured or while in transit to financial institutions (ref: Austin Modine, "Organized crime tampers with European card swipe devices", The Register, 2008-10-10, http www.theregister.co.uk 2008 10 10 organized crime doctors chip and pin machines, accessed 2009-04-18). Credit card information intercepted by the rogue devices was being relayed back to criminals in Pakistan and China via the mobile phone network. According to MasterCard, the easiest way to identify devices that have been tampered with is to weigh them, as the rogue devices weigh 4 oz more than the authentic ones because of the addition of hardware-based spy components (refs: Henry Samuel, "Chip and pin scam has netted millions from British shoppers", The Daily Telegraph, 2008-10-10, http www.telegraph.co.uk news newstopics politics lawandorder 3173346 Chip and pin scam has netted millions from British shoppers.html, accessed 2008-10-13, dead link as of October 2010; Siobhan Gorman, "Fraud Ring Funnels Data From Cards to Pakistan", Wall Street Journal, 2008-10-11, http online.wsj.com article SB122366999999723871.html, accessed 2008-10-13) ...   more details



  1. Lost Door RAT

    Lost Door is the unique Tunisian backdoor trojan horse family (ref: "Lost Door 3.2 The RAT", TechMantras, http www.techmantras.com content lost door 32 rat, accessed 2010-12-28) of more than 10 variants which can infect Windows operating systems from 95 to 7. It was created by OussamiO and built using Visual Basic. It uses the typical server, server builder, and client backdoor program configuration to allow a remote user, who uses the client, to execute arbitrary code on the compromised computer, which runs the server, whose behavior can be controlled by the server editor. The server component (75,053 bytes), when running, connects to a predefined IP address on Transmission Control Protocol (TCP) port 2185, awaiting commands from the remote user, who uses the client component and can execute arbitrary code at will on the compromised computer. Lost Door allows many actions on another person's computer; these can be malicious and can be taken without the computer owner's knowledge.

    Infection method: Lost Door has a server creator with features that may allow it to evade detection by some antivirus and firewall software. The software only runs completely (including rootkit) in Windows XP/2000. Such features include disabling security software, removing and disabling system restore points, and displaying a fake error message to mislead the victim.

    See also: Trojan; Backdoor; Remote Administration Tool.

    External links: Official website (http www.lost door.com); Check Point (http www.checkpoint.com defense advisories public 2009 cpai 30 Mar.html); Megasecurity (http www.megasecurity.org trojans l lostdoor Lostdoor all.html) ...   more details



  1. Norton Power Eraser

    Norton Power Eraser (developer: Symantec Corporation) is a small portable executable that uses Norton Insight in-the-cloud application ratings to scan the system. It checks which list the application is in. If it's in the list of trusted applications, it leaves it on the system. If it's in the list of bad applications, it marks it for deletion. If it's unknown and not in any list, it reports it as suspicious, but does not mark it for removal. Instead it recommends a remote scan, which will upload the file to Symantec's servers to check it with virus definitions.

    Effectiveness: Power Eraser is very aggressive (ref: http security.symantec.com nbrt npe.aspx?lcid 1033) toward unknown threats, since they won't be whitelisted and will be marked for removal or sent for analysis. The tool also features rootkit scanning, which requires a system restart. Threat removal is also performed after restart, on the next boot, to avoid the self-protection of viruses and trojans. Norton Power Eraser has an issue where it identifies Photoshop as a threat. However, the only issue the program reports is a problem with the shortcut; while you think you are simply fixing a dead-link shortcut, Norton Power Eraser removes the program and saved files. If you discover missing programs after running Norton Power Eraser, you can run Norton Power Eraser (ref: http security.symantec.com nbrt npe.aspx) to review past repair sessions and undo them ...   more details



  1. Blue Pill (software)

    Blue Pill is the codename for a rootkit based on x86 virtualization. Blue Pill originally required AMD-V (Pacifica) virtualization support, but was later ported to support Intel VT-x (Vanderpool) as well. It was designed by Joanna Rutkowska and originally demonstrated at the Black Hat Briefings on August 3, 2006, with a reference implementation for the Microsoft Windows Vista kernel.

    Overview: The Blue Pill concept is to trap a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it. The previous operating system would still maintain its existing references to all devices and files, but nearly anything, including hardware interrupts, requests for data and even the system time, could be intercepted and a fake response sent by the hypervisor. Joanna Rutkowska claims that, since any detection program could be fooled by the hypervisor, such a system could be 100% undetectable. Since AMD virtualization is seamless by design, a virtualized guest is not supposed to be able to query whether it is a guest or not. Therefore, the only way Blue Pill could be detected is if the virtualization implementation were not functioning as specified (ref: "Blue Pill Prototype Creates 100% Undetectable Malware", Ryan Naraine, eWeek.com, http www.eweek.com article2 0,1895,1983037,00.asp). This assessment, repeated in numerous press articles, is disputed: AMD issued a statement dismissing the claim of full undetectability (ref: "Faceoff AMD vs. Joanna Rutkowska", eWeek.com, http securitywatch.eweek.com rootkits faceoff amd vs joanna rutkowsk.html). Some other security researchers and journalists also dismissed the concept as implausible (ref: "Debunking Blue Pill Myth", virtualization.info, http www.virtualization.info 2006 08 debunking blue pill myth.html). Virtualization could be detected by a timing attack relying on external sources of time ... their rootkit detector software at that year's Black Hat conference, ref http blogs.zdnet.com security ...   more details



  1. Bandook

    , Rootkit , SDT Restore and more Change the server component s executable name, installation ... Rootkit obscures infection of another computer Plugins based Server 30 KB Packed Different Installation ...   more details



  1. Storm Worm

    2008 04 24 publisher Darkreading.com author Kelly Jackson Higgins ref Rootkit Another action the Storm Worm takes is to install the rootkit Win32.agent.dh. ref name ZDN Symantec pointed out that flawed rootkit code voids some of the Storm Worm author s plans. Later variants, starting around July 2007, loaded the rootkit component by patching existing Windows drivers such as tcpip.sys and cdrom.sys with a stub of code that loads the rootkit driver module without requiring it to have an entry ... detection system offers some protection from the rootkit, as it may warn that the Windows process ...   more details



  1. LoJack

    ref Cite web last Sacco first Anibal coauthors Alfredo Ort ga title Deactivate the Rootkit work Exploiting ... enhanced rootkit that can bypass all chipset or installation restrictions and reutilize many existing ... last Sacco first Anibal coauthors Alfredo Ort ga title Deactivate the Rootkit work Black Hat Briefings accessdate 2009 08 06 url http www.coresecurity.com content Deactivate the Rootkit ref Absolute ... downplays BIOS rootkit claims work ZDNet accessdate 2009 08 20 url http blogs.zdnet.com security ?p ... Anibal coauthors Alfredo Ort ga title Deactivate the Rootkit work Core Security Technologies accessdate ... Deactivate the Rootkit ref Company The manufacturing company is also called LoJack NYSE LOJN ...   more details



  1. AVG (software)

    Rootkit, Web Shield, Security Toolbar, Firewall, Anti Spam, Identity Protection and System Tools protection ... Spyware, LinkScanner, Anti Rootkit, Web Shield, Security Toolbar and Firewall protection components ... been merged into AVG Anti Virus Free Edition AVG Anti Rootkit was a free anti Rootkit program that was discontinued ..., Anti Rootkit, Web Shield, and Security Toolbar protection components. AVG Search a search engine ... as the commercial product however, it lacked anti rootkit protection until 2010. The older 7.5 Free ... s, but cannot scan for rootkit like activity. The 8.5 version of AVG Anti Virus Free Edition version lacks any anti rootkit capability. While there is no official protection for files from messaging ..., excluding AVG Anti Rootkit Free Edition now discontinued , are compatible with the 64 bit edition ...   more details



  1. Mark Russinovich

    , Russinovich discovered the Sony rootkit in Sony DRM products. Its function was to prevent users from copying their media. ref name Sony Affidavit In 2006, Russinovich discovered a rootkit in a product of security software company Symantec . Symantec directly removed the rootkit. ref http www.zdnet.com blog spyware symantec confesses to using rootkit technology 747 ref ref http securityresponse.symantec.com ... and digital rights management gone too far.aspx Original Article on Sony s rootkit http blogs.technet.com ...   more details



  1. Back Orifice 2000

    things from system rootkit behaviour, based on FU Rootkit accessing systems hidden by a firewall ... and Back Orifice 2000 are widely regarded as malware , tools intended to be used as a combined rootkit ...   more details



  1. Christopher Boyd

    in the Windows operating system. Instant messaging rootkit In October November 2005, Boyd discovered what is considered to be the first known instance of a rootkit being distributed via instant ... 0,1895,1888714,00.asp AIM Rootkit Attack Traced to Middle East Bot generated title ref Over a period ...   more details



  1. Shine (Trey Anastasio album)

    Copy Protection , a rootkit based form of copy protection by Sony BMG, who owns Columbia Records ...   more details



  1. Thomas Hesse

    questioned about Sony s controversial use of a rootkit that acts as spyware and malware that led to the 2005 ..., Hesse said, Most people, I think, don t even know what a rootkit is, so why should they care about it? ref http www.theregister.co.uk 2005 11 09 sony drm who cares Sony digital boss rootkit ignorance ... a sonypres.htm Sony President Defends Rootkit http www.wired.com listening post 2008 02 keynote intervi ...   more details




Articles 26 - 50 of 176



©2011-2013 TutorGig.info All Rights Reserved. Privacy Statement