Christmas IM Worm a Nasty Present

Nother article here

http://www.pcworld.com/news/article/0,aid,124028,00.asp

explains a bit more about the URL you are visiting.

Isn't it ovious that rootkits are now the norn rather then the exception?

Guessing it still requires an unpatched browser.

controler

 

I heard of two scenarios.

One, the browser prompted but daughter downloaded the file anyway, thinking it was a picture, not realizing that .com is not your normal picture file. Anti-virus did not catch it.

Two, father has an intrusion prevention program - not sure what it is - but uses White List. The kids need his permission to download, and so, were blocked from downloading it.

I went directly to the site and watched it in action. It's a typical trojan downloader.

Santa Claus bot in action​

regards,

-rich
________________
~~Be ALERT!!! ~~

 

isc.sans.org reported that the santa claus site has been taken down.

Over at DSLR someone posted a link to a list of similar sites, and all but one had been taken down.

It seems like some organization is stepping up to remove more of these sites as they are discovered. Do you suppose just notifying the host service is what does it?

regards,

-rich
________________
~~Be ALERT!!! ~~

 

Thanks for posting the article.

There is now some question as to whether or not a rootkit was involved:

http://isc.sans.org/diary.php?storyid=955

-rich

 

Was a rootkit involved or not?

 

We may never know.

A quick search for this worm (or bot) found 20+ tech news sites with this story - all referencing the same source: tc.imlogic.com which described "rootkit" and "keylogger" as part of the worm.

isc.sans.org evidently was the only other site which analyzed the executable, saying that there was no rootkit nor keylogger. Either imlogic did faulty analysis, or there was more than one version of the worm.

When I let the worm run step by step, nothing like that attempted to install and in this case, would be easy to block anyway.

Rookit

Rootkits are described as having an executable (dropper) and a .dll or .sys (driver):

Rootkit_PG

Rootkit_AE​

Keylogger

Key loggers are described as consisting of two files: a DLL which does all the work and an EXE which loads the DLL and sets the hook:

Keylogger_PG

Keylogger_AE​

From Kareldjag's concluding article in his rootkit series:

"Personal HIPS are the most important anti-rootkit defense after the firewall. Many of them have the ability to detect service/driver installation which are often required for rootkits. Moreover, theses Desktop IPS operate at a low level and acts as a service associated with a kernel driver."​

There are many other preventative measures, and his article makes for informative reading, especially the Conclusion section:

ROOTKITS PREVENTION MEASURES​

Sites reporting tech news are quick to pick up on stories like this Santa worm, especially when "rootkits" and "keyloggers" are involved. Often, the information is not very useful. From cooltechzone.com:

"Security experts say the malicious code usually surpasses firewall and other security software due to the validity of its name, Gift.com."​

Other sites also referred to "security experts."

But if an understanding of how these types of malware work, and proper preventative measures are in place, the fear factor of these loaded words ("rootkits", "keyloggers") will be reduced considerably.

regards,

-rich
________________
~~Be ALERT!!! ~~