Christmas IM Worm a Nasty Present

Discussion in 'malware problems & news' started by ronjor, Dec 20, 2005.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    Story
     
  2. controler

    controler Guest

  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I heard of two scenarios.

    One, the browser prompted but daughter downloaded the file anyway, thinking it was a picture, not realizing that .com is not your normal picture file. Anti-virus did not catch it.

    Two, father has an intrusion prevention program - not sure what it is - but uses White List. The kids need his permission to download, and so, were blocked from downloading it.

    I went directly to the site and watched it in action. It's a typical trojan downloader.


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
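The scenario above, a ".com" file that a user took for a picture, is the kind of thing a simple download check can catch before anti-virus gets a vote. The following is an added example, not code from this thread or from any product discussed here; the file names and header bytes it uses are constructed for illustration.

```python
# Added example: flag a download that is presented as a picture but is really
# an executable, like the "Gift.com" file discussed in this thread.
# Names and header bytes used in the tests are constructed, not real samples.

IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
# Extensions Windows runs directly. A .com file is raw machine code with no
# header signature, so its extension is the only static clue it gives.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# Leading bytes of the picture formats this check recognises.
IMAGE_MAGIC = {b"\xff\xd8\xff": ".jpg", b"GIF8": ".gif", b"\x89PNG": ".png", b"BM": ".bmp"}


def extensions_of(name):
    """Every extension in the name, in order: 'santa.jpg.com' -> ['.jpg', '.com']."""
    return ["." + part for part in name.lower().split(".")[1:]]


def image_type(head):
    """Picture format implied by the first bytes, or None if no known signature."""
    for magic, ext in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return ext
    return None


def classify_download(name, head):
    """Return ('block' | 'allow' | 'review', reason) for a file name and its first bytes."""
    exts = extensions_of(name)
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        # Double extensions such as "santa.jpg.com" are the classic disguise.
        if any(e in IMAGE_EXTS for e in exts[:-1]):
            return "block", "image extension used to disguise executable " + final
        return "block", final + " is an executable, not a picture"
    if head.startswith(b"MZ"):
        # A PE/EXE header under an innocent name: the name lies, the bytes do not.
        return "block", "content is a Windows executable despite name " + name
    kind = image_type(head)
    if final in IMAGE_EXTS:
        if kind == final or (kind == ".jpg" and final == ".jpeg"):
            return "allow", "extension matches " + kind + " signature"
        return "review", "image extension but no matching signature"
    return "review", "unrecognised type " + (final or "(none)")
```

The "review" verdict is where a whitelist like the one the father in the second scenario uses would apply: anything not positively identified waits for a human decision rather than running.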
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    Thanks Rich. Nicely done.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    isc.sans.org reported that the Santa Claus site has been taken down.

    Over at DSLR someone posted a link to a list of similar sites, and all but one had been taken down.

    It seems like some organization is stepping up to remove more of these sites as they are discovered. Do you suppose just notifying the host service is what does it?

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for posting the article.

    There is now some question as to whether or not a rootkit was involved:

    http://isc.sans.org/diary.php?storyid=955

    -rich
     
  7. controler

    controler Guest

    Was a rootkit involved or not?
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    We may never know.

    A quick search for this worm (or bot) found 20+ tech news sites with this story - all referencing the same source: tc.imlogic.com which described "rootkit" and "keylogger" as part of the worm.

    isc.sans.org evidently was the only other site which analyzed the executable, saying that there was no rootkit nor keylogger. Either imlogic did faulty analysis, or there was more than one version of the worm.

    When I let the worm run step by step, nothing like that attempted to install, and in this case it would be easy to block anyway.

    Rootkit

    Rootkits are described as having an executable (dropper) and a .dll or .sys (driver):



    Keylogger

    Key loggers are described as consisting of two files: a DLL which does all the work and an EXE which loads the DLL and sets the hook:



    From Kareldjag's concluding article in his rootkit series:

    "Personal HIPS are the most important anti-rootkit defense after the firewall. Many of them have the ability to detect service/driver installation, which is often required for rootkits. Moreover, these Desktop IPS operate at a low level and act as a service associated with a kernel driver."

    There are many other preventative measures, and his article makes for informative reading, especially the Conclusion section:


    Sites reporting tech news are quick to pick up on stories like this Santa worm, especially when "rootkits" and "keyloggers" are involved. Often, the information is not very useful. From cooltechzone.com:

    "Security experts say the malicious code usually surpasses firewall and other security software due to the validity of its name, Gift.com."

    Other sites also referred to "security experts."

    But if there is an understanding of how these types of malware work, and proper preventative measures are in place, the fear factor of these loaded words ("rootkits", "keyloggers") will be reduced considerably.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Dec 26, 2005