
IM Rootkit Tracked To Middle East Group

No replies to this topic

#1 TeMerc


Countermeasures Team Leader

  • Malware Response Team
  • 215 posts
  • Location: PHX., AZ.

Posted 17 November 2005 - 10:44 AM

The Rootkit powered Botnet

"The great internet shakedown has begun, and to coin a phrase, it's clobberin' time."

Yet consider what our team has been able to ferret out lately -

  • A rather nasty IM virus tracked, jacked and nailed like a punk.
  • The "fake" Google Toolbar, traced back to IM and also tracked right back to 2003.
  • The notorious IM Rootkit, so hot they covered it twice in two days on Slashdot. Ye Gods.
And, after further investigation on the AIM rootkit story, we are fairly confident we have located the group behind this thing and have turned the information over to the FBI and other federal agencies.

What is scary here, is the potential for mass damage that we have seen through monitoring this group (based in the Middle East) nearly 24/7. They are slowly but surely building one of those huge botnets we all know and love, spread across the globe and it seems the lockx rootkit was simply the beach-head - the first wave. Naturally, we can only speculate and often researchers have to do just that - a good researcher knows their enemy, and follows a hunch when little evidence is on the table.

They spread the lockx rootkit via IM, hidden in with a big pile of advertising software. As I predicted at the time, the Adware stuff was likely just a decoy, to distract from the rootkit that came in the package.

Over 17,000 users were found to be compromised on a single server, and we found lots of those worldwide.

We spread all new kinds of malware, self-extracting zipfiles, altered file-names, modified infections ripped from other sources of distribution... and this stuff does all of the below and then some:
  • Can steal your browser auto-complete data which may leak confidential personal information
  • Gain access to Microsoft Outlook Express
  • Open browsers to launch a denial of service attack, and/or
  • Download additional malicious applications
As you can see, the scale and ambition of this one is truly frightening. It also does not bode well if you subscribe to the “Porterism” kind of future. A mass of Botnets can wreak havoc on a world that is networked like never before - banks, emergency services, vital communications - you get the picture.

For more information on what to expect from this thing, check out the official FaceTime press release here.

Stay frosty, kids.

Full Read @ VitalSecurity.org
Calendar of Updates
Malware Advisor Blog
HijackThis! Trusted Advisor
Ultimate Countermeasures Page
TeMerc Internet Countermeasures
Remember, you can NEVER be OVERPROTECTED!!!
Proud Member of the Alliance of Security Analysis Professionals