Smart Trojan Hides as Java Update

Thursday, July 21, 2011 @ 02:07 PM gHale

A piece of malware built to launch distributed denial of service (DDoS) attacks is circulating disguised as a Java update.

“We have recently come across this type of malware dissembling as a regular update to the Java platform,” said Loredana Botezatu of Romanian antivirus vendor BitDefender.


“Closer investigation on the file revealed more than meets the eye: A carefully-crafted piece of malware that is extremely viral […] and can be used as a powerful tool to initiate distributed denial-of-service attacks,” Botezatu said.

In addition to being served from compromised legitimate websites, the malware, which BitDefender detects as Backdoor.IRCBot.ADEQ, can spread itself through a variety of methods.

These include copying itself to folders shared by default by certain P2P applications, infecting USB drives, copying itself to network shares and sending itself via Windows Messenger or email.

The Trojan can also uninstall other DDoS bots including Cerberus, Blackshades, Cybergate, or the OrgeneraL DDoS Bot Cryptosuite which infect winlogon.exe, csrss.exe and services.exe.

The botmasters can schedule the bot to launch DDoS attacks against particular URLs at particular times, for predefined intervals of times and with a specific frequency of requests.

This capability suggests the bot’s creators might be running a pay-for-DDoS or botnet-for-hire business. Such operations are profitable, and large botnets have been built specifically for this purpose; some take orders from paying customers through elaborate web interfaces.

Despite the high resource use associated with this type of malware, remaining undetected is a priority for this Trojan’s creators.

“The bot also tries to prevent the user from noticing that the Trojan is constantly sending data to the Internet,” Botezatu said. “It successfully adds itself to the list of authorized applications in the Windows Firewall, and tries to kill firewall alerts issued by antivirus solutions when they pop up.”
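The self-whitelisting described above leaves a trace a defender can audit: an Allow exception for a program that lives somewhere a legitimate Java installer never would. The following is an added example written for this page, not code from BitDefender or from the malware analysis. It parses the two on-disk formats Windows uses for per-application firewall exceptions (the pipe-delimited FirewallRules values on Vista and later, and the colon-delimited AuthorizedApplications\List values on XP) and flags enabled Allow entries whose program sits outside Program Files or the Windows directory, or whose name claims to be Java while the program is not in a Java install directory. The registry paths, value formats and all rule strings are assumptions and constructed samples, and the check is a heuristic rather than a signature for Backdoor.IRCBot.ADEQ.

```python
"""Audit Windows Firewall per-application exceptions for self-whitelisting malware.

Added example (not the page's or BitDefender's code). Value formats below are
assumed from documented Windows behaviour; sample values are constructed.
"""
import re

# Vista/7+: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
#           FirewallPolicy\FirewallRules   (assumed: "v2.10|Key=Value|...|")
# Constructed sample values keyed by rule GUID (names stand in for real GUIDs).
SAMPLE_FIREWALL_RULES = {
    "{rule-java-legit}": "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|"
        "App=C:\\Program Files\\Java\\jre6\\bin\\javaw.exe|Name=Java(TM) Platform SE binary|",
    "{rule-fake-updater}": "v2.10|Action=Allow|Active=TRUE|Dir=Out|"
        "App=C:\\Users\\alice\\AppData\\Roaming\\jusched.exe|Name=Java Update Scheduler|",
    "{rule-blocked-temp}": "v2.10|Action=Block|Active=TRUE|Dir=In|"
        "App=C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe|Name=blocked dropper|",
    "{rule-core-net}": "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=68|"
        "App=C:\\Windows\\system32\\svchost.exe|Name=Core Networking - DHCP|",
}

# XP: ...\FirewallPolicy\StandardProfile\AuthorizedApplications\List
#     (assumed: "<path>:<scope>:<Enabled|Disabled>:<display name>")
SAMPLE_XP_LIST = {
    "svchost": "C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:Windows Update",
    "jucheck": "C:\\Documents and Settings\\bob\\Application Data\\jucheck.exe"
               ":*:Enabled:Java(TM) Update Checker",
    "old-temp": "C:\\DOCUME~1\\bob\\LOCALS~1\\Temp\\setup.exe:*:Disabled:setup",
}

# Roots where installed software is expected to live (lowercase, trailing slash).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
JAVA_NAME = re.compile(r"\bjava\b|\bjre\b|jusched|jucheck", re.I)
# Non-greedy path lets the drive-letter colon survive; state anchors the split.
XP_ENTRY = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$")


def parse_rule_string(value):
    """Split a FirewallRules value into a dict of its Key=Value fields."""
    fields = {}
    for part in value.split("|"):
        key, sep, val = part.partition("=")
        if sep:
            fields[key] = val
    return fields


def classify(path, name, action="Allow", enabled=True):
    """Return reasons an exception looks suspicious; an empty list means clean."""
    reasons = []
    if action.lower() != "allow" or not enabled:
        return reasons  # Block or disabled rules do not open a hole
    p = path.replace("/", "\\").lower()
    if not p.startswith(TRUSTED_ROOTS):
        reasons.append("allow rule for a program outside Program Files/Windows")
    if JAVA_NAME.search(name or "") and "\\java\\" not in p:
        reasons.append("rule named as Java but program is not in a Java install directory")
    return reasons


def audit_firewall_rules(rules):
    """Audit Vista+ FirewallRules values; returns [(rule_id, app_path, reasons)]."""
    findings = []
    for rule_id, value in rules.items():
        f = parse_rule_string(value)
        app = f.get("App")
        if not app:
            continue  # port-only or service rules are out of scope here
        reasons = classify(app, f.get("Name", ""), f.get("Action", ""),
                           f.get("Active", "").upper() == "TRUE")
        if reasons:
            findings.append((rule_id, app, reasons))
    return findings


def audit_xp_list(entries):
    """Audit XP AuthorizedApplications\\List values; same return shape as above."""
    findings = []
    for entry_id, value in entries.items():
        m = XP_ENTRY.match(value)
        if not m:
            continue  # malformed entry; worth logging in a real tool
        reasons = classify(m["path"], m["name"], "Allow", m["state"] == "Enabled")
        if reasons:
            findings.append((entry_id, m["path"], reasons))
    return findings


if __name__ == "__main__":
    for rule_id, app, reasons in audit_firewall_rules(SAMPLE_FIREWALL_RULES) + audit_xp_list(SAMPLE_XP_LIST):
        print(f"{rule_id}: {app}\n    " + "\n    ".join(reasons))
```

On a live host the dictionaries would be filled from the registry (for example with `winreg` enumerating the FirewallRules key) rather than from the constructed samples. The heuristic will also fire on legitimately user-installed software under AppData, so treat hits as triage candidates to pair with the other indicators in the article (unexpected outbound traffic, copies in P2P shared folders, killed firewall alerts) rather than as a verdict.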
