[nsp-sec] ACK: system infected with proxy malware
Rodolfo Baader
rbaader at arcert.gov.ar
Mon May 3 15:37:42 EDT 2010
Hi,
ACK for AR ASNs: 7303, 10318, 10481, 10834, 11664, 13585, 19037, 20207, 22927,
27691, 27747, 27881, 27953, 27984
Notifications were sent to the abuse/noc departments.
Regards,
R.
Thomas Hungenberg wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> I'm sending the following information by courtesy of John LaCour from PhishLabs:
>
>
> The following systems are compromised PCs which are infected with a
> proxy/rootkit malware.
>
> This was captured from criminals who were selling lists of proxies.
>
> On the one system I did get access to with the help of an ISP, the malware
> was a randomly named .DLL in \windows\system32 that was running as a service
> named "Floppy Disk Monitor". It was protected by a rootkit driver so my
> recommendation is to reformat and reinstall Windows.
>
> The malware itself seems to communicate via peer-to-peer over port 80 and
> sends a POST to /s/ on its peers with obfuscated data. I think there's a
> .dat file with a random name in \windows\system32 which is used to bootstrap
> a list of peers.
>
> These were all verified by me between Tue Apr 27 17:07:34 2010 UTC and Tue
> Apr 27 22:11:30 2010 UTC.
>
>
> ASN IP Proxy TCP Port ASN Description
>
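One way to hunt for the peer-to-peer POST /s/ pattern described in the quoted report in web-proxy logs, as an added example that is not part of the original message. The log format, the sample lines and the fan-out threshold are constructed assumptions; the report itself gives only the port, method and path.

```python
import re
from collections import defaultdict

# Constructed sample web-proxy log lines (not from the original message).
# Assumed format: timestamp src_ip method url status
SAMPLE_LOG = """\
2010-04-27T17:10:01Z 10.0.0.5 POST http://198.51.100.10:80/s/ 200
2010-04-27T17:10:07Z 10.0.0.5 POST http://203.0.113.22:80/s/ 200
2010-04-27T17:10:15Z 10.0.0.5 POST http://192.0.2.77:80/s/ 200
2010-04-27T17:11:02Z 10.0.0.9 GET http://example.com/s/index.html 200
2010-04-27T17:11:30Z 10.0.0.9 POST http://example.com:80/s/ 200
2010-04-27T17:12:44Z 10.0.0.5 GET http://example.org/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"http://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"] or 80)  # http:// without an explicit port is 80
    return rec


def find_peer_post_hosts(log_text, min_peers=3):
    """Return {src_ip: sorted peer hosts} for sources that POST to /s/ on
    TCP port 80 against at least min_peers distinct destinations.

    A single POST to /s/ can be legitimate traffic; an internal host
    fanning out the same POST to many different hosts is the peer
    bootstrapping pattern the report describes, so the threshold is
    applied per source address rather than per request."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["port"] == 80 and rec["path"] == "/s/":
            peers[rec["src"]].add(rec["host"])
    return {src: sorted(hosts) for src, hosts in peers.items() if len(hosts) >= min_peers}
```

Hosts flagged this way are candidates for the rebuild the report recommends, not confirmed infections; corroborate with the service name and system32 artifacts it mentions before acting.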