Blog for hpHosts, and whatever else I feel like writing about ....

Saturday, 11 September 2010

Shiz and Rohimafo: Malware Cousins

Before you read this, just an FYI folks, I know the hpHosts release is a little late, this is due to my being down the other end of the country between Tuesday 7th - Thursday 9th. I'm now expecting to have a release out by Thursday/Friday.

Over the course of the last few weeks, our malware sandboxes have analyzed several interesting specimens with malicious activities that include the making of significant modifications to the routing table on the victim host; the effect of these changes is to essentially null-route a large number of /24 IP blocks, one of which is assigned to the U. S. Department of Justice.

As usual, the malicious activity begins with the running of an initial dropper executable. This dropper immediately copies itself verbatim into the Windows system directory with an (apparently) randomly generated new file name; examples include 5b8388e0.exe, 593a1edf.exe, and d4f11d84.exe.

The malware then adds an entry to the following Registry key to ensure that the installed version of itself is launched each time the machine restarts:

Read more

No comments: