Over the course of the last few weeks, our malware sandboxes have analyzed several interesting specimens whose malicious activity includes making significant modifications to the routing table on the victim host; the effect of these changes is to essentially null-route a large number of /24 IP blocks, one of which is assigned to the U.S. Department of Justice.
As usual, the malicious activity begins with the running of an initial dropper executable. This dropper immediately copies itself verbatim into the Windows system directory with an (apparently) randomly generated new file name; examples include 5b8388e0.exe, 593a1edf.exe, and d4f11d84.exe.
The malware then adds an entry to the following Registry key to ensure that the installed version of itself is launched each time the machine restarts:
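The two host-side artifacts described above (a Run-key entry pointing at an 8-hex-character .exe in the system directory, and a pile of persistent /24 routes) are what a responder would look for. The following is an added example, not code from the original post or from Arbor; the autorun entries and `route print`-style lines are constructed sample data, and the gateway and the RFC 5737 test networks are assumptions, not the blocks the post refers to.

```python
import re
from ipaddress import ip_network

# Constructed sample of Run-key entries (value name, command), as an
# autoruns-style export might list them; not taken from the original post.
SAMPLE_RUN_ENTRIES = [
    ("ctfmon", r"C:\Windows\system32\ctfmon.exe"),
    ("5b8388e0", r"C:\Windows\system32\5b8388e0.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

# Constructed sample in the layout of `route print -4` persistent routes.
# The gateway and the RFC 5737 test networks are assumptions for illustration.
SAMPLE_ROUTE_LINES = """\
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.1.1  Default
        192.0.2.0    255.255.255.0     192.168.1.99       1
     198.51.100.0    255.255.255.0     192.168.1.99       1
        10.20.0.0      255.255.0.0      192.168.1.1       1
"""

# Dropper naming pattern from the post: eight hex digits plus .exe in system32.
RANDOM_NAME_RE = re.compile(r"\\system32\\[0-9a-f]{8}\.exe$", re.IGNORECASE)

# One route line: destination, netmask, gateway, metric (dotted quads for the first two).
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s*$"
)


def suspicious_run_entries(entries):
    """Return Run-key commands whose target matches the random-name dropper pattern."""
    return [cmd for _, cmd in entries if RANDOM_NAME_RE.search(cmd)]


def slash24_routes(route_text):
    """Parse route-print-style lines and return the /24 destination networks found."""
    nets = []
    for line in route_text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header, blank, or non-route line
        net = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if net.prefixlen == 24:
            nets.append(str(net))
    return nets


def route_table_looks_nullrouted(route_text, threshold=2):
    """Flag a host whose persistent routes contain an unusual number of /24 entries."""
    return len(slash24_routes(route_text)) >= threshold
```

On a live host the same functions can be fed the output of `reg query` on the Run key and `route print -4`; the threshold is a tuning knob, since a few legitimate /24 routes are common on multi-homed machines.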
Read more
http://asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/