
IM Rootkit Tracked To Middle East Group


#1 TeMerc
Posted 17 November 2005 - 10:16 AM

The Rootkit powered Botnet

"The great internet shakedown has begun, and to coin a phrase, it's clobberin' time."

Yet consider what our team has been able to ferret out lately -

  • A rather nasty IM virus tracked, jacked and nailed like a punk.
  • The "fake" Google Toolbar, traced back to IM and also tracked right back to 2003.
  • The notorious IM Rootkit, so hot they covered it twice in two days on Slashdot. Ye Gods.

And, after further investigation on the AIM rootkit story, we are fairly confident we have located the group behind this thing and have turned the information over to the FBI and other federal agencies.

What is scary here, is the potential for mass damage that we have seen through monitoring this group (based in the Middle East) nearly 24/7. They are slowly but surely building one of those huge botnets we all know and love, spread across the globe and it seems the lockx rootkit was simply the beach-head - the first wave. Naturally, we can only speculate and often researchers have to do just that - a good researcher knows their enemy, and follows a hunch when little evidence is on the table.

They spread the lockx rootkit via IM, hidden in with a big pile of advertising software. As I predicted at the time, the Adware stuff was likely just a decoy, to distract from the rootkit that came in the package.

Over 17,000 users were found to be compromised on a single server, and we found lots of those worldwide.

We spread all new kinds of malware, self-extracting zipfiles, altered file-names, modified infections ripped from other sources of distribution.....and this stuff does all of the below and then some:

  • Can steal your browser auto-complete data which may leak confidential personal information
  • Gain access to Microsoft Outlook Express
  • Open browsers to launch a denial of service attack, and/or
  • Download additional malicious applications

As you can see, the scale and ambition of this one is truly frightening. It also does not bode well if you subscribe to the “Porterism” kind of future. A mass of Botnets can wreak havoc on a world that is networked like never before - banks, emergency services, vital communications - you get the picture.

For more information on what to expect from this thing, check out the official FaceTime press release here.

Stay frosty, kids.

Full Read @ VitalSecurity.org

