Robots, vile robots everywhere!

The time of the flash Internet worms that could spread to millions of machines in less than an hour has passed. Nowadays we live in the days of trojans, phishing, password stealing and backdoors. Combinations of fast-spreading worms and very cunning trojans, however, are not rare at all.

On Thursday, 2 June, at around 17:12 GMT, we received an interesting exploit on one of the machines that make up the 'Smallpot' honeypot network. Slowly, more packets started to arrive, and it became obvious that whatever was sending them was picking up momentum. Since the simplest explanation is usually the right one, the first guess was an Internet worm attack.

Investigation of the packets revealed a Microsoft ASN.1 exploit (the MS04-007 vulnerability) that tries to download and run an executable from the attacking machine via TFTP. We secured a binary and took a look under the hood. The worm responsible is an Rbot variant, 121,504 bytes long, generically detected by KAV as 'Backdoor.Win32.Rbot.gen'. It is packed with the MEW runtime executable packer and has an MD5 of '7fe7a8320bbd029a87e0228ff5d23053'.
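The post-exploitation step described above, the victim pulling the payload from the attacker over TFTP, is what a honeypot or IDS operator would actually key on. The following Python is an added example, not code from the original post or from Kaspersky: it parses TFTP read requests from captured UDP payloads, flags pulls of Windows executables aimed at port 69, and checks a captured binary against the MD5 given in the post. The packet tuples, IP addresses and the file name "wormpayload.exe" are constructed for illustration and are not from the real attack.

```python
"""Spot the TFTP fetch that follows the ASN.1 exploit and check a pulled
binary against the published hash.

Added example, not part of the original post; the packets below are
constructed for illustration."""
import hashlib
import struct

# MD5 published in the post for the Rbot variant.
KNOWN_RBOT_MD5 = "7fe7a8320bbd029a87e0228ff5d23053"

# TFTP opcodes (RFC 1350)
TFTP_RRQ = 1
TFTP_WRQ = 2


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for a TFTP RRQ/WRQ payload, else None.

    Layout: 2-byte big-endian opcode, filename, NUL, mode, NUL.
    Anything malformed (too short, wrong opcode, missing terminators) yields
    None so a scanner skips it instead of crashing on junk UDP traffic."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # need filename, mode and the trailing empty piece
        return None
    filename, mode = fields[0], fields[1]
    if not filename or not mode:
        return None
    return opcode, filename.decode("latin-1"), mode.decode("latin-1").lower()


def suspicious_tftp_pulls(packets):
    """packets: iterable of (src_ip, dst_ip, udp_dst_port, payload).

    Flag read requests to port 69 whose file name looks like a Windows
    executable: that is the download step the worm uses after the exploit.
    The requester (src) is the freshly exploited victim; the TFTP server
    (dst) is the attacking machine."""
    hits = []
    for src, dst, dport, payload in packets:
        if dport != 69:
            continue
        parsed = parse_tftp_request(payload)
        if parsed is None:
            continue
        opcode, filename, mode = parsed
        if opcode == TFTP_RRQ and filename.lower().endswith((".exe", ".scr", ".pif")):
            hits.append({"victim": src, "attacker": dst, "file": filename, "mode": mode})
    return hits


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_known_rbot(data: bytes) -> bool:
    """True when a captured binary matches the hash given in the post."""
    return md5_hex(data) == KNOWN_RBOT_MD5


# Constructed sample traffic (hypothetical addresses and file name):
# a victim pulling "wormpayload.exe" from the attacker, a harmless config
# fetch, and a junk datagram that should be ignored.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", 69, struct.pack("!H", TFTP_RRQ) + b"wormpayload.exe\x00octet\x00"),
    ("10.0.0.7", "10.0.0.1", 69, struct.pack("!H", TFTP_RRQ) + b"router.cfg\x00netascii\x00"),
    ("10.0.0.7", "10.0.0.1", 69, b"\x00\x01garbage"),
]

if __name__ == "__main__":
    for hit in suspicious_tftp_pulls(SAMPLE_PACKETS):
        print(f"{hit['victim']} pulled {hit['file']} from {hit['attacker']} ({hit['mode']})")
```

In practice the payload tuples come from a pcap reader rather than a literal list; the point is that the RRQ to the attacker's TFTP server is a far more reliable signal than the exploit packet itself, which varies with the shellcode, and that the pulled file can be hashed and matched on the spot.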

Besides the ASN.1 exploit, and this is the first worm to use it successfully on the Internet, the Rbot variant uses a multitude of other exploits: DCOM, RPC, Veritas Backup Exec, LSASS, MSSQL, password guessing and so on. It also steals registration keys for a long list of popular games and PayPal account logins, has an embedded backdoor and, of course, DDoS capabilities. Basically, it is a worm that tries very hard to spread while at the same time stealing as much valuable data from the victim machine as it can find. It is a highly infectious worm, written for profit. And yes, most of the other worms we are seeing nowadays are no different.

Three years ago, the worst thing that could happen to your computer was a corrupted flash ROM or a wiped HDD. In most cases, you could even recover the data from the HDD. Nowadays, a virus infection is much worse. Your computer may easily become a pawn of an organization of cybercriminals that blackmails companies over the Internet. Or your e-banking accounts are suddenly missing a few hundred euros. Or your valuable items from an online game are suddenly somebody else's. There have been cases of people killing each other over such things.

With that in mind, I am left with a question: aren't we becoming too addicted to our beloved computers? Is it really worth dying for a thing which only exists as polarized atoms on a plate, among billions of others, 10,000 km away? Are we becoming too dependent on technology, so soon? I'm afraid the answer has more implications than we are ready to accept.
