new trojan - DFWstangs Forums
post #1 of 3, 03-21-2006, 08:18 PM (Thread Starter)
Rockin' da fumanchu
Join Date: Nov 2005
Location: On the straight and narrow,stumbling at best, only by Gods grace.
Posts: 7,224
new trojan

On March 20th, we here at Sana labs discovered an in-the-wild rootkit and Trojan that has been actively infecting machines since about the 16th of March. This kernel level rootkit was designed to stealth a Trojan that has some pretty scary capabilities. First, the Trojan can survive reboot and does not run as a separate process. Second, it can discover passwords used previously on a machine, so it does not need to log keystrokes. And third, since the Trojan is hidden by the rootkit, end users cannot see the Trojan on their disk.

This Trojan and rootkit were found during the investigation of an in-the-wild worm named Win32.Alcra. This worm, if not stopped, attempted to contact various websites and download additional payloads. On one of these websites was the installer for this rootkit and Trojan. Once these components were silently installed on a machine, the Trojan invisibly starts communicating to yet another web server located in Russia. This web server acts as the repository for the stolen usernames and passwords.

One of the sites is still actively infecting machines. It attempts to download several pieces of Spyware, Adware, and Trojans, in addition to the rootkit. The rootkit has two pieces: a device driver named 'zopenssld.sys' and a DLL named 'zopenssl.dll'. The device driver appears to cloak any file named 'zopenssld.sys' or 'zopenssl.dll' regardless of where they reside, though the malicious versions are located in the System32 folder.

While the DLL is invisible on the file system, it is visible as an injected DLL in many running processes. Since zopenssl.dll registers itself as a Winlogon.exe extension and does not run as a process, most users would never see it, and it can survive even in safe mode.

The Trojan appears not to be active at all times, but it does wake up and start communicating when it sees a user browsing to a website that requires authentication. To view it in action, a virtual machine was infected with the rootkit and Trojan, and then the user browsed to, and entered a fake username and password. All of the network traffic was recorded, and after ending the web browser session, the Trojan communication became apparent.

After further investigation, it was determined that this Malware was sending information to a web server located in Russia. Ironically, this web server was not secured, and any user browsing the site could view the information that was being stolen.

According to the dates on this web server, it has been active since at least the 16th of March. The oldest stolen data observed was from the 19th of March. Based on the sheer amount of data that has been stolen, the infection has been more than tripling in size every day.
Posted by Jeremy on March 21, 2006 09:54 AM

Listen to my buddy, Jeff Bolton, from 6-9 AM Mon-Fri.

Obamanomics = Trickle Up Poverty

Think you need to format/reinstall your OS(XP), read this first.
Tx Redneck
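Two triage checks for the behaviour the quoted post describes, as an added example that is not part of the original post and not Sana's tooling. The first creates canary files with the two names the post says the driver cloaks "regardless of where they reside" and compares the directory-enumeration view with a direct stat of the same path; on a clean machine the two agree. The second parses a `reg export` of the Winlogon\Notify key (the "Winlogon.exe extension" mechanism the post refers to) and flags notification packages whose DLL is not in a baseline. Only the two file names come from the post; the `.reg` sample is constructed, the `zopenssl` subkey name and the baseline DLL list are assumptions, and the functions `canary_hidden`, `parse_notify_export` and `suspicious_notify_packages` are mine.

```python
"""Added triage checks (not Sana's code): canary_hidden() tests for name-based
file cloaking; parse_notify_export() / suspicious_notify_packages() flag
Winlogon\\Notify packages whose DLL is not in a baseline.  Only the two file
names come from the post; the .reg sample, subkey name and baseline are assumed."""
import os
import re
import shutil
import tempfile

CLOAKED_NAMES = ("zopenssld.sys", "zopenssl.dll")   # names from the post
NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BASELINE_NOTIFY_DLLS = {            # assumed XP-era baseline; tune per build
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "dimsntfy.dll",
    "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll",
}


def canary_hidden(directory=None, names=CLOAKED_NAMES):
    """Create empty files with the cloaked names and return those a directory
    listing omits although a direct stat succeeds (clean systems return [])."""
    scratch = directory or tempfile.mkdtemp()   # hook is by name: any dir works
    hidden = []
    for name in names:
        path = os.path.join(scratch, name)
        open(path, "wb").close()
        listed = name in os.listdir(scratch)       # enumeration view
        if os.path.exists(path) and not listed:    # direct open/stat view
            hidden.append(name)
        try:
            os.remove(path)
        except OSError:
            pass   # a cloaking driver may also refuse deletion by path
    if directory is None:
        shutil.rmtree(scratch, ignore_errors=True)
    return hidden


def decode_reg_value(raw):
    """Decode a .reg value: "string", dword:hex, or hex(N):byte,byte,..."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return raw
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if m.group(1) in ("1", "2", "7"):   # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
        return data.decode("utf-16-le").rstrip("\x00")
    return data                         # REG_BINARY etc.


def parse_notify_export(text):
    """{subkey: {value: decoded}} per Winlogon\\Notify subkey in a reg.exe export."""
    entries, current, pending = {}, None, ""
    prefix = NOTIFY_KEY.lower() + "\\"
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):            # hex value continues on next line
            pending = line[:-1]
            continue
        pending = ""
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            idx = key.group(1).lower().find(prefix)
            current = key.group(1)[idx + len(prefix):] if idx >= 0 else None
            if current:
                entries[current] = {}
            continue
        val = re.match(r'^"([^"]+)"=(.*)$', line)
        if current and val:
            entries[current][val.group(1)] = decode_reg_value(val.group(2))
    return entries


def suspicious_notify_packages(entries, baseline=BASELINE_NOTIFY_DLLS):
    """Subkeys whose DllName basename is not in the baseline."""
    flagged = {}
    for subkey, values in entries.items():
        dll = values.get("DllName")
        if dll is not None:
            base = str(dll).replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base not in baseline:
                flagged[subkey] = dll
    return flagged


# Constructed export: a genuine XP entry plus a hypothetical one for the rootkit
# DLL (REG_EXPAND_SZ is exported as UTF-16LE bytes under hex(2)).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl]
"DllName"=hex(2):7a,00,6f,00,70,00,65,00,6e,00,73,00,73,00,6c,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Startup"="WinlogonStartup"
"""

if __name__ == "__main__":
    print("cloaked canaries:", canary_hidden())
    print("flagged:", suspicious_notify_packages(parse_notify_export(SAMPLE_REG)))
```

On a live box, feed `parse_notify_export` the text of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`. Two caveats: the canary test only catches a hook that filters enumeration while leaving direct opens alone (which is what the post reports), so a driver that also hides the path from stat will pass it, and the registry read itself comes through the same kernel the rootkit hooks. Treat a clean result from either check as weak evidence; an offline boot or a raw read of the hive and disk is the stronger test.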
post #2 of 3, 03-22-2006, 06:21 PM
Join Date: Sep 2001
Location: There's a huge chance I've been registered longer than you.
Posts: 1,807
Ok, how do you end up gettin it? Where did it come from?

DFWSTANGS: just a jump-the-gun, criticize and judge-all-before-you-know-shit, racists, extremist, whats-a-mustang?, internet forum.
KOZMO
post #3 of 3, 03-23-2006, 08:58 AM
Join Date: Mar 2001
Posts: 22,413
Originally Posted by KOZMO
Ok, how do you end up gettin it? Where did it come from?
More info:
mikeb