Secrets of the Comfoo masters
(Publication)
| Secrets of the Comfoo masters | |
|---|---|
| Botnet | Comfoo |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2013 / 2013-07-31 |
| Editor/Conference | DELL SecureWorks |
| Link | http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/ (archive copy available) |
| Author | Joe Stewart, Don Jackson |
| Type | Blogpost |
Abstract
“To maintain persistence on the system, Comfoo usually replaces the path to the DLL of an existing unused service rather than installing a new service. A new service is more likely to be noticed by system audits. Sometimes Comfoo is delivered with a rootkit that hides Comfoo's files on disk. Additionally, Comfoo starts the existing "ipnat" system service. This action causes remote inbound connections to the infected system to fail, blocking remote maintenance by the network administrator.”
Bibtex
@misc{2013BFR1362,
  editor       = {DELL SecureWorks},
  author       = {Joe Stewart and Don Jackson},
  title        = {Secrets of the Comfoo masters},
  day          = {31},
  month        = jul,
  year         = {2013},
  howpublished = {\url{http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/}},
}