Secrets of the Comfoo masters

From Botnets.fr
Revision as of 11:51, 31 July 2015 by Eric.freyssinet (talk | contribs) (Text replacement - "/ www." to "/ |Site=www.")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

(Publication) Google search: [1]

Secrets of the Comfoo masters
Botnet Comfoo
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2013 / 2013-07-31
Editor/Conference DELL SecureWorks
Link http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/ (Archive copy)
Author Joe Stewart, Don Jackson
Type Blogpost

Abstract

To maintain persistence on the system, Comfoo usually replaces the path to the DLL of an existing unused service rather than installing a new service. A new service is more likely to be noticed by system audits. Sometimes Comfoo is delivered with a rootkit that hides Comfoo's files on disk. Additionally, Comfoo starts the existing "ipnat" system service. This action causes remote inbound connections to the infected system to fail, blocking remote maintenance by the network administrator.

Bibtex

 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2013BFR1362,
   editor = {DELL SecureWorks},
   author = {Joe Stewart, Don Jackson},
   title = {Secrets of the Comfoo masters},
   date = {31},
   month = Jul,
   year = {2013},
   howpublished = {\url{http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/}},
 }