Pramro and Sality - two PEs in a pod

From Botnets.fr

Type: Publication
Botnet: Pramro, Sality
Date: 2012-02-21
Editor/Conference: Microsoft
Link: http://blogs.technet.com/b/mmpc/archive/2012/02/21/pramro-and-sality-two-pes-in-a-pod.aspx
Author: Scott Molenkamp

Abstract

The second of the families added to the February release of the Microsoft Malicious Software Removal Tool (MSRT) is Win32/Pramro. Win32/Pramro is a family of trojans that can act as a SOCKS proxy on an infected computer. In this case, this proxy may be used to relay spam and HTTP traffic. Detection was first added for Pramro variants in January 2008.

There is a strong connection with the polymorphic file infector Win32/Sality, which shares portions of code with Pramro. For example, let's examine one of the encrypted files which is currently downloaded by a variant of Worm:Win32/Sality.AU from the host ‘baulaung.org’. If we apply the key ‘GdiPlus.dll’ and a modified RC4 algorithm, the resultant output is a PE file. This file is detected as TrojanProxy:Win32/Pramro.F.
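The decrypt-and-check step described above, as an added example that is not code from the MMPC post or from Botnets.fr. The post says the downloader uses a modified RC4 but does not describe the modification, so this block uses standard RC4 with the key ‘GdiPlus.dll’ and isolates the keystream generator as the one place a variant would be substituted; the "downloaded" blob is a constructed PE-shaped header encrypted under that key, not a real Sality sample, and all function names are this example's own:

```python
"""Added example: RC4-decrypt a blob with the key 'GdiPlus.dll' and verify that
the output is a PE image.  Standard RC4 stands in for the unspecified
'modified RC4' from the MMPC post; the sample blob is constructed here."""
import struct

SALITY_KEY = b"GdiPlus.dll"   # key named in the MMPC post; bytes and case used as-is


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts.
    A malware-specific RC4 variant would replace the keystream logic here."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute S under the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm, XORed over the input
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' at offset 0, e_lfanew at 0x3C, and the
    'PE\\0\\0' signature at e_lfanew.  Output from a wrong key is pseudo-random
    and fails this, which is how you tell a correct key from a wrong one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_and_check(blob: bytes, key: bytes = SALITY_KEY):
    """Return (is_pe, plaintext) for a downloaded blob decrypted under key."""
    plain = rc4_crypt(key, blob)
    return looks_like_pe(plain), plain


def build_sample_blob(key: bytes = SALITY_KEY) -> bytes:
    """Constructed stand-in for a downloaded file: a minimal PE-shaped header
    (not a runnable executable) encrypted under the key."""
    hdr = bytearray(b"MZ")
    hdr += b"\x00" * (0x3C - len(hdr))        # pad DOS header up to e_lfanew
    hdr += struct.pack("<I", 0x40)            # e_lfanew: NT headers at 0x40
    hdr += b"PE\x00\x00"                      # IMAGE_NT_SIGNATURE
    hdr += struct.pack("<HH", 0x014C, 1)      # IMAGE_FILE_HEADER: i386, 1 section
    hdr += b"\x00" * 16                       # remainder of the file header, zeroed
    return rc4_crypt(key, bytes(hdr))


if __name__ == "__main__":
    blob = build_sample_blob()
    ok, plain = decrypt_and_check(blob)
    print("PE after decryption with GdiPlus.dll:", ok)
    wrong, _ = decrypt_and_check(blob, b"gdiplus.dll")   # case matters for the key
    print("PE after decryption with wrong-case key:", wrong)
```

When working on a real download, feed the raw file bytes to `decrypt_and_check`; if the PE check fails, the likely causes are the undocumented RC4 modification (try a variant inside `rc4_crypt`) or a wrapper around the payload (length prefix, checksum) that has to be stripped first, rather than the key itself.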

Bibtex

 @misc{2012BFR895,
   editor = {Microsoft},
   author = {Scott Molenkamp},
   title = {Pramro and Sality - two PEs in a pod},
   date = {2012-02-21},
   month = feb,
   year = {2012},
   howpublished = {\url{http://blogs.technet.com/b/mmpc/archive/2012/02/21/pramro-and-sality-two-pes-in-a-pod.aspx}},
 }