Secrets of the Comfoo masters

From Botnets.fr


Botnet: Comfoo
Date: 2013 / 2013-07-31
Editor/Conference: DELL SecureWorks
Link: http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/ (Archive copy)
Author: Joe Stewart, Don Jackson
Type: Blogpost

Abstract

To maintain persistence on the system, Comfoo usually replaces the path to the DLL of an existing unused service rather than installing a new service. A new service is more likely to be noticed by system audits. Sometimes Comfoo is delivered with a rootkit that hides Comfoo's files on disk. Additionally, Comfoo starts the existing "ipnat" system service. This action causes remote inbound connections to the infected system to fail, blocking remote maintenance by the network administrator.

Bibtex

 @misc{Stewart2013BFR1362,
   editor = {DELL SecureWorks},
   author = {Joe Stewart and Don Jackson},
   title = {Secrets of the Comfoo masters},
   day = {31},
   month = jul,
   year = {2013},
   howpublished = {\url{http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/}},
 }