Torpig - Back to the future or how the most sophisticated trojan in 2008 reinvents itself

From Botnets.fr


Botnet: Torpig
Malware: Mebroot, Sinowal, ZeuS
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2011-06-16
Editor/Conference: Andreas Baumhof
Link: http://www.tidos-group.com/blog/?p=362 (tidos-group.com, TrustDefender)
Author: Andreas Baumhof
Type: Blogpost

Abstract

We have seen many examples of how improvements in the security landscape have forced the bad guys to change tactics and achieve their results via different, potentially less effective, methods.

A prime example is the introduction of UAC in Windows 7, together with the default user no longer running as administrator. This poses a tricky question for malware developers: do I ask for elevation (UAC) and risk making users suspicious, or do I do whatever I can without administrator privileges?

Well, the answer has been given. We analysed ZeuS before: ZeuS does not trigger the UAC prompt and only infects the currently logged-in user.

In this TrustDefender Labs report we look at a new strain of the notorious Torpig Trojan, which gained massive publicity in 2008 when it was distributed together with the Mebroot MBR rootkit. The new variant examined here does an impressive amount of work entirely without administrator privileges.

On a positive note, the lack of privileges restricts the trojan's ability to hide itself deep in the system, so it is much easier to detect and remove.

Bibtex

 @misc{Baumhof2011BFR916,
   editor = {Andreas Baumhof},
   author = {Andreas Baumhof},
   title = {Torpig - Back to the future or how the most sophisticated trojan in 2008 reinvents itself},
   day = {16},
   month = jun,
   year = {2011},
   howpublished = {\url{http://www.tidos-group.com/blog/?p=362}},
   note = {tidos-group.com (TrustDefender)},
 }