Torpig - Back to the future or how the most sophisticated trojan in 2008 reinvents itself
| Torpig - Back to the future or how the most sophisticated trojan in 2008 reinvents itself | |
|---|---|
| Botnet | Torpig |
| Malware | Mebroot, Sinowal, ZeuS |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2011 / 2011-06-16 |
| Editor/Conference | Andreas Baumhof |
| Link | http://www.tidos-group.com/blog/?p=362 (tidos-group.com, TrustDefender; archive copy) |
| Author | Andreas Baumhof |
| Type | Blogpost |
Abstract
“We have seen many different examples of how improvements in the security landscape have forced the bad guys to change tactics and achieve their results via different, potentially less useful, methods.
A prime example is the introduction of UAC in Windows 7 together with the default user not running as administrator. This poses a tricky question for malware developers: Do I ask for elevation (UAC) and risk that users get suspicious, or do I do whatever I can without administration privileges?
Well, the answer has been given. We’ve analysed ZeuS before, and ZeuS will not bring up the UAC and will only infect the currently logged-in user.
In this TrustDefender Labs report we look at a new strain of the notorious Torpig Trojan that gained massive publicity in 2008 when it was distributed together with the Mebroot / MBR virus. In this report we look at a new variant that will do an impressive amount of things completely without administrator privileges.
On a positive note, the lack of privileges restricts the trojan’s ability to hide itself deep in the system, and it is much easier to detect and remove.”
Bibtex
```bibtex
@misc{Baumhof2011BFR916,
  editor       = {Andreas Baumhof},
  author       = {Andreas Baumhof},
  title        = {Torpig - Back to the future or how the most sophisticated trojan in 2008 reinvents itself},
  day          = {16},
  month        = jun,
  year         = {2011},
  howpublished = {\url{http://www.tidos-group.com/blog/?p=362} (tidos-group.com, TrustDefender)},
}
```