3/21/2012 08:56 AM

New Malware Puts Nasty Spin On Remote Control

Georbot Trojan steals remote-desktop configuration files to provide surreptitious access to targeted PCs, including recording audio and video.

Security researchers have discovered malware that scans PCs for remote-access or remote-desktop configuration files, the presence of which indicates that software capable of remotely controlling the computer is installed. The malware, dubbed Georbot, then steals the related credential files and transmits them to the attackers, giving them direct access to the machines through the remote-access tools already installed on them.
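A defender-side illustration of the behaviour described above, added here as an example and not taken from ESET's report: a small detector that runs over constructed file-access events (a "time|process|file" form is assumed, as is the .rdp extension and the mstsc.exe allowlist, none of which the article names) and flags processes other than the expected remote-desktop client that read remote-desktop configuration files.

```python
"""Flag unexpected processes reading remote-desktop configuration files.

Sample events are constructed for this example; the log format, the .rdp
extension and the allowlist are assumptions, not details from the article.
"""
from collections import defaultdict

# Extensions of remote-desktop / remote-access configuration files to watch
# (assumed; .rdp is the Windows Remote Desktop case).
WATCHED_EXTENSIONS = (".rdp",)

# Processes expected to open such files legitimately (assumed allowlist).
ALLOWED_PROCESSES = {r"c:\windows\system32\mstsc.exe"}

# Constructed sample events: "timestamp|process image|file read".
SAMPLE_EVENTS = """\
2012-03-19T01:12:04|C:\\Windows\\System32\\mstsc.exe|C:\\Users\\rob\\Documents\\Default.rdp
2012-03-19T01:12:09|C:\\Users\\rob\\AppData\\Local\\Temp\\tmp_updater.exe|C:\\Users\\rob\\Documents\\Default.rdp
2012-03-19T01:12:10|C:\\Users\\rob\\AppData\\Local\\Temp\\tmp_updater.exe|C:\\Users\\rob\\Desktop\\office-gw.rdp
2012-03-19T01:12:11|C:\\Users\\rob\\AppData\\Local\\Temp\\tmp_updater.exe|C:\\Users\\rob\\Desktop\\notes.txt
2012-03-19T01:13:00|C:\\Program Files\\Editor\\editor.exe|C:\\Users\\rob\\Desktop\\report.docx
"""


def parse_events(text):
    """Parse 'time|process|file' lines into (time, process, file) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, path = line.split("|", 2)
        events.append((ts, proc, path))
    return events


def detect_config_theft(events, allowed=ALLOWED_PROCESSES):
    """Return {process: [files]} for non-allowlisted processes that read
    a watched remote-desktop configuration file."""
    hits = defaultdict(list)
    for _, proc, path in events:
        if not path.lower().endswith(WATCHED_EXTENSIONS):
            continue  # not a remote-desktop configuration file
        if proc.lower() in allowed:
            continue  # the expected client opening its own config
        hits[proc].append(path)
    return dict(hits)


if __name__ == "__main__":
    for proc, files in detect_config_theft(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT: {proc} read {len(files)} remote-desktop config file(s): {files}")
```

In the constructed sample only the temporary-directory process is reported, with both .rdp files it touched; the client's own read and the unrelated document reads stay silent.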

The Georbot malware's capabilities were discovered in January by security researchers at antivirus firm ESET. "One of the analysts in our virus laboratories noticed that it was communicating with a domain belonging to the Georgian government [the country in southwestern Asia, not the U.S. state] in order to retrieve updates," according to a report that ESET released Wednesday. Notably, the malware falls back to that server whenever it fails to connect to its designated command-and-control server.

ESET said that Georbot has been in circulation since at least September 2010, and had been updated at least 1,000 times. "It should be also noted that the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and, parallel to their own--still ongoing--monitoring, have cooperated with ESET on this matter," according to the report.


Other antivirus companies besides ESET had also spotted the malware, although none appeared to have taken a close look at what it was doing. Two months ago, however, ESET shared samples of Georbot with security companies, which has led to improved detection rates for the malware. Even so, the malware continues to be active, with ESET saying it saw the most recent variants launched Monday.

ESET said it has gained access to the botnet's control panel, allowing it to count the affected machines, determine their locations, and deduce exactly which commands the information-stealing Trojan application can carry out. For example, the malware can be used to record audio and video feeds from exploited PCs. ESET planned to detail those findings Wednesday in a meeting with the Georgian government. Until then, Pierre-Marc Bureau, a Montreal-based senior malware researcher at ESET, said in an interview that he wasn't prepared to speculate as to who might be behind the malware, or why certain people might have been targeted.

How common is this type of malware? "It's not the first time that I've seen it happen, but it's not as common as stealing credentials for FTP sites or website credentials," said Bureau, largely because those other types of credentials can be built into worms and used to launch automated attacks against large numbers of targets. "[Georbot] is something that wouldn't be used at a large scale, but in a more targeted attack," he said. If successful, however, such an attack would give an attacker full, remote access to the targeted PC.

By publishing its research into Georbot, however, won't ESET drive whoever's behind the botnet to make it go dark? "We hope so, yes," said Bureau. "We're continuing to monitor the situation, and we hope that by publishing this paper we help educate users, but if this can help some Internet providers to take on these servers, that will be a good ending."

Concern over attackers exploiting remote-control access tools on PCs has been growing, not just due to malware such as Georbot. Notably, proof-of-concept exploit code has already been published for a Remote Desktop Protocol vulnerability patched last week by Microsoft. Meanwhile, Symantec earlier this year warned pcAnywhere users to disable their installations, or else protect them with layered security, after discovering that in 2006 attackers had stolen the source code for the application, which they might be able to use to spot unknown, exploitable vulnerabilities.

Beyond hoping that antivirus scanners spot malware such as Georbot, or exploits targeting specific remote-access tools, what can businesses do to protect themselves?

"I don't think it makes sense for any company to have their remote-desktop services or pcAnywhere exposed directly to the Internet," said Bureau. "Multiple security layers should be applied, such as network filters to only allow access from specific locations, VPN for remote workers--or someone who needs to access internal data from an external location in an emergency--and also to secure your endpoints, and ensure they're patched. These are the standard procedures. I know it's easy to enumerate them, but harder to put them into practice."


Comments
rsexton322
3/22/2012 | 12:24:58 PM
re: New Malware Puts Nasty Spin On Remote Control
Well, this just stinks! I am a network admin, and I take care of more than one network, which is more than one location and more than one company. I do this at night while most normal people are sleeping, and you can bet your behind I do this via remote control tools. I've not clicked the links in this article, so I have only read this, but without question, other than "monitoring", which you can rest assured I am on, who does monitor and log everything, so that part of my job, which is very time consuming, is done. I really need a surefire way to ensure I am protected from this, and I do have current countermeasures in place that, if this article is correct, will provide protection against this attack, but I will not disclose them publicly; should someone else need this type of protection, I am for hire. :-)
I would think any company of any size with any number of online computers needs and wants remote access. Even a one-man show will at times need access to data located at the office, and unless they want to revert back to sneaker-net, remote access is needed. If you don't have remote access, again, I am for hire. :-)
Rob
904-262-6046
HH000
3/22/2012 | 6:06:03 AM
re: New Malware Puts Nasty Spin On Remote Control
Any kind of malware can be gotten rid of using Comodo Antivirus.
Andrew Hornback
3/22/2012 | 12:29:49 AM
re: New Malware Puts Nasty Spin On Remote Control
At the root of all of this, GeorBot seems to give an attacker a way of targeting specific users for their attack, rather than just picking random systems, and of going after full control of a system as opposed to shutting down or taking over specific services.

It's also somewhat amusing that the security researcher interviewed for this article is talking about ways of preventing this exploit at the end and how they are more easily enumerated than accomplished. His recommendations are quite basic, quite simple and should be the first steps that anyone responsible for security on a network should take to assure the integrity of that network. Securing endpoints and making sure that they have all relevant patches is not hard with modern tools and is a requirement for a number of different legal compliance situations. But no matter what route you choose to secure systems, monitoring is an absolute must.

Andrew Hornback
InformationWeek Contributor