Attacks/Breaches
3/21/2012
08:56 AM
50%
50%

New Malware Puts Nasty Spin On Remote Control

Georbot Trojan steals remote-desktop configuration files to provide surreptitious access to targeted PCs, including recording audio and video.

Security researchers have discovered malware that scans PCs for remote-access or remote-desktop-configuration files, which indicates installed software that can be used to remotely control the computer. The malware, dubbed Georbot, then steals related credential files and transmits them to attackers, providing direct access to the machines using the built-in remote access tools.

The Georbot malware's capabilities were discovered in January by security researchers at antivirus firm ESET. "One of the analysts in our virus laboratories noticed that it was communicating with a domain belonging to the Georgian government [the country in southwestern Asia, not the U.S. state] in order to retrieve updates," according to a report that ESET released Wednesday. Notably, the malware connects with that server anytime it fails to connect to its designated command-and-control server.

ESET said that Georbot has been in circulation since at least September 2010, and had been updated at least 1,000 times. "It should be also noted that the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and, parallel to their own--still ongoing--monitoring, have cooperated with ESET on this matter," according to the report.

[ We're largely to blame for hacktivists' success. Read more: Anonymous Hackers' Helper: IT Security Neglect. ]

Other antivirus companies besides ESET had also spotted the malware, although none appeared to have taken a close look at what it was doing. Two months ago, however, ESET shared samples of Georbot with security companies, which has led to improved detection rates for the malware. Even so, the malware continues to be active, with ESET saying it saw the most recent variants launched Monday.

ESET said it's gained access to the botnet's control panel, allowing it to count the number of affected machines, their locations, as well as to deduce exactly which types of commands the information-stealing Trojan application can generate. For example, the malware can be used to record audio and video feeds from exploited PCs. ESET planned to detail those findings Wednesday in a meeting with the Georgian government. Until then, Pierre-Marc Bureau, a Montreal-based senior malware researcher at ESET, said in an interview that he wasn't prepared to speculate as to who might be behind the malware, or why certain people might have been targeted.

How common is this type of malware? "It's not the first time that I've seen it happen, but it's not as common as stealing credentials for FTP sites or website credentials," said Bureau, largely because those other types of credentials can be built into worms and used to launch automated attacks against large numbers of targets. "[Georbot] is something that wouldn't be used at a large scale, but in a more targeted attack," he said. If successful, however, such an attack would give an attacker full, remote access to the targeted PC.

By publishing its research into Georbot, however, won't ESET drive whoever's behind the botnet to make it go dark? "We hope so, yes," said Bureau. "We're continuing to monitor the situation, and we hope that by publishing this paper we help educate users, but if this can help some Internet providers to take on these servers, that will be a good ending."

Concern over attackers exploiting remote-control access tools on PCs has been growing, not just due to malware such as Georbot. Notably, proof-of-concept exploit code has already been published for a Remote Desktop Protocol vulnerability patched last week by Microsoft. Meanwhile, Symantec earlier this year warned pcAnywhere users to disable their installations, or else protect them with layered security, after discovering that in 2006 attackers had stolen the source code for the application, which they might be able to use to spot unknown, exploitable vulnerabilities.

Beyond hoping that antivirus scanners spot malware such as Georbot, or exploits targeting specific remote-access tools, what can businesses do to protect themselves?

"I don't think it makes sense for any company to have their remote-desktop services or pcAnywhere exposed directly to the Internet," said Bureau. "Multiple security layers should be applied, such as network filters to only allow access from specific locations, VPN for remote workers--or someone who needs to access internal data from an external location in an emergency--and also to secure your endpoints, and ensure they're patched. These are the standard procedures. I know it's easy to enumerate them, but harder to put them into practice."

Secure Sockets Layer isn't perfect, but there are ways to optimize it. The new Web Encryption That Works supplement from Dark Reading shows four places to start. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
rsexton322
50%
50%
rsexton322,
User Rank: Apprentice
3/22/2012 | 12:24:58 PM
re: New Malware Puts Nasty Spin On Remote Control
Well this just stinks! I am a network admin, and I take care of more than one network, which is more than one location and more than one company. I do this at night while most normal people are sleeping, and you can bet your behind I do this via remote control tools. I've not clicked the links in this article so I have only read this, but without question other than "monitoring" which you can rest assured I am on who does monitor and log everything so that part of my job which is very time consuming is done. I really need a sure fire way to ensure I am protected from this, and I do have current counter measures in place that if this article is correct, will provide protection against this attack, but I will not disclose publicly, but should someone else need this type of protection, I am for hire. :-)
I would think any company of any size with any number of online computers need and want remote access. Even a one man show will at times need access to data located at the office and unless they want to revert back to sneaker-net, remote access is needed. If you don't have remote access again, I am for hire. :-)
Rob
904-262-6046
HH000
50%
50%
HH000,
User Rank: Apprentice
3/22/2012 | 6:06:03 AM
re: New Malware Puts Nasty Spin On Remote Control
Any kind of malware's can be get rid of using Comodo Antivirus.
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
3/22/2012 | 12:29:49 AM
re: New Malware Puts Nasty Spin On Remote Control
At the root of all of this, this GeorBot seems to give an attacker a way of targeting specific users for their attack, rather than just picking random systems and going after full control of a system as opposed to shutting down or taking over specific services.

It's also somewhat amusing that the security research interviewed for this article is talking about ways of preventing this exploit at the end and how they are easier enumerated than accomplished. His recommendations are quite basic, quite simple and should be the first steps that anyone responsible for security on a network should take to assure the integrity of that network. Securing endpoints and making sure that they have all relevant patches is not hard with modern tools and is a requirement for a number of different legal compliance situations. But no matter what route you choose to secure systems, monitoring is an absolute must.

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9209
Published: 2015-03-30
Untrusted search path vulnerability in the Clean Utility application in Rockwell Automation FactoryTalk Services Platform before 2.71.00 and FactoryTalk View Studio 8.00.00 and earlier allows local users to gain privileges via a Trojan horse DLL in an unspecified directory.

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.