Attacks/Breaches
3/21/2012
08:56 AM
50%
50%

New Malware Puts Nasty Spin On Remote Control

Georbot Trojan steals remote-desktop configuration files to provide surreptitious access to targeted PCs, including recording audio and video.

Security researchers have discovered malware that scans PCs for remote-access or remote-desktop-configuration files, which indicates installed software that can be used to remotely control the computer. The malware, dubbed Georbot, then steals related credential files and transmits them to attackers, providing direct access to the machines using the built-in remote access tools.

The Georbot malware's capabilities were discovered in January by security researchers at antivirus firm ESET. "One of the analysts in our virus laboratories noticed that it was communicating with a domain belonging to the Georgian government [the country in southwestern Asia, not the U.S. state] in order to retrieve updates," according to a report that ESET released Wednesday. Notably, the malware connects with that server anytime it fails to connect to its designated command-and-control server.

ESET said that Georbot has been in circulation since at least September 2010, and had been updated at least 1,000 times. "It should be also noted that the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and, parallel to their own--still ongoing--monitoring, have cooperated with ESET on this matter," according to the report.

[ We're largely to blame for hacktivists' success. Read more: Anonymous Hackers' Helper: IT Security Neglect. ]

Other antivirus companies besides ESET had also spotted the malware, although none appeared to have taken a close look at what it was doing. Two months ago, however, ESET shared samples of Georbot with security companies, which has led to improved detection rates for the malware. Even so, the malware continues to be active, with ESET saying it saw the most recent variants launched Monday.

ESET said it's gained access to the botnet's control panel, allowing it to count the number of affected machines, their locations, as well as to deduce exactly which types of commands the information-stealing Trojan application can generate. For example, the malware can be used to record audio and video feeds from exploited PCs. ESET planned to detail those findings Wednesday in a meeting with the Georgian government. Until then, Pierre-Marc Bureau, a Montreal-based senior malware researcher at ESET, said in an interview that he wasn't prepared to speculate as to who might be behind the malware, or why certain people might have been targeted.

How common is this type of malware? "It's not the first time that I've seen it happen, but it's not as common as stealing credentials for FTP sites or website credentials," said Bureau, largely because those other types of credentials can be built into worms and used to launch automated attacks against large numbers of targets. "[Georbot] is something that wouldn't be used at a large scale, but in a more targeted attack," he said. If successful, however, such an attack would give an attacker full, remote access to the targeted PC.

By publishing its research into Georbot, however, won't ESET drive whoever's behind the botnet to make it go dark? "We hope so, yes," said Bureau. "We're continuing to monitor the situation, and we hope that by publishing this paper we help educate users, but if this can help some Internet providers to take on these servers, that will be a good ending."

Concern over attackers exploiting remote-control access tools on PCs has been growing, not just due to malware such as Georbot. Notably, proof-of-concept exploit code has already been published for a Remote Desktop Protocol vulnerability patched last week by Microsoft. Meanwhile, Symantec earlier this year warned pcAnywhere users to disable their installations, or else protect them with layered security, after discovering that in 2006 attackers had stolen the source code for the application, which they might be able to use to spot unknown, exploitable vulnerabilities.

Beyond hoping that antivirus scanners spot malware such as Georbot, or exploits targeting specific remote-access tools, what can businesses do to protect themselves?

"I don't think it makes sense for any company to have their remote-desktop services or pcAnywhere exposed directly to the Internet," said Bureau. "Multiple security layers should be applied, such as network filters to only allow access from specific locations, VPN for remote workers--or someone who needs to access internal data from an external location in an emergency--and also to secure your endpoints, and ensure they're patched. These are the standard procedures. I know it's easy to enumerate them, but harder to put them into practice."

Secure Sockets Layer isn't perfect, but there are ways to optimize it. The new Web Encryption That Works supplement from Dark Reading shows four places to start. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
rsexton322
50%
50%
rsexton322,
User Rank: Apprentice
3/22/2012 | 12:24:58 PM
re: New Malware Puts Nasty Spin On Remote Control
Well this just stinks! I am a network admin, and I take care of more than one network, which is more than one location and more than one company. I do this at night while most normal people are sleeping, and you can bet your behind I do this via remote control tools. I've not clicked the links in this article so I have only read this, but without question other than "monitoring" which you can rest assured I am on who does monitor and log everything so that part of my job which is very time consuming is done. I really need a sure fire way to ensure I am protected from this, and I do have current counter measures in place that if this article is correct, will provide protection against this attack, but I will not disclose publicly, but should someone else need this type of protection, I am for hire. :-)
I would think any company of any size with any number of online computers need and want remote access. Even a one man show will at times need access to data located at the office and unless they want to revert back to sneaker-net, remote access is needed. If you don't have remote access again, I am for hire. :-)
Rob
904-262-6046
HH000
50%
50%
HH000,
User Rank: Apprentice
3/22/2012 | 6:06:03 AM
re: New Malware Puts Nasty Spin On Remote Control
Any kind of malware's can be get rid of using Comodo Antivirus.
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
3/22/2012 | 12:29:49 AM
re: New Malware Puts Nasty Spin On Remote Control
At the root of all of this, this GeorBot seems to give an attacker a way of targeting specific users for their attack, rather than just picking random systems and going after full control of a system as opposed to shutting down or taking over specific services.

It's also somewhat amusing that the security research interviewed for this article is talking about ways of preventing this exploit at the end and how they are easier enumerated than accomplished. His recommendations are quite basic, quite simple and should be the first steps that anyone responsible for security on a network should take to assure the integrity of that network. Securing endpoints and making sure that they have all relevant patches is not hard with modern tools and is a requirement for a number of different legal compliance situations. But no matter what route you choose to secure systems, monitoring is an absolute must.

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.