Attacks/Breaches
3/21/2012
08:56 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

New Malware Puts Nasty Spin On Remote Control

Georbot Trojan steals remote-desktop configuration files to provide surreptitious access to targeted PCs, including recording audio and video.

Security researchers have discovered malware that scans PCs for remote-access or remote-desktop-configuration files, which indicates installed software that can be used to remotely control the computer. The malware, dubbed Georbot, then steals related credential files and transmits them to attackers, providing direct access to the machines using the built-in remote access tools.

The Georbot malware's capabilities were discovered in January by security researchers at antivirus firm ESET. "One of the analysts in our virus laboratories noticed that it was communicating with a domain belonging to the Georgian government [the country in southwestern Asia, not the U.S. state] in order to retrieve updates," according to a report that ESET released Wednesday. Notably, the malware connects with that server anytime it fails to connect to its designated command-and-control server.

ESET said that Georbot has been in circulation since at least September 2010, and had been updated at least 1,000 times. "It should be also noted that the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and, parallel to their own--still ongoing--monitoring, have cooperated with ESET on this matter," according to the report.

[ We're largely to blame for hacktivists' success. Read more: Anonymous Hackers' Helper: IT Security Neglect. ]

Other antivirus companies besides ESET had also spotted the malware, although none appeared to have taken a close look at what it was doing. Two months ago, however, ESET shared samples of Georbot with security companies, which has led to improved detection rates for the malware. Even so, the malware continues to be active, with ESET saying it saw the most recent variants launched Monday.

ESET said it's gained access to the botnet's control panel, allowing it to count the number of affected machines, their locations, as well as to deduce exactly which types of commands the information-stealing Trojan application can generate. For example, the malware can be used to record audio and video feeds from exploited PCs. ESET planned to detail those findings Wednesday in a meeting with the Georgian government. Until then, Pierre-Marc Bureau, a Montreal-based senior malware researcher at ESET, said in an interview that he wasn't prepared to speculate as to who might be behind the malware, or why certain people might have been targeted.

How common is this type of malware? "It's not the first time that I've seen it happen, but it's not as common as stealing credentials for FTP sites or website credentials," said Bureau, largely because those other types of credentials can be built into worms and used to launch automated attacks against large numbers of targets. "[Georbot] is something that wouldn't be used at a large scale, but in a more targeted attack," he said. If successful, however, such an attack would give an attacker full, remote access to the targeted PC.

By publishing its research into Georbot, however, won't ESET drive whoever's behind the botnet to make it go dark? "We hope so, yes," said Bureau. "We're continuing to monitor the situation, and we hope that by publishing this paper we help educate users, but if this can help some Internet providers to take on these servers, that will be a good ending."

Concern over attackers exploiting remote-control access tools on PCs has been growing, not just due to malware such as Georbot. Notably, proof-of-concept exploit code has already been published for a Remote Desktop Protocol vulnerability patched last week by Microsoft. Meanwhile, Symantec earlier this year warned pcAnywhere users to disable their installations, or else protect them with layered security, after discovering that in 2006 attackers had stolen the source code for the application, which they might be able to use to spot unknown, exploitable vulnerabilities.

Beyond hoping that antivirus scanners spot malware such as Georbot, or exploits targeting specific remote-access tools, what can businesses do to protect themselves?

"I don't think it makes sense for any company to have their remote-desktop services or pcAnywhere exposed directly to the Internet," said Bureau. "Multiple security layers should be applied, such as network filters to only allow access from specific locations, VPN for remote workers--or someone who needs to access internal data from an external location in an emergency--and also to secure your endpoints, and ensure they're patched. These are the standard procedures. I know it's easy to enumerate them, but harder to put them into practice."

Secure Sockets Layer isn't perfect, but there are ways to optimize it. The new Web Encryption That Works supplement from Dark Reading shows four places to start. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
rsexton322
50%
50%
rsexton322,
User Rank: Apprentice
3/22/2012 | 12:24:58 PM
re: New Malware Puts Nasty Spin On Remote Control
Well this just stinks! I am a network admin, and I take care of more than one network, which is more than one location and more than one company. I do this at night while most normal people are sleeping, and you can bet your behind I do this via remote control tools. I've not clicked the links in this article so I have only read this, but without question other than "monitoring" which you can rest assured I am on who does monitor and log everything so that part of my job which is very time consuming is done. I really need a sure fire way to ensure I am protected from this, and I do have current counter measures in place that if this article is correct, will provide protection against this attack, but I will not disclose publicly, but should someone else need this type of protection, I am for hire. :-)
I would think any company of any size with any number of online computers need and want remote access. Even a one man show will at times need access to data located at the office and unless they want to revert back to sneaker-net, remote access is needed. If you don't have remote access again, I am for hire. :-)
Rob
904-262-6046
HH000
50%
50%
HH000,
User Rank: Apprentice
3/22/2012 | 6:06:03 AM
re: New Malware Puts Nasty Spin On Remote Control
Any kind of malware's can be get rid of using Comodo Antivirus.
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
3/22/2012 | 12:29:49 AM
re: New Malware Puts Nasty Spin On Remote Control
At the root of all of this, this GeorBot seems to give an attacker a way of targeting specific users for their attack, rather than just picking random systems and going after full control of a system as opposed to shutting down or taking over specific services.

It's also somewhat amusing that the security research interviewed for this article is talking about ways of preventing this exploit at the end and how they are easier enumerated than accomplished. His recommendations are quite basic, quite simple and should be the first steps that anyone responsible for security on a network should take to assure the integrity of that network. Securing endpoints and making sure that they have all relevant patches is not hard with modern tools and is a requirement for a number of different legal compliance situations. But no matter what route you choose to secure systems, monitoring is an absolute must.

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-5704
Published: 2014-04-15
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

CVE-2013-5705
Published: 2014-04-15
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.

CVE-2014-0341
Published: 2014-04-15
Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to ob...

CVE-2014-0342
Published: 2014-04-15
Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors.

CVE-2014-0348
Published: 2014-04-15
The Artiva Agency Single Sign-On (SSO) implementation in Artiva Workstation 1.3.x before 1.3.9, Artiva Rm 3.1 MR7, Artiva Healthcare 5.2 MR5, and Artiva Architect 3.2 MR5, when the domain-name option is enabled, allows remote attackers to login to arbitrary domain accounts by using the corresponding...

Best of the Web