Scary malware tricks part 1

Scary malware tricks part 1

Summary: In keeping with this Halloween season, I'm starting a series on scary malware tricks, similar to last year's series on spyware tricks. Perhaps my personal focus has changed, but it seems to me spyware tricks are becoming far more devious and destructive.

SHARE:
TOPICS: Malware
5

In keeping with this Halloween season, I'm starting a series on scary malware tricks, similar to last year's series on spyware tricks. Perhaps my personal focus has changed, but it seems to me spyware tricks are becoming far more devious and destructive. Last year I was testing mostly adware, whereas this year I'm testing more trojans, backdoors, rootkits, etc. Also scary -- botnets are reportedly growing in frightening numbers.

CNET's Joris Evers reported on the recent Virus Bulletin Conference, saying the future of malware is trojan horses. Instant messaging worms are on the rise. Rootkit-based malware is spookiest, and some IM worms are infecting users with rootkits.

Just this week we learned that Apple shipped some iPods with a trojan, (not to mention that Apple tried to push the blame on Microsoft.) In their announcement, Apple used the word virus, but it's more like a worm with a backdoor trojan component.

The name of the malware process on the infected iPods is RavMone.exe. Symantec has a good description here, calling it W32.Rajump. When I first read the description, the name was Backdoor.Rajump, but either way, its malicious payload is the same. On initial infection, the malware creates RavMone.exe in the Windows directory and puts itself in a Run key in the registry to make sure it starts with every Windows boot-up. Symantec says it open a TCP port and immediately tries to phone home to the following URLs:

  • [http://]natrocket.kmip.net:5288/ret[REMOVED]
  • [http://]natrocket.kmip.net:5288/ies[REMOVED]
  • [http://]natrocket.9966.org:5288/ies[REMOVED]
  • [http://]scipaper.kmip.net:80/ies[REMOVED]
  • What happens next is anyone's guess, but with a backdoor, it can be ugly. Both domains shown appear to be Chinese, as seen here and here. There has been some speculation that perhaps the infected iPods were shipped from a "contract manufacturer", using Apple's words, in China, but I've not seen any confirmation of that. If anyone has a sample of RavMone.exe, I'd be interested in getting it to test. My ZDNet bio has a contact form here.

    Another example of very scary technology is the Gromozon rootkit, aka Trojan.LinkOptimizer. I'll write about Gromozon in the next article in the series.

    Gallery: Nine more Firefox add-ons to try

    Gallery: Nine more Firefox add-ons to try Gallery: Nine more Firefox add-ons to try · More Photo Galleries

    http://content.zdnet.com/2346-9595_22-289082.html?tag=gald

    Oracle critical patch · FoxNews scareware Microsoft: Exchange 2010 beta today · Office 2007 SP2 April 28

    Microsoft: Exchange 2010 beta today · Tier your workforce, save money

    Jason Hiner: With industry giants like Cisco, Apple, Microsoft and Google racking up huge cash reserves, and the market price of many public tech companies on a "50% off sale", consolidation is in the air. Although the IBM-Sun deal fell apart, expect more tech acquisitions in 2009. These are most likely...

    Photos: The robot designs of iRobot Photos: Cracking open the Dell Adamo · More Photo Galleries

    Apple releases third iPhone 3.0 beta

    · How to adopt iPhone in the enterprise

    http://blogs.zdnet.com/Apple/?p=3697

    Photos: The robot designs of iRobot Photos: The robot designs of iRobot · More Photo Galleries

    http://content.zdnet.com/2346-9595_22-288760.html?tag=gald

    Topic: Malware

    Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

    Talkback

    5 comments
    Log in or register to join the discussion
    • Uncomplicate your computing experience

      and just get one of those new fangled macbookpros or ibook macbooks or what ever Apple is calling the intel based PCs these days. The unix osx is such a refresing change, no need to buy any security add ons, Apple will send it to you for free every monday if you want it. No actual incidents with virus or worms in 5 years. No addware or spyware can be sneaked into your system without admin password verification. Built in file encryption, software firewall, stealth web surfing, CAC PKI card compatibility, etc. It just works as advertized. Even PC mag gives it the thummbs up. Apple does not force you to register your OS installs either. But for an additional $25 you can legally install the OS on every home use apple computer you have to install it on. Show that to $soft!
      R.
      ralphrides
    • RE: Scary malware tricks part 1

      http://www.analogstereo.com/vacuum_sealer/commercial_vacuum_sealer.htm
      dd_forums
    • malware protect

      virus. Trojans, worms, spyware, and adware all depend on your computer staying up and running and they send your privacy informations to your enemies hackers and peoples who wants to get into to you.You can prevent them understanding the teats this guide will help you for that
      http://www.tutorial-net.blogspot.com/2008/04/malware-quiz.html
      ptzkiller
    • RE: Scary malware tricks part 1

      i cannot stress enough to people on the importance of using a firewall, its even more important then having a virus software... Now for those who have windows 7, it comes with a solid built in firewall so you will not have to worry. If you use any other OS, my suggestion is for you to use Zone Alarm, a great firewall for your PC and its free. :)
      For more info, please visit <a href="http://www.softe.org">my virus Spyware removal blog</a> happy new year
      littlephoenix
    • RE: Scary malware tricks part 1

      Suzi Turner,
      I was searching the web and found your entry. I really like your site and found it worth while reading through the posts.Malware, short for malicious software, is software designed to infiltrate a computer system without the owner's informed consent.

      By the way for more information check this link: http://www.eccouncil.org/certification/certified_ethical_hacker.aspx
      smith white