New Trojan Blocks Access To Bittorrent Websites: Webroot
Security researchers at Webroot recently identified an unusual piece of malware that rewrites the Hosts file of infected PCs so that users can no longer reach well-known BitTorrent websites such as Mininova and The Pirate Bay.
The program is reportedly dropped onto victims' PCs by a Trojan installer belonging to the Ponmocup family of malware. Once planted, it appears as an executable file named update.exe.
According to Webroot, the installer is delivered from the domain 'followme.name', hosted on a Russian server that also supports other cyber-criminal operations distributing malware.
Researchers at the security company explain that the program is disguised as Microsoft ScriptO version 6.0.6015.0, which is normally a genuine dynamic link library on XP SP2 called scripto.dll. The Trojan, however, is actually a rogue executable 326 kb in size.
When run, the Trojan pauses before installing and launching a malicious .exe payload whose filename changes every time the downloader is executed. The downloader also launches the payload in a specific manner that leaves the downloader as the only component controlling it, and this way of granting the payload permission to run slips past anti-malware software too easily.
The payload itself is not especially sophisticated; its sole purpose is to block access to BitTorrent websites. Webroot classifies it as Trojan-Zoeken. It rewrites the infected PC's Hosts file and then flushes the system's DNS cache so the new entries take effect immediately.
The rewritten file blocks domains such as www.mininova.org, mininova.org, blog.mininova.org, forum.mininova.org, www.thepiratebay.org, thepiratebay.org, www.suprbay.org and suprbay.org, among others.
Notably, once the Trojan has completed this task, it contacts an HTML file on a remote server for further instructions. The impact on the infected machine is then considerable, as the Trojan consumes large amounts of CPU time.
Webroot notes that 25 of the 43 anti-virus engines on VirusTotal detect the Trojan installer, although some advanced engines still miss it.
As a word of caution, therefore, any user who finds that the websites listed above cannot be reached should review the Hosts file on their computer and check whether it has recently been modified.
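The review suggested above can be automated. The following script is an added example, not Webroot's code or part of the original article: it parses Hosts file text and flags any entry that remaps one of the domains named in the report, or that sinkholes any non-default hostname to a loopback or null address. The WATCHLIST, the default-entry set and the sample Hosts content are constructed assumptions for illustration.

```python
"""Flag suspicious Hosts file entries (added example; assumes a Windows-style Hosts file)."""
from pathlib import Path

# Default Windows Hosts entries that are expected and therefore not flagged (assumption).
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Domains the report says Trojan-Zoeken blocks; any mapping for them is flagged.
WATCHLIST = {"mininova.org", "thepiratebay.org", "suprbay.org"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from Hosts file text, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing or full-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:  # one line may map several hostnames to the same address
            entries.append((ip, name.lower()))
    return entries


def base_domain(host):
    """Reduce 'forum.mininova.org' to 'mininova.org' (last two labels; a simplifying assumption)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_entries(text):
    """Return (ip, host, reason) for every entry a defender should look at."""
    flagged = []
    for ip, host in parse_hosts(text):
        if (ip, host) in EXPECTED:
            continue
        if base_domain(host) in WATCHLIST:
            flagged.append((ip, host, "watchlisted domain remapped"))
        elif ip.startswith("127.") or ip == "0.0.0.0":
            flagged.append((ip, host, "non-default entry sinkholed to loopback/null"))
    return flagged


def check_file(path):
    """Scan a real Hosts file, e.g. C:\\Windows\\System32\\drivers\\etc\\hosts."""
    return suspicious_entries(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample resembling a Hosts file after the rewrite described in the article.
SAMPLE = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.mininova.org mininova.org
127.0.0.1       forum.mininova.org
0.0.0.0         thepiratebay.org www.thepiratebay.org
127.0.0.1       intranet.local   # legitimate admin override, still worth reviewing
"""

if __name__ == "__main__":
    for ip, host, why in suspicious_entries(SAMPLE):
        print(f"{ip:<16} {host:<28} {why}")
```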
» SPAMfighter News - 12/6/2010