Beijing, the Hotspot Location for Sykipot Servers: Symantec
Inspection by Symantec experts revealed clues suggesting that Beijing, China, is the primary location from which the command and control (C&C) servers are operated, via the country's largest ISP. On one occasion, the attackers even employed a large number of malicious files in the Zhejiang province, Symantec claims.
Researchers claimed, however, that the majority of files used in the attacks consisted of a PDF that later dropped the Trojan. Other tools, including gsecdump, are also believed to have been used successfully during the attack.
It was also revealed that the files were received and saved to the computer from a specific address using an instant messaging client popular in Asia. Researchers were, however, unable to trace the contact number used in distributing the malware to a particular individual.
The experts concluded that the files were developed elsewhere and copied onto the system from removable drives, through FTP, or via instant messaging clients. However, the researchers were unable to trace the individuals behind the operation or the computers used.
In addition, the experts revealed several new domains likely associated with the Sykipot attackers, most of which appear to form part of the Trojan's infrastructure.
On several occasions, researchers observed the attackers sending malicious emails from the same server that hosted the C&C domains. Network administrators should use this information to monitor for the attacks.
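One way to act on that observation, as an added example that is not from the article or from Symantec: correlate the connecting IP of inbound mail against the IPs that known C&C domains resolve to, so that mail arriving from C&C-hosting servers is flagged. The C&C domains, their resolutions, and the Postfix-style log lines below are all constructed placeholders (the article names no indicators); the log format is assumed.

```python
import re
from ipaddress import ip_address

# Constructed placeholder C&C domains and the IPs they resolved to. These are not
# real indicators; in practice, populate this from your own threat-intel data.
CNC_DOMAINS = {
    "cnc-example-1.invalid": "198.51.100.10",
    "cnc-example-2.invalid": "203.0.113.25",
}

# Constructed inbound mail log lines in a Postfix-like shape (sample data only).
MAIL_LOG = """\
Feb 07 09:12:01 mx1 postfix/smtpd[2211]: connect from unknown[198.51.100.10]
Feb 07 09:12:02 mx1 postfix/smtpd[2211]: 4F1A2: client=unknown[198.51.100.10], from=<hr@partner.example>, to=<alice@corp.example>
Feb 07 09:15:40 mx1 postfix/smtpd[2215]: 4F1B7: client=mail.vendor.example[192.0.2.44], from=<billing@vendor.example>, to=<bob@corp.example>
Feb 07 09:20:11 mx1 postfix/smtpd[2219]: 4F1C3: client=unknown[203.0.113.25], from=<it-support@corp.example>, to=<carol@corp.example>
"""

# Matches the accepted-message line: queue id, connecting host and IP, envelope sender/recipient.
LOG_RE = re.compile(
    r"(?P<qid>[0-9A-F]+): client=(?P<host>\S+)\[(?P<ip>[0-9a-f.:]+)\], "
    r"from=<(?P<sender>[^>]*)>, to=<(?P<rcpt>[^>]*)>"
)


def flag_mail_from_cnc_infra(log_text, cnc=CNC_DOMAINS):
    """Return (queue_id, sender, recipient, ip, matching_domains) for each accepted
    message whose sending server IP belongs to known C&C infrastructure."""
    # Invert the domain -> IP map so one IP can point back to every domain hosted on it.
    by_ip = {}
    for domain, ip in cnc.items():
        by_ip.setdefault(ip_address(ip), []).append(domain)

    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # connection/disconnect noise, no envelope data
        ip = ip_address(m["ip"])
        if ip in by_ip:
            hits.append((m["qid"], m["sender"], m["rcpt"], str(ip), sorted(by_ip[ip])))
    return hits


if __name__ == "__main__":
    for hit in flag_mail_from_cnc_infra(MAIL_LOG):
        print("mail from C&C-hosting server:", hit)
```

Feeding the real log stream and a current C&C list through the same function gives an alert for each message whose sending server overlaps the C&C infrastructure.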
The Sykipot attackers' history of targeting various industries goes back quite some time. Taken together, the facts above indicate that the attackers are likely familiar with the Chinese language and that their mission is to take back computer resources in China, Symantec reveals.
It is thus held that the attackers took control of another computer and later found a tool that helped them modify the files they sent, so that they could avoid detection.
Sykipot also tags each attack with a unique number so that the attackers can evaluate the effectiveness of each assault. This unique identification number is concealed and hard-coded into the malware, Symantec reports.
However, it is held that the team under Lockheed Martin that reported the Reader vulnerability to Adobe could have been the targeted contractors of the attack. Though Symantec never claimed China to be the home base of the Sykipot hackers, that conclusion cannot be withheld for long either.
» SPAMfighter News - 07-02-2012