FireEye Unravels Association between Backdoor.ADDNEW and Gh0st RAT
According to researchers at the security company FireEye, the notorious remote access Trojan (RAT) Gh0st is spreading alongside Backdoor.ADDNEW, a new kind of backdoor Trojan that steals passwords stored in Firefox and carries out distributed denial-of-service (DDoS) attacks.
Gh0st, which is used mainly for online spying, targets Windows computers and can phone home to a command-and-control (C&C) server. As the malware's operators control Gh0st-infected systems remotely, they plant additional malware, including surveillance programs, especially keyloggers. The attacks are mainly aimed at the computers of high-profile individuals in government, finance and the military.
ADDNEW, meanwhile, complements Gh0st, says Zheng Bu, Senior Director of Security Research at FireEye. He adds that both malware programs exchange messages with the same C&C Internet Protocol address (188.8.131.52) over various ports.
Also, the majority of Gh0st infections are linked to China-based command-and-control servers, whereas the ADDNEW infections are associated with an IP address located in France. When Gh0st first appeared, China-based hackers were its chief users, says Bu. Further, according to Bu, once the developers of Gh0st published the source code for many versions of the remote access Trojan, attackers were able to use it, modifying it wherever necessary.
The FireEye security researchers who investigated Gh0st found that computers infected with ADDNEW also became infected with Gh0st within 7 days. Thereafter, the PCs used one of the trickiest keywords of Gh0st to communicate with the related C&C servers, explains Vinay Pidathala, Security Content Researcher at FireEye. Darkreading.com reported this on November 6, 2012.
It is worth noting that ADDNEW, besides stealing passwords and aiding DDoS attacks, is derived from the Russian malware DaRK DDoSer, which makes the backdoor's association with the allegedly China-related Gh0st even more intriguing.
In fact, FireEye's ongoing examination of ADDNEW's command elements indicates that the binary contains several elements connecting it to DaRK DDoSer. Whether a complementary relationship also exists between Gh0st RAT and DaRK DDoSer is therefore purely a matter of speculation, remarks Pidathala. Infosecurity-magazine.com reported this on November 6, 2012.
» SPAMfighter News - 13-11-2012