E-Mail Spreads Backdoor Among Website Hosting Companies
An attacker purporting to represent a hosting or colocation company is attempting to trick people into installing an administration tool on their server machines. The tool would in fact be managed remotely by the attacker, says Symantec's Security Response Weblog.
The e-mail urges recipients to load a 'security guard script' on their servers, but the script attached to the e-mail actually contains a backdoor program that enables remote control of that machine. The e-mail's instructions are written in the same manner as a message from a computer helpdesk.
The Symantec blogger writes that the e-mail comes with a guard.zip attachment containing guard.php, meant for Linux servers, and guard.asp, meant for Windows servers. The e-mail also explains in detail which script to use on which type of server and how to install it.
The guard.php script attached to the e-mail is actually a backdoor, Backdoor.Lamer, which, when run on a server, gives the attacker complete access to that server. The guard.php script is an encoded version of a remote administration tool called NSTView.
After the script has been installed as per the instructions in the spam mail, the software connects to a Gmail account to report the IP address of the affected server. It is also likely to use an iframe lookup to track data on the infected system.
The fake e-mail addresses the recipient by a company name and calls them valued members. It then says that, in accordance with the hosting company's yearly security regulations, it is providing a security guard script as an attachment. Recipients can supposedly secure their websites by uploading the attached file: "guard.php" into "./public_html" for UNIX/Linux servers, or "guard.asp" into "./wwwroot" for Windows servers using ASP. The company thanks readers for using its products and services and looks forward to providing better services. It then signs off with best regards.
Because the e-mail's From address reads 'L4m3r', or 'Lamer', Symantec named the Trojan 'Backdoor.Lamer' when it added detection for it. These are targeted e-mails sent to a specific and limited set of addresses belonging to customers of major hosting companies.
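A hosting customer who wants to check whether a "security guard script" of this kind has landed in a document root can do so with a small scan. The following is an added example written for this article; it is not code from SPAMfighter, Symantec or the campaign itself. The file names guard.php and guard.asp and the upload locations come from the article; the heuristic for spotting an encoded PHP payload (eval, assert or create_function applied directly to a base64_decode/gzinflate-style decoder) is a general webshell indicator assumed here, not a detail the article gives about NSTView, and the sample files the demo creates are constructed stand-ins, not real malware.

```python
"""Scan a web document root for dropped "security guard" scripts.

Added example for the Backdoor.Lamer article; not the article's or
Symantec's code. guard.php / guard.asp are the names from the article;
the encoded-payload regex is an assumed general heuristic.
"""
import os
import re
import shutil
import tempfile

# Exact file names the phishing e-mail told recipients to upload (from the article).
KNOWN_DROPPER_NAMES = {"guard.php", "guard.asp"}

# Heuristic for an encoded/packed PHP backdoor: code executed straight out of a
# decoder call. Assumption for this example, not taken from the article.
ENCODED_EXEC = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*"
    r"(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.IGNORECASE,
)

SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5", ".asp", ".aspx")


def scan_file(path):
    """Return a list of findings for one file; an empty list means nothing flagged."""
    findings = []
    name = os.path.basename(path).lower()
    if name in KNOWN_DROPPER_NAMES:
        findings.append("name matches guard.php/guard.asp dropper")
    # Only script files are inspected for content; a .txt mentioning eval() is noise.
    if name.endswith(SCRIPT_EXTENSIONS):
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                body = fh.read()
        except OSError:
            return findings
        match = ENCODED_EXEC.search(body)
        if match:
            findings.append(
                f"encoded payload executed via {match.group(1)}({match.group(2)}(...))"
            )
    return findings


def scan_webroot(root):
    """Walk a document root and return {relative_path: [findings]} for flagged files only."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            found = scan_file(full)
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits


def demo():
    """Build a constructed public_html tree, scan it, and return the hits.

    The contents below are made up for the demo: 'QUJD' is just base64 of 'ABC'.
    """
    root = tempfile.mkdtemp(prefix="public_html_")
    try:
        samples = {
            "index.php": "<?php echo 'hello'; ?>",                       # benign
            "guard.php": "<?php eval(base64_decode('QUJD')); ?>",       # constructed dropper stand-in
            "lib/helper.php": "<?php function f(){ return gzinflate(base64_decode('x')); } ?>",  # decode without exec
            "readme.txt": "eval(base64_decode('not code, not scanned'))",  # non-script file
        }
        for rel, content in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_webroot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, "->", "; ".join(findings))
```

On the constructed tree only guard.php is reported, with two findings: the name match and the eval-over-decoder pattern. The helper file that merely decodes without executing and the text file that mentions eval() are left alone, which is the point of restricting the content check to script extensions and to decoder output fed straight into an execution function. In real use, point scan_webroot at the server's ./public_html or ./wwwroot and treat any hit as something to review, not as proof of compromise.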
» SPAMfighter News - 12-03-2007