E-Mail Spreads Backdoor Among Website Hosting Companies

An attacker posing as a hosting or colocation company is attempting to trick customers into installing an "administration tool" on their servers. The tool is in fact a backdoor that is controlled remotely by the attacker, according to Symantec's Security Response Weblog.

The e-mail urges recipients to install a 'security guard script' on their servers, but the script attached to the e-mail is actually a backdoor program that gives the attacker remote control of the machine. The instructions are written in the same style a company helpdesk would use.

The Symantec blogger writes that the e-mail carries an attachment, guard.zip, which contains guard.php for Linux servers and guard.asp for Windows servers. The e-mail also explains in detail which script to use on which type of server and how to install it.

The guard.php script is in fact a backdoor, detected by Symantec as Backdoor.Lamer, which when run on a server gives the attacker complete access to that server. guard.php is an encoded (obfuscated) copy of a remote administration tool called NSTView.

Once installed according to the instructions in the spam, the script connects to a Gmail account to report the affected server's IP address. It also appears to use an iframe lookup to track data about the infected system.
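The article does not publish the backdoor's code, so the scanner below is an added example (not code from the article, Symantec or NSTView) of how a hosting customer could triage a web root for the kind of file described: it flags the filenames named in the lure and generic markers of encoded PHP web shells (an eval of a decoded blob, the preg_replace /e modifier, long base64 blobs, command-execution and outbound-socket calls). The indicators are assumptions about encoded web shells in general, not a signature for Backdoor.Lamer, and the sample files it scans are constructed here for the demonstration.

```python
"""Triage scanner for encoded PHP web shells in a web root.

Added example; the indicator patterns are generic assumptions, not
a signature of the Backdoor.Lamer sample the article describes.
"""
import base64
import os
import re
import tempfile

# Filenames the lure tells victims to upload (from the article).
SUSPICIOUS_NAMES = {"guard.php", "guard.asp"}

# Generic indicators of an encoded/obfuscated PHP web shell (assumed).
INDICATORS = [
    ("eval_of_decoded",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("preg_replace_e",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("long_base64_blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
    ("shell_exec_call",
     re.compile(r"\b(shell_exec|passthru|system|exec|popen|proc_open)\s*\(", re.I)),
    ("outbound_connection",
     re.compile(r"\b(fsockopen|curl_init|stream_socket_client)\s*\(", re.I)),
]

# A single strong indicator is enough to flag; weak ones need corroboration.
STRONG = {"suspicious_filename", "eval_of_decoded", "preg_replace_e"}


def scan_file(path):
    """Return the list of indicator names that match one file."""
    hits = []
    if os.path.basename(path).lower() in SUSPICIOUS_NAMES:
        hits.append("suspicious_filename")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return hits
    for label, pattern in INDICATORS:
        if pattern.search(text):
            hits.append(label)
    return hits


def is_flagged(hits):
    """Flag on any strong indicator, or on two or more weak ones."""
    return bool(STRONG & set(hits)) or len(hits) >= 2


def scan_webroot(root, exts=(".php", ".phtml", ".asp")):
    """Walk a web root; map relative path -> hits for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if is_flagged(hits):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_webroot(root):
    """Write constructed sample files (harmless, not real malware)."""
    # An encoded blob in the style of eval(base64_decode(...)) droppers.
    blob = base64.b64encode(("<?php " + "echo 'x';" * 40).encode()).decode()
    samples = {
        "index.php": "<?php echo 'Welcome'; ?>\n",
        "contact.php": "<?php mail($_POST['to'], 'hi', $_POST['msg']); ?>\n",
        # The lure's filename plus an eval of a decoded blob.
        "guard.php": "<?php\neval(base64_decode('%s'));\n" % blob,
        # A shell hidden in an upload directory via the /e modifier.
        "upload/cache.php":
            "<?php preg_replace('/.*/e', 'system($_GET[\"c\"])', ''); ?>\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Scan a temporary constructed web root and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, "->", ", ".join(hits))
```

Run against a real document root (`scan_webroot("/var/www/html")` or the account's `public_html`) a hit is a triage lead, not a verdict: a legitimate contact form that calls mail() and reads $_POST is deliberately not flagged, while anything that eval()s a decoded blob or carries the lure's filename is. The ASP side of the lure needs its own indicators (for example `Execute`/`Eval` over a decoded string in VBScript), which this example does not cover.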

The fake e-mail addresses the recipient by company name as a "valued member". It then states that, under the hosting company's yearly security regulations, it is providing a security guard script as an attachment. Recipients are told they can secure their websites by uploading "guard.php" to "./public_html" on UNIX/Linux servers, or "guard.asp" to "./wwwroot" on Windows servers running ASP. The message thanks readers for using the company's products and services, says it looks forward to providing better service, and signs off with best regards.

Because the e-mail's From address reads 'L4m3r' (leetspeak for 'Lamer'), Symantec named the Trojan 'Backdoor.Lamer' when adding detection for it. These are targeted e-mails, sent to a specific and limited set of addresses belonging to customers of major hosting companies.


» SPAMfighter News - 12-03-2007
