
E-Mail Spreads Backdoor Among Website Hosting Companies

An attacker purporting to represent a hosting or colocation company is attempting to trick people into installing an administration tool on their servers. The tool is in fact controlled remotely by the attacker, says Symantec's Security Response Weblog.

The e-mail urges recipients to install a 'security guard script' on their servers, but the attached script actually contains a backdoor program that gives the attacker remote control of the machine. The instructions are written in the same style as a message from a computer helpdesk.

The Symantec blogger writes that the e-mail carries a guard.zip attachment containing guard.php, meant for Linux servers, and guard.asp, meant for Windows servers. The e-mail also explains in detail which script to use on which type of server and how to install it.

The guard.php script attached to the e-mail is actually a backdoor, detected as Backdoor.Lamer, which when run on a server gives the attacker complete access to that server. guard.php is an encoded version of a remote administration tool called NSTView.

Once the script has been installed as the spam mail instructs, it connects to a Gmail account to report the IP address of the affected server. It is also likely to use an iframe lookup to track data on the infected system.

The fake e-mail addresses the recipient by a company name and calls them a valued member. It then says that, in line with the hosting company's yearly security regulations, it is providing a security guard script as an attachment. Recipients can supposedly secure their websites by uploading the attached file: "guard.php" into "./public_html" for UNIX/Linux servers, or "guard.asp" into "./wwwroot" for Windows servers running ASP. The message thanks readers for using the company's products and services, says it looks forward to providing better services, and signs off with best regards.
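The e-mail names two concrete artifacts a hosting customer can check for: files called guard.php or guard.asp dropped into public_html or wwwroot. The following scanner is an added example, not code from the article or from Symantec. It walks a web root, flags files whose names match the attachment described above, and additionally flags PHP/ASP files containing an encoded-execution construct (eval/assert wrapped around base64_decode, gzinflate or str_rot13). That second heuristic is an assumption on my part: the article only says guard.php is an "encoded" version of NSTView and does not name the encoding. The sample directory tree in `demo()` is constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Attachment names taken from the spam e-mail described in the article.
SUSPECT_NAMES = {"guard.php", "guard.asp"}

# Heuristic for encoded/obfuscated server-side tools. Assumption: the article
# does not say how guard.php encodes NSTView; this catches the most common
# eval(base64_decode(...)) style and will miss other encodings.
ENCODED_EXEC = re.compile(
    rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I
)

# Extensions of server-side scripts worth inspecting for the encoded pattern.
SCRIPT_EXTS = {".php", ".asp"}


def scan_webroot(root):
    """Walk `root` and return a list of (path, reason) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in SUSPECT_NAMES:
            # Exact filename from the e-mail; flag regardless of content.
            findings.append((str(path), "filename matches backdoor attachment"))
            continue
        if path.suffix.lower() in SCRIPT_EXTS:
            # Read as bytes so odd encodings in a dropped file cannot crash the scan.
            if ENCODED_EXEC.search(path.read_bytes()):
                findings.append((str(path), "encoded execution pattern"))
    return findings


def demo():
    """Build a constructed sample web root (not real data), scan it, and return
    the findings as sorted (filename, reason) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        (root / "img").mkdir(parents=True)
        # Benign page: no finding expected.
        (root / "index.php").write_bytes(b"<?php echo 'hello'; ?>")
        # Name from the e-mail; content is a placeholder, not the real backdoor.
        (root / "guard.php").write_bytes(b"<?php /* placeholder */ ?>")
        # Encoded-execution construct hidden under an innocuous name.
        (root / "img" / "cache.php").write_bytes(
            b"<?php eval(base64_decode('QUFBQQ==')); ?>"
        )
        findings = scan_webroot(root)
        return sorted((Path(p).name, reason) for p, reason in findings)


if __name__ == "__main__":
    for filename, reason in demo():
        print(f"{filename}: {reason}")
```

Run it against a real web root with `scan_webroot("/path/to/public_html")`; a hit on the filename check is strong evidence that the e-mail's instructions were followed, while a hit on the encoded-execution pattern needs manual review, since legitimate software occasionally ships packed code.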

Because the e-mail's FROM address reads 'L4m3r', i.e. 'Lamer', Symantec named the Trojan 'Backdoor.Lamer' when it added detection for it. These are targeted e-mails sent to a specific, limited set of addresses belonging to customers of major hosting companies.


SPAMfighter News - 12-03-2007
