Cyber Thugs Disseminate Winnti Malicious Program Utilizing Genuine Analysis Tool

Trend Micro has said that hackers are disseminating Winnti a malicious program for compromising Web-surfers' computers by employing one fresh backdoor Trojan through an analysis tool which isn't a fake.

The backdoor known as "Bkdr_Tengo.A pretends to be one genuine Dynamic Link Library (DLL) file that has been labeled winmm.dll

The above pretence isn't new for Winnti. Nevertheless, there's something interesting about the backdoor. It's crafted for appearing as an authentic system library via abusing Aheadlib.

Aheadlib is really an authentic tool for analysis which helps in creating C code out of Dynamic Link Library files. It has the capability for hooking each-and-every activity that the initial DLL provides.

Although Aheadlib works extremely well in analyzing malware, cyber-criminals too may utilize it but for sinister reasons.

Luckily, within the current instance, the malware hasn't been encrypted, therefore, security researchers managed in analyzing it easily.

According to them, the threat has been created for seizing Microsoft Office, Portable Document Format (PDF) files and Tagged Image File Format (TIFF) files that maybe on Universal Serial Bus (USB) devices plugged into a contaminated PC.

Threat Research Engineer Eduardo Altares of Trend Micro stated that the stolen files were stacked inside the Windows directory. The threat as well crafted one log file. As for retrieving the stolen files, the attacker could do it later. Moreover, the threat issued many backdoor commands that helped in the 'machine compromise,' Altares added. V3.co.uk published this, May 10, 2013.

Meanwhile, there wasn't any manner whereby it could be known whether the new assault by Winnti had its source in China since its associated Internet Protocol addresses exuded conflicting knowledge regarding the attack's origin, Altares said.

According to him, 2 IP addresses from the total recognized, proved essentially intriguing. Those were 98.143.145.118 and 50.93.204.62 based in USA. However, many Chinese-language URLs too directed towards them. The URLs wholly had been blocked like they were C&C servers. The assault outlined the manner of information theft despite the inherent malware not being especially sophisticated. It as well indicated certain challenges while assigning assaults of the kind, the engineer concluded. Blog.trendmicro.com published this, May 9, 2013.

» SPAMfighter News - 5/16/2013