Milton FTP BruteForce Panel

I got this malware via a malvertising campaign: http://malwaredb.malekal.com/index.php?hash=c0b05d5bd8298025d1209ff17611bd6c
The dropper drops a %APPDATA%\svchost.exe file and also adds a Run key (svchost.exe) to load it.
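A genuine svchost.exe only lives under System32 (or SysWOW64), so a Run key that launches one from %APPDATA% is a cheap persistence check. The script below is an added example, not part of the post: it parses Run-key command lines, expands %VAR% references, and flags svchost.exe launched from any other directory; the sample entries and environment are constructed, and on Windows it reads the real HKCU Run key instead.

```python
import os
import re
import sys

# Constructed sample Run-key entries (value name -> command line), modelled on the
# persistence the post describes: an svchost.exe dropped under %APPDATA%.
SAMPLE_RUN_ENTRIES = {
    "svchost.exe": r'"%APPDATA%\svchost.exe"',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
# Constructed environment used to expand the sample entries offline.
SAMPLE_ENV = {"APPDATA": r"C:\Users\user\AppData\Roaming", "windir": r"C:\Windows"}

# Directories where a legitimate svchost.exe lives; anything else is suspicious.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def image_path(command: str) -> str:
    """Return the executable path of a Run-key command line, minus quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]

def expand_windows_vars(path: str, env: dict) -> str:
    """Expand %VAR% references case-insensitively; unknown variables are left untouched."""
    lower_env = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lower_env.get(m.group(1).lower(), m.group(0)), path)

def find_rogue_svchost(run_entries: dict, env: dict) -> list:
    """Return the names of Run entries that start an svchost.exe outside System32/SysWOW64."""
    hits = []
    for name, command in run_entries.items():
        path = expand_windows_vars(image_path(command), env).lower()
        if os.path.basename(path.replace("\\", "/")) != "svchost.exe":
            continue
        directory = path.rsplit("\\", 1)[0]
        if directory not in LEGIT_SVCHOST_DIRS:
            hits.append(name)
    return hits

def read_run_key() -> dict:
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (Windows only)."""
    import winreg
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                return entries
            entries[name] = str(value)
            i += 1

if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    entries = read_run_key() if on_windows else SAMPLE_RUN_ENTRIES
    env = dict(os.environ) if on_windows else SAMPLE_ENV
    for name in find_rogue_svchost(entries, env):
        print(f"suspicious Run entry: {name} -> {entries[name]}")
```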

Milton_FTP_bruteforce_malware3
URLs are stored in the clear in memory.

Milton_FTP_bruteforce_malware

Data is transmitted in the clear, which is a bit lame.
The upload command delivers a malicious file to be executed on the infected computer.

Milton_FTP_bruteforce_malware4

The panel – the malware is also an FTP brute-forcer:

Milton_FTP_bruteforce_panel

Milton_FTP_bruteforce_panel2 Milton_FTP_bruteforce_panel3 Milton_FTP_bruteforce_panel4 Milton_FTP_bruteforce_panel5 Milton_FTP_bruteforce_panel6

Thanks to Kafeine for the help 🙂

EDIT January 22 – and now ZeroAccess/Sirefef

Still active via a Clicksor malvertising campaign, with many updates per day.

ZeroAccess_malvertising_clicksor
ZeroAccess_malvertising_clicksor2

Alongside the spambot, there is now one more file:

ZeroAccess_Rootkit3

It’s a ZeroAccess/Sirefef dropper with the rootkit component.
ZeroAccess_Rootkit

ZeroAccess_Rootkit2

It looks like TDSSKiller is not able to detect it; it depends on which driver is patched.
For example, there is no detection when serial.sys is patched (with mrxsmb it’s OK).
ZeroAccess_Rootkit5
Malwarebytes MBAR is able to detect it.
RogueKiller is also not able to detect the patch (but probably not for long… 😉 ).
ZeroAccess_Rootkit4

serial.sys patch: http://malwaredb.malekal.com/index.php?hash=745130e58847959543bb8525e4aca0e3

https://www.virustotal.com/file/4342543826fc7d353da85098a314047f1840ee754b0b2cc5cdffb0a6066f9614/analysis/

SHA256: 4342543826fc7d353da85098a314047f1840ee754b0b2cc5cdffb0a6066f9614
File name: 745130e58847959543bb8525e4aca0e3
Detection ratio: 11 / 46
Analysis date: 2013-01-22 16:20:57 UTC
AntiVir TR/Crypt.XPACK.Gen 20130122
Avast Win32:Rootkit-gen [Rtk] 20130122
BitDefender Gen:Variant.Barys.536 20130122
Emsisoft Gen:Variant.Barys.536 (B) 20130122
F-Secure Gen:Variant.Barys.536 20130122
GData Gen:Variant.Barys.536 20130122
Ikarus Rootkit.Win32.ZAccess 20130122
K7AntiVirus Virus 20130121
Malwarebytes Trojan.0Access 20130122
MicroWorld-eScan Gen:Variant.Barys.536 20130122
VIPRE Lookslike.Win32.Sirefef.ud (v) 20130122