[en] Milton FTP BruteForce Panel

Got this malware via malvertising: http://malwaredb.malekal.com/index.php?hash=c0b05d5bd8298025d1209ff17611bd6c
The dropper writes a %APPDATA%\svchost.exe file and also creates a Run key named svchost.exe to load it.

[Screenshot: Milton_FTP_bruteforce_malware3]
URLs are stored in the clear in memory:

[Screenshot: Milton_FTP_bruteforce_malware]

Data is transmitted in the clear, which is a bit lame.
An upload command delivers a malicious file to be executed on the infected computer.

[Screenshot: Milton_FTP_bruteforce_malware4]

The panel: the malware is also an FTP brute-forcer:

[Screenshot: Milton_FTP_bruteforce_panel]

[Screenshots: Milton_FTP_bruteforce_panel2, Milton_FTP_bruteforce_panel3, Milton_FTP_bruteforce_panel4, Milton_FTP_bruteforce_panel5, Milton_FTP_bruteforce_panel6]

Thanks to Kafeine for the help 🙂

EDIT January 22 – and now ZeroAccess/Sirefef

Still active via a Clicksor malvertising campaign, with many updates per day.

[Screenshot: ZeroAccess_malvertising_clicksor]
[Screenshot: ZeroAccess_malvertising_clicksor2]

Along with the spambot, there is now one more file:

[Screenshot: ZeroAccess_Rootkit3]

It’s a ZeroAccess/Sirefef dropper with the rootkit component.
[Screenshot: ZeroAccess_Rootkit]

[Screenshot: ZeroAccess_Rootkit2]

It looks like TDSSKiller is not able to detect it; it depends on which driver is patched.
For example, there is no detection when serial.sys is patched (with mrxsmb it’s OK).
[Screenshot: ZeroAccess_Rootkit5]
Malwarebytes MBAR is able to detect it.
RogueKiller is also not able to detect the patch (but probably not for long… 😉 ).
[Screenshot: ZeroAccess_Rootkit4]

Patched serial.sys: http://malwaredb.malekal.com/index.php?hash=745130e58847959543bb8525e4aca0e3
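As an added defender-side check (not code from the original post), the following PowerShell script looks for the two artefacts described above on the host under investigation: the dropper's %APPDATA%\svchost.exe Run-key persistence, and an Authenticode signature that no longer validates on serial.sys or mrxsmb.sys, the drivers the post says ZeroAccess patches. It assumes an elevated prompt on Windows 8 or later, where Get-AuthenticodeSignature also verifies catalog-signed OS binaries; the on-disk driver names are assumed from the post.

```powershell
# Added example, not the post's code. Assumes an elevated PowerShell session.
$suspectImage = Join-Path $env:APPDATA 'svchost.exe'

# 1. Run-key persistence: the dropper registers a Run value named svchost.exe
#    that points at a copy of itself under %APPDATA%.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        # Match the current user's %APPDATA% path or any roaming profile's path
        if ($expanded -match [regex]::Escape($suspectImage) -or
            $expanded -match '\\AppData\\Roaming\\svchost\.exe') {
            Write-Warning "Suspicious Run entry '$($p.Name)' in $key -> $expanded"
        }
    }
}
if (Test-Path $suspectImage) {
    $h = Get-FileHash -Path $suspectImage -Algorithm SHA256
    Write-Warning "Found $suspectImage (SHA256 $($h.Hash))"
}

# 2. Driver patching: ZeroAccess overwrites a legitimate Microsoft driver on
#    disk. A driver whose signature no longer validates has been modified.
#    Driver names are the ones the post mentions (assumption: same on-disk names).
$drivers = @('serial.sys', 'mrxsmb.sys')
foreach ($name in $drivers) {
    $path = Join-Path "$env:SystemRoot\System32\drivers" $name
    if (-not (Test-Path $path)) { Write-Output "$name not present"; continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$name signature status '$($sig.Status)': likely patched (SHA256 $hash)"
    } else {
        Write-Output "$name OK, signed by $($sig.SignerCertificate.Subject) (SHA256 $hash)"
    }
}
```

On older systems where catalog validation is not available this way, compare the reported SHA256 against a known-good copy of the driver from the install media instead.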

https://www.virustotal.com/file/4342543826fc7d353da85098a314047f1840ee754b0b2cc5cdffb0a6066f9614/analysis/

SHA256:          4342543826fc7d353da85098a314047f1840ee754b0b2cc5cdffb0a6066f9614
File name:       745130e58847959543bb8525e4aca0e3
Detection ratio: 11 / 46
Analysis date:   2013-01-22 16:20:57 UTC

Engine            Detection                          Update
AntiVir           TR/Crypt.XPACK.Gen                 20130122
Avast             Win32:Rootkit-gen [Rtk]            20130122
BitDefender       Gen:Variant.Barys.536              20130122
Emsisoft          Gen:Variant.Barys.536 (B)          20130122
F-Secure          Gen:Variant.Barys.536              20130122
GData             Gen:Variant.Barys.536              20130122
Ikarus            Rootkit.Win32.ZAccess              20130122
K7AntiVirus       Virus                              20130121
Malwarebytes      Trojan.0Access                     20130122
MicroWorld-eScan  Gen:Variant.Barys.536              20130122
VIPRE             Lookslike.Win32.Sirefef.ud (v)     20130122
