October 20th, 2006

Scary malware tricks part 1

Posted by Suzi Turner @ 11:57 am

Categories: Spyware/adware news


In keeping with the Halloween season, I’m starting a series on scary malware tricks, similar to last year’s series on spyware tricks. Perhaps my personal focus has changed, but it seems to me spyware tricks are becoming far more devious and destructive. Last year I was testing mostly adware, whereas this year I’m testing more trojans, backdoors, rootkits, etc. Also scary — botnets are reportedly growing in frightening numbers.

CNET’s Joris Evers reported on the recent Virus Bulletin Conference, saying the future of malware is trojan horses. Instant messaging worms are on the rise. Rootkit-based malware is spookiest, and some IM worms are infecting users with rootkits.

Just this week we learned that Apple shipped some iPods with a trojan (not to mention that Apple tried to push the blame onto Microsoft). In its announcement, Apple used the word virus, but it’s more like a worm with a backdoor trojan component.

The name of the malware process on the infected iPods is RavMone.exe. Symantec has a good description here, calling it W32.Rajump. When I first read the description, the name was Backdoor.Rajump, but either way, its malicious payload is the same. On initial infection, the malware creates RavMone.exe in the Windows directory and adds itself to a Run key in the registry to make sure it starts with every Windows boot-up. Symantec says it opens a TCP port and immediately tries to phone home to the following URLs:

  • [http://]natrocket.kmip.net:5288/ret[REMOVED]
  • [http://]natrocket.kmip.net:5288/ies[REMOVED]
  • [http://]natrocket.9966.org:5288/ies[REMOVED]
  • [http://]scipaper.kmip.net:80/ies[REMOVED]

What happens next is anyone’s guess, but with a backdoor, it can be ugly. Both domains shown appear to be Chinese, as seen here and here. There has been some speculation that perhaps the infected iPods were shipped from a “contract manufacturer”, using Apple’s words, in China, but I’ve not seen any confirmation of that. If anyone has a sample of RavMone.exe, I’d be interested in getting it to test. My ZDNet bio has a contact form here.
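A defender-side check built from the indicators in this post, as an added example that is not from the post or from Symantec: it flags a Run-key value that launches RavMone.exe and proxy-log requests to the phone-home hosts listed above. The proxy-log format, the sample Run entries and the sample log lines are constructed for the example; matching on the parent domains rather than only the exact hosts is this example's own assumption.

```python
from urllib.parse import urlsplit
# Indicators quoted in the post from Symantec's W32.Rajump write-up. The URL
# paths were truncated there ("[REMOVED]"), so matching is on host and port.
RUN_KEY_BINARY = "ravmone.exe"
C2_URLS = ["http://natrocket.kmip.net:5288/ret", "http://natrocket.kmip.net:5288/ies",
           "http://natrocket.9966.org:5288/ies", "http://scipaper.kmip.net:80/ies"]
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}
# Parent domains ("both domains shown" in the post). Matching on them is broader
# than the exact hosts and is this example's own assumption, so it is rated lower.
C2_DOMAINS = {".".join(h.split(".")[-2:]) for h in C2_HOSTS}

def image_path(command):
    """First token of a Run-key command line, surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def check_run_entries(entries):
    """(value_name, command) pairs from the HKLM/HKCU ...\\Run keys -> those launching RavMone.exe."""
    return [(name, image_path(cmd)) for name, cmd in entries
            if image_path(cmd).rsplit("\\", 1)[-1].lower() == RUN_KEY_BINARY]

def check_proxy_log(lines):
    """lines in a constructed format '<date> <time> <client_ip> <method> <url>'.
    Returns (client_ip, host, port, rating) for requests to the phone-home hosts."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash
        parts = urlsplit(fields[4])
        host = (parts.hostname or "").lower()
        if host in C2_HOSTS:
            rating = "c2_host"
        elif any(host.endswith("." + d) for d in C2_DOMAINS):
            rating = "c2_domain"
        else:
            continue
        hits.append((fields[2], host, parts.port or 80, rating))
    return hits

# Constructed sample input: a clean Run entry, the RavMone persistence entry, and
# three proxy requests (benign, exact C2 host, host under the same parent domain).
SAMPLE_RUN_ENTRIES = [("ctfmon", "C:\\WINDOWS\\system32\\ctfmon.exe"),
                      ("RavMone", '"C:\\WINDOWS\\RavMone.exe"')]
SAMPLE_PROXY_LOG = ["2006-10-20 11:57:01 10.0.0.7 GET http://www.example.com/index.html",
                    "2006-10-20 11:57:03 10.0.0.7 GET http://natrocket.kmip.net:5288/ret",
                    "2006-10-20 11:58:10 10.0.0.9 GET http://other.kmip.net/ies"]
```

Run against a real export, the Run-key check should be fed both the HKLM and HKCU Run values, since the post does not say which hive the malware uses.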

Another example of very scary technology is the Gromozon rootkit, aka Trojan.LinkOptimizer. I’ll write about Gromozon in the next article in the series.
