Wednesday, August 1, 2012

The virus uses a legitimate application

Trojan downloads malicious components using a trusted Windows application

The virus uses a legitimate application to hide its presence on the infected computer, as well as to download a backdoor component.

According to Symantec, attackers have recently been making active use of the malicious program Backdoor.Korplug, which the company's experts discovered in March of this year.

Backdoor.Korplug is an ordinary Trojan horse with some interesting differences: the virus uses a Microsoft application as an intermediary to disguise its presence on the infected computer, and it carries modules for capturing the screen image and keystrokes.


During the attacks, the attackers follow the standard scheme: they send the victim an email containing either a password-protected encrypted ZIP archive or a Microsoft Office document. Under the guise of these attachments, the hackers hide a Trojan that targets vulnerability CVE-2012-0158 in the Microsoft Windows Common Controls ActiveX component.

When the victim opens the attached file, the exploit for the vulnerability runs, and if the vulnerability has not been patched, a backdoor is installed on the victim's computer. Experts note that Microsoft has already fixed the MSCOMCTL.OCX RCE vulnerability in its products, so the malware can exploit it only on outdated versions of the software.

According to Symantec's researchers, exploiting the vulnerability is not the malware's most notable capability. Its core, downloaded onto the victim's computer, consists of three parts: rc.exe, rc.dll and rc.hlp. Noteworthy is the fact that the rc.exe component is a trusted Windows application. However, because it sits in the same directory as the malicious library rc.dll, it loads the malicious code instead of the legitimate library from the Windows system folder.
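The loading behaviour described above is Windows DLL search-order abuse: the loader consults the executable's own directory before the system directories, so a same-named DLL dropped beside a trusted EXE wins. The following is an added example, not code from the Symantec report or from the original post. It simulates that resolution order on a constructed file inventory, shows what changes when a process restricts its search to System32, and runs a simple defender-side check for the rc.exe/rc.dll pattern. The drop directory, the presence of a legitimate rc.dll in System32 and the file list are all assumptions made for illustration.

```python
"""Simulated Windows DLL search-order resolution and a side-loading detector.

Added example, not code from the Symantec report or the original post.
The file inventory is constructed: the post only says rc.exe, rc.dll and
rc.hlp sit in one directory; the drop path and the existence of a
legitimate rc.dll in System32 are assumptions for illustration.
"""

# Search order with SafeDllSearchMode enabled (the default): the directory
# of the executable is consulted first, before any system directory.  That
# ordering is what lets a same-named DLL beside a trusted EXE win.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows")

# A few real KnownDLLs: the loader maps these from System32 and never
# resolves them through the search path (subset, for illustration).
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}

# Constructed inventory of files on the simulated machine.
FILES = [
    r"C:\Windows\System32\rc.dll",                  # assumed legitimate library
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\victim\AppData\Local\Temp\rc.exe",   # trusted signed binary, dropped by the trojan
    r"C:\Users\victim\AppData\Local\Temp\rc.dll",   # attacker-supplied library
    r"C:\Users\victim\AppData\Local\Temp\rc.hlp",
    r"C:\Program Files\Editor\editor.exe",
    r"C:\Program Files\Editor\plugin.dll",          # private DLL, shadows nothing
]


def _norm(path):
    """Case-insensitive comparison key; Windows paths are case-insensitive."""
    return path.rstrip("\\").lower()


def resolve_dll(dll_name, app_dir, files, cwd=None, path_dirs=(), system32_only=False):
    """Return the path LoadLibrary(dll_name) would pick, or None if absent.

    system32_only models a process that called
    SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32), which removes the
    application directory and the current directory from the search.
    """
    present = {_norm(f) for f in files}
    if dll_name.lower() in KNOWN_DLLS or system32_only:
        order = [SYSTEM_DIRS[0]]
    else:
        order = [app_dir, *SYSTEM_DIRS]
        if cwd:
            order.append(cwd)
        order.extend(path_dirs)
    for directory in order:
        candidate = f"{directory}\\{dll_name}"
        if _norm(candidate) in present:
            return candidate
    return None


def find_sideload_candidates(files, system_dirs=SYSTEM_DIRS):
    """Flag DLLs outside the system directories that share a name with a
    system DLL and sit next to an executable: the rc.exe/rc.dll pattern.

    Returns a list of (dll_path, [exe names in the same directory]).
    """
    sys_keys = {_norm(d) for d in system_dirs}
    by_dir = {}
    for f in files:
        directory, _, name = f.rpartition("\\")
        by_dir.setdefault(_norm(directory), (directory, []))[1].append(name)
    system_dll_names = {
        n.lower() for key, (_, names) in by_dir.items() if key in sys_keys
        for n in names if n.lower().endswith(".dll")
    }
    findings = []
    for key, (directory, names) in by_dir.items():
        if key in sys_keys:
            continue
        exes = [n for n in names if n.lower().endswith(".exe")]
        if not exes:
            continue
        for n in names:
            if n.lower().endswith(".dll") and n.lower() in system_dll_names:
                findings.append((f"{directory}\\{n}", exes))
    return findings


if __name__ == "__main__":
    drop = r"C:\Users\victim\AppData\Local\Temp"
    print("rc.exe in the drop directory loads:", resolve_dll("rc.dll", drop, FILES))
    print("System32-only process loads:", resolve_dll("rc.dll", drop, FILES, system32_only=True))
    for dll, exes in find_sideload_candidates(FILES):
        print("side-load candidate:", dll, "beside", exes)
```

The detector only needs a file inventory, so it can be run against an endpoint export or a forensic image listing; in practice the same check is stronger when paired with code-signing verification of the DLL, since the legitimate library in System32 is signed and the dropped copy is not.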

More results from Symantec's research can be found here.
