Backdoor Trojan uses "magic code" to contact C&C server
Posted on 18.04.2013
Researchers from security firm Seculert have unearthed a curious piece of backdoor-opening malware.

Once the malware is installed and run, it first contacts the C&C server over HTTP. After that initial contact, the C&C server instructs it to keep communicating with the same IP address and port but to switch to a custom-made protocol, and to begin every message with (literally) "some magic code".

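The behaviour just described, an HTTP first contact followed by a custom protocol on the same server and port with a fixed leading byte sequence, is something a network defender can look for without knowing the malware's actual magic value. The following is an added example (not code from the article or from Seculert): it groups client-to-server payloads per destination, flags flows that open with a valid HTTP request and then stop looking like HTTP, and recovers the bytes those later messages share so they can be used as a signature. The packet records and the `MAGIC` value are constructed placeholders, and HTTP `Upgrade` negotiations (e.g. WebSocket) are excluded because they are a legitimate reason for a connection to change protocol.

```python
"""Flag clients that open with HTTP and then switch to a custom protocol on the
same server:port, recovering the shared leading bytes ("magic code").
Added example; SAMPLE_PACKETS and MAGIC are constructed, not the real sample's."""
from collections import defaultdict
from dataclasses import dataclass

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def looks_like_http(payload: bytes) -> bool:
    """Plausible HTTP/1.x request: method token and HTTP/1.x version on line one."""
    if not payload.startswith(HTTP_METHODS):
        return False
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.endswith((b" HTTP/1.0", b" HTTP/1.1"))


def declares_upgrade(payload: bytes) -> bool:
    """An HTTP Upgrade header (WebSocket, h2c) legitimately changes the protocol
    on the same connection, so such flows must not raise an alert."""
    headers = payload.split(b"\r\n\r\n", 1)[0].lower()
    return b"\r\nupgrade:" in headers


def common_prefix(chunks) -> bytes:
    """Longest leading byte string shared by every chunk."""
    if not chunks:
        return b""
    prefix = chunks[0]
    for chunk in chunks[1:]:
        i = 0
        limit = min(len(prefix), len(chunk))
        while i < limit and prefix[i] == chunk[i]:
            i += 1
        prefix = prefix[:i]
    return prefix


@dataclass
class Verdict:
    flagged: bool
    reason: str
    magic: bytes = b""


def analyse_flow(client_payloads, min_magic_len: int = 4) -> Verdict:
    """client_payloads: client->server payloads to one server:port, in time order."""
    if not client_payloads or not looks_like_http(client_payloads[0]):
        return Verdict(False, "does not open with HTTP")
    if declares_upgrade(client_payloads[0]):
        return Verdict(False, "HTTP Upgrade negotiated; protocol switch expected")
    custom = [p for p in client_payloads[1:] if not looks_like_http(p)]
    if not custom:
        return Verdict(False, "all payloads are HTTP")
    # A prefix is only meaningful once two or more custom messages can be compared.
    magic = common_prefix(custom) if len(custom) >= 2 else b""
    if len(magic) >= min_magic_len:
        return Verdict(True, "HTTP then custom protocol with fixed leading bytes", magic)
    return Verdict(True, "HTTP then custom protocol (no stable prefix yet)")


def scan(packets, min_magic_len: int = 4):
    """Group (src, dst, dport, payload) records per client->server:port and
    return {(src, dst, dport): Verdict} for every flagged flow."""
    flows = defaultdict(list)
    for src, dst, dport, payload in packets:
        flows[(src, dst, dport)].append(payload)
    verdicts = ((key, analyse_flow(p, min_magic_len)) for key, p in flows.items())
    return {key: v for key, v in verdicts if v.flagged}


# Constructed sample traffic. MAGIC is a placeholder, not the real malware's value.
MAGIC = b"\xde\xad\xbe\xef"
SAMPLE_PACKETS = [
    ("10.0.0.5", "198.51.100.7", 80, b"GET /check HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"),
    ("10.0.0.5", "198.51.100.7", 80, MAGIC + b"\x01\x00\x00\x00REGISTER"),
    ("10.0.0.5", "198.51.100.7", 80, MAGIC + b"\x02\x00\x00\x00BEACON"),
    ("10.0.0.5", "203.0.113.9", 80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("10.0.0.5", "203.0.113.9", 80, b"GET /style.css HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("10.0.0.5", "203.0.113.10", 80, b"GET /ws HTTP/1.1\r\nHost: chat.example\r\nUpgrade: websocket\r\n\r\n"),
    ("10.0.0.5", "203.0.113.10", 80, b"\x81\x85binaryframe"),
]

if __name__ == "__main__":
    for key, verdict in scan(SAMPLE_PACKETS).items():
        print(key, verdict.reason, verdict.magic.hex())
```

Run stand-alone, the script reports only the first constructed flow, with the recovered prefix `deadbeef`. The recovered prefix is what an analyst would then turn into an IDS signature for that server and port; the heuristic itself is intentionally loose (any non-HTTP traffic after an HTTP request on the same port) and is meant as a triage filter over captured traffic, not a verdict on its own.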
The malware is also instructed to create a backdoor account, giving the attackers persistent access to the machine, although they do not currently appear to be using it.

"As the malware is capable of setting up a backdoor, stealing information, and injecting HTML into the browser, we believe that the current phase of the attack is to monitor the activities of their targeted entities," Seculert's Aviv Raff pointed out, adding that the fact that the malware is capable of downloading and executing additional malicious files might indicate that this is just the first phase of a much broader attack.

It is also worth noting that the malware sample they first detected had been on the infected computer for nearly a year, and that of the several thousand distinct entities they have since found to be targeted, most (78 percent) are located in the UK.