http://www.crn.com/sections/breaking...leId=164904300
By TechWeb News
1:27 PM EDT Thu. Jun. 30, 2005
A new Trojan is using a sophisticated technique to cut off infected
computers from anti-virus and security vendors' update sites, the Finnish
firm F-Secure said Thursday.
It's not uncommon for worms and Trojan horses to sever links to update
sites, but until recently, said F-Secure, the method has been different:
modifying the Windows HOSTS file to redirect the domains of popular security
vendors to the local host so that the browser returns a blank page or error.
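The HOSTS-file redirection described above is easy to check for from the defender's side. The following Python is an added example written for this page, not code from the CRN report or from F-Secure: it parses HOSTS-file text and flags any security-vendor hostname mapped to a loopback or unspecified address. The vendor list comes from the article; the specific hostnames, the sample file contents and the helper names are constructed assumptions.

```python
import ipaddress
import os

# Constructed sample HOSTS file (not captured from a real infection). Two vendor
# update hosts have been appended after the stock "localhost" line, which is the
# pattern the article describes.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.f-secure.com
127.0.0.1       update.symantec.com   # appended by malware (constructed)
0.0.0.0         liveupdate.symantecliveupdate.com
192.168.1.10    intranet.example.local
"""

# Domain suffixes of the vendors named in the article. The suffixes themselves
# are assumptions; extend the tuple to match your own environment.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "ca.com", "f-secure.com",
    "mcafee.com", "sophos.com", "symantec.com", "symantecliveupdate.com",
    "trendmicro.com",
)

# Location of the HOSTS file on Windows.
WINDOWS_HOSTS_PATH = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS-file text, ignoring comments and junk."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:                     # not an address; skip the line
            continue
        for host in parts[1:]:                 # one line may list several names
            entries.append((ip, host.lower()))
    return entries


def is_sinkhole(ip):
    """True for addresses that make the name resolve nowhere useful."""
    return ip.is_loopback or ip.is_unspecified


def matches_watched(host):
    """True when host is a watched domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_blocked_vendors(text):
    """Hostnames of watched vendors that this HOSTS text redirects to a sinkhole."""
    flagged = []
    for ip, host in parse_hosts(text):
        if host == "localhost":                # the one legitimate loopback entry
            continue
        if is_sinkhole(ip) and matches_watched(host):
            flagged.append(host)
    return flagged


def scan_hosts_file(path=WINDOWS_HOSTS_PATH):
    """Read a HOSTS file from disk and return the flagged hostnames."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_blocked_vendors(fh.read())


if __name__ == "__main__":
    for host in find_blocked_vendors(SAMPLE_HOSTS):
        print("HOSTS redirects security vendor host to sinkhole:", host)
```

Run it against the real file with `scan_hosts_file()` on a Windows machine; any non-empty result is worth an alert, since legitimate HOSTS files rarely sinkhole vendor update names. Note that this check does not cover the Fantibag.b technique the article goes on to describe, because that Trojan drops packets with filtering policies rather than editing HOSTS.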
This Trojan, dubbed Fantibag.b by F-Secure (and Fantibag.a by Computer
Associates), however, blocks access by creating packet filtering policies
using the Microsoft RAS packet filtering API. The result: all inbound and
outbound packets between the user's machine and any of the 100+ filtered IP
addresses are then dropped, essentially cutting communication and preventing
updates -- such as new malware signatures -- from being downloaded.
Among the filtered IP addresses are those belonging to Microsoft (including
Windows Update), Computer Associates, F-Secure, McAfee, Sophos, Symantec, and
Trend Micro.
Fantibag.b sports a tenuous connection with the more prevalent Mitglieder
Trojan, said Computer Associates; the former may be downloaded to systems
already compromised by Mitglieder.