New Trojan Filtering Packets To Isolate Users

A new Trojan is using a sophisticated technique to cut off infected computers from anti-virus and security vendors' update sites, the Finnish firm F-Secure says.



A new Trojan is using a sophisticated technique to cut off infected computers from anti-virus and security vendors' update sites, the Finnish firm F-Secure said Thursday.

It's not uncommon for worms and Trojan horses to sever links to update sites, but the until recently, said F-Secure, the method has been different: modifying the Windows HOSTS file to redirect the domains of popular security vendors to the local host so that the browser returns a blank page or error.

This Trojan, dubbed Fantibag.b by F-Secure (and Fantibag.a by Computer Associates), however, blocks access by creating packet filtering policies using the Microsoft RAS packet filtering API. The result: all inbound and outbound packets between the user's machine and any of the 100+ filtered IP addresses are then dropped, essentially cutting communication and preventing updates -- such as new malware signatures -- from being downloaded.

Among the filtered IP addresses are those belonging to Microsoft (including Windows Update), Computer Associates, F-Secure, McAfee, Sophos, Symantec, and Trend Micro.

Fantibag.b sports a tenuous connection with the more prevalent Mitglieder Trojan, said Computer Associates; the former may be downloaded to systems already compromised by Mitglieder.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Email This  | 
Print  | 
RSS
More Insights
Copyright © 2021 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service