A new Trojan is using a sophisticated technique to cut off infected computers from anti-virus and security vendors' update sites, the Finnish firm F-Secure said Thursday.
It's not uncommon for worms and Trojan horses to sever links to update sites, but until recently, said F-Secure, the method has been different: modifying the Windows HOSTS file to redirect the domains of popular security vendors to the local host, so that the browser returns a blank page or an error.
This Trojan, dubbed Fantibag.b by F-Secure (and Fantibag.a by Computer Associates), instead blocks access by creating packet filtering policies through the Microsoft RAS packet filtering API. The result: all inbound and outbound packets between the user's machine and any of the 100+ filtered IP addresses are dropped, essentially cutting communication and preventing updates -- such as new malware signatures -- from being downloaded.
Among the filtered IP addresses are those belonging to Microsoft (including Windows Update), Computer Associates, F-Secure, McAfee, Sophos, Symantec, and Trend Micro.
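The HOSTS-file variant of this technique is the one a defender can audit with a few lines of code. The following is an added example, not code from the article or from any vendor it names: it parses HOSTS-file text and flags any entry that overrides a security vendor's domain, reporting whether the override points at loopback, at the 0.0.0.0 null address, or at some other fixed address. The vendor domain list and the sample HOSTS content are constructed assumptions for illustration.

```python
import ipaddress

# Domains of the vendors named in the article. This list is an assumption for
# the example; a real audit would use the organisation's own vendor list.
VENDOR_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "ca.com", "f-secure.com",
    "mcafee.com", "sophos.com", "symantec.com", "trendmicro.com",
)

# Constructed sample HOSTS content containing both benign and suspicious lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com liveupdate.symantec.com   # vendor redirected to loopback
0.0.0.0 update.microsoft.com
127.0.0.1 f-secure.com
192.168.1.20 intranet.example.local
"""


def parse_hosts(text):
    """Return (address, hostname) pairs from HOSTS text, ignoring comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:                    # not an IP literal: skip the line
            continue
        for name in parts[1:]:                # one address may map several names
            entries.append((addr, name.lower()))
    return entries


def is_vendor_host(name):
    """True when the hostname is a vendor domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def classify(addr):
    """Describe what kind of override an address represents."""
    if addr.is_loopback:
        return "redirected to loopback"
    if addr.is_unspecified:
        return "redirected to 0.0.0.0 (null route)"
    return "pinned to %s" % addr


def find_vendor_overrides(text):
    """List (hostname, address, reason) for every vendor domain found in HOSTS text."""
    return [
        (name, str(addr), classify(addr))
        for addr, name in parse_hosts(text)
        if is_vendor_host(name)
    ]


if __name__ == "__main__":
    for name, addr, reason in find_vendor_overrides(SAMPLE_HOSTS):
        print("%-28s %-12s %s" % (name, addr, reason))
```

On a live Windows host the same function can be fed the contents of `%SystemRoot%\System32\drivers\etc\hosts`; any vendor domain appearing there at all is worth investigating, since a clean HOSTS file normally carries only loopback entries for `localhost`. The packet-filter method the article attributes to Fantibag.b leaves no trace in HOSTS, so this check covers only the older technique; for the newer one, failed connections to update servers despite a working network are the symptom to look for.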
Fantibag.b sports a tenuous connection with the more prevalent Mitglieder Trojan, said Computer Associates; the former may be downloaded to systems already compromised by Mitglieder.