
June 12, 2005

Cerberus-like Attack for Botnet Formation

I thought that this article from eWeek highlighted only the beginning of what we will start to see with increasing frequency: multi-staged attacks. I just called this attack 'Cerberus-like' because it is a three-step attack.

In outline, the first trojan (Win32.Glieder.AK) downloads further malware from a hard-coded list of URLs and disables various security measures, such as the host firewall. The second trojan (Win32.Fantibag.A) ensures that anti-virus software and Windows Update stay disabled. The third trojan (Win32.Mitglieder.CT) is the one that actually puts the host under the attacker's control; presumably the attacker will assemble large botnets from these hosts.
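The staged structure is also what makes the attack detectable on the host, if you correlate events rather than looking at each stage alone. The following is an added example, not code from the original post and not derived from the actual samples: it walks constructed process and network log lines, classifies each line as a possible stage indicator (firewall disabled, update/security service stopped, outbound connection to an assumed C2 port), and reports per host whether the three indicators occurred in order within a time window. The log format, hostnames, IP addresses, the `netsh`/`net stop` command strings and the choice of IRC ports as C2 are all assumptions made for illustration.

```python
"""Correlate host events into a three-stage malware install chain.

Added example. The log below is constructed for illustration and the
indicator patterns are generic assumptions about what each stage of a
chain like the one described might leave behind; they are not taken
from the Glieder/Fantibag/Mitglieder samples.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). One event per line:
#   <ISO timestamp> <host> <PROC|NET> <details>
SAMPLE_LOG = """\
2005-06-12T13:01:05 ws17 PROC parent=outlook.exe image=C:\\Temp\\attach.exe
2005-06-12T13:01:09 ws17 NET image=C:\\Temp\\attach.exe dst=198.51.100.7:80
2005-06-12T13:01:11 ws17 PROC parent=attach.exe image=netsh.exe cmd="netsh firewall set opmode disable"
2005-06-12T13:01:30 ws17 PROC parent=attach.exe image=C:\\Temp\\s2.exe
2005-06-12T13:01:33 ws17 PROC parent=s2.exe image=net.exe cmd="net stop wuauserv"
2005-06-12T13:02:10 ws17 PROC parent=attach.exe image=C:\\Temp\\s3.exe
2005-06-12T13:02:14 ws17 NET image=C:\\Temp\\s3.exe dst=203.0.113.9:6667
2005-06-12T13:05:00 ws22 PROC parent=cmd.exe image=netsh.exe cmd="netsh firewall set opmode disable"
2005-06-12T13:40:00 ws22 NET image=C:\\Temp\\x.exe dst=203.0.113.9:6667
"""

# Stage order the post describes: firewall off, updates/AV off, C2 check-in.
STAGES = ("firewall_disabled", "updates_stopped", "c2_connection")

# Assumed indicators. "netsh firewall set opmode disable" is the XP SP2
# syntax for turning the host firewall off; wuauserv is Windows Update and
# wscsvc the Security Center service.
FIREWALL_RE = re.compile(r"netsh firewall set opmode (?:mode=)?disable")
SERVICE_RE = re.compile(r"(?:net stop|sc (?:stop|config)) +(?:wuauserv|wscsvc)\b")
DST_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
C2_PORTS = {6667, 6668, 6669}  # IRC ports, assumed here to be the C2 channel


def classify(kind, details):
    """Map one event to a stage name, or None if it is not an indicator."""
    if kind == "PROC" and FIREWALL_RE.search(details):
        return "firewall_disabled"
    if kind == "PROC" and SERVICE_RE.search(details):
        return "updates_stopped"
    if kind == "NET":
        m = DST_RE.search(details)
        if m and int(m.group(2)) in C2_PORTS:
            return "c2_connection"
    return None


def find_chains(log_text, window=timedelta(minutes=10)):
    """Return {host: {"stages": [(stage, ts), ...], "complete": bool}}.

    Stages must appear in the expected order, each within `window` of the
    previous matched stage; an indicator that arrives out of order or too
    late is ignored rather than starting a new chain.
    """
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, details = line.split(" ", 3)
        by_host[host].append((datetime.fromisoformat(ts), kind, details))

    results = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        matched = []  # (stage, timestamp) pairs in chain order
        for ts, kind, details in events:
            if len(matched) == len(STAGES):
                break
            stage = classify(kind, details)
            if stage != STAGES[len(matched)]:
                continue  # not the next expected stage
            if matched and ts - matched[-1][1] > window:
                continue  # too long after the previous stage
            matched.append((stage, ts))
        if matched:
            results[host] = {"stages": matched, "complete": len(matched) == len(STAGES)}
    return results


if __name__ == "__main__":
    for host, info in find_chains(SAMPLE_LOG).items():
        names = " -> ".join(s for s, _ in info["stages"])
        print(f"{host}: {names} ({'FULL CHAIN' if info['complete'] else 'partial'})")
```

On the constructed log, ws17 shows all three stages within about a minute and is flagged as a full chain, while ws22 has the firewall turned off and, much later, an IRC connection but no update/AV tampering in between, so it is reported as partial. Requiring the order the post describes keeps the false-positive rate down (an admin running `netsh` by hand is not a chain), at the cost of missing variants that reorder or skip a stage; for real telemetry you would tune the window and add the process lineage (each stage being spawned by the previous one) as a further condition.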

Although this is a complicated attack, it is a clever one. For one thing, splitting the work across three pieces makes identifying the source of the attack more difficult: only the first stage has to reach the victim directly, and the later stages are fetched from wherever the hard-coded URLs point. Also, according to Symantec's write-up of the first trojan in the three-stage attack, that trojan may itself be emailed out as part of a Beagle worm variant, so is this really a four-stage attack?

Whether honeyclients will be useful for studying this attack depends on how the first trojan arrives: by exploiting a vulnerability in a Windows server service, or by exploiting a vulnerability in a client, such as IE. In the first case, honeypots would probably be more useful; in the latter, honeyclients. If it is simply mailed out as an attachment, as the Symantec note suggests it may be, the "client" being exploited is the mail reader and the user who opens it, and neither kind of sensor will see it unless it also receives and opens mail.

Posted by Kathy at June 12, 2005 02:00 PM
