12/21/2005

Rootkit Installs BitTorrent Without You Knowing

By Aviran Mordo @ 11:01 am

The first rootkit in instant-messaging land was discovered and, upon further investigation, was traced back to a group operating out of the Middle East, using the rootkits to power their globe-spanning botnet. Information was passed to the FBI and other federal authorities, and the group behind this attack was monitored.

As the investigations into the Middle East-based rootkit group continued, we discovered that they were auto-installing what appeared to be a “tampered with” version of BitTorrent onto infected end users’ PCs. MD5 signatures did not match those of valid versions of BitTorrent, though as BitTorrent is open source and there are numerous clients out there, it is impossible to say if every version has been looked at.

What we do know is that on a number of infected machines, they downloaded .AVI files of movies onto the compromised boxes. The slightly odd collection of films was various Disney cartoons and the Mr Bean movie. No more films were installed onto PCs after this - however the technique (and, we must assume, the tampered-with versions of BitTorrent) are still at large.

We have not seen this kind of attack initiated before - and for now, you would need to have been infected with the lockx.exe rootkit for the group to channel these movie files (and install the BitTorrent client) onto the PC. Nonetheless, it is clear that this tactic could be employed for far more devious means, and (no doubt) more and more hacking groups will try to manipulate this technology for their own ends in 2006. The potential for trouble with groups such as the RIAA where (what they will see as) pirated material is stored on the compromised PC is clear - will they be interested in whether or not the individual had been hacked at the outset?

Source: spywareguide

 
