Wednesday, February 6, 2013

Elusive Trojan displays advertising messages in pop-up browser windows


Symantec Corp. has detected a Trojan that steers the user toward potentially dangerous content and displays advertising messages in pop-up browser windows.

The sites the user has open are not themselves infected and are not connected in any way with the contents of the pop-up window. The program uses the Sender Policy Framework (SPF) to ensure reliable communication between infected computers and the attackers' servers and to bypass standard security features.

For virus writers it is important to have a reliable connection between their malware, running on infected computers, and their own server, so that the malicious program can receive instructions and updates at any time. However, a gateway or software firewall may stand between the malware and the command server, or the connection may be blocked by an intrusion prevention system (IPS). So malware authors try to get around these protections. Recently, Symantec experts found a Trojan that uses SPF (Sender Policy Framework) for this purpose, a technology originally created to confirm the legitimacy of mail servers in order to filter spam.


SPF works by sending a query to a DNS server and analysing its response. If the sender's DNS server is configured to use SPF, the DNS response contains the SPF data as a text (TXT) string.

The malware authors' idea is that, by using SPF, a domain or IP address can be obtained through a DNS query, and the query does not have to come directly from the infected computer. A network usually has a local caching DNS server, which forwards the request received from the local computer on its own behalf.
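One way a defender could look for this behaviour in resolver logs, as an added example that is not from the original article or from Symantec: SPF checks are normally performed by mail servers, so the code below flags SPF TXT answers delivered to any other host and lists the addresses and names those answers carry. The log format, client addresses, domain names and the `MAIL_SERVERS` allow-list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample resolver log: timestamp, client IP, query type, name, answer.
# The format, hosts and domains are invented for illustration.
SAMPLE_LOG = """\
2013-02-06T10:00:01 10.0.0.25 A www.example.com 192.0.2.10
2013-02-06T10:00:02 10.0.0.5 TXT partner.example.net "v=spf1 ip4:198.51.100.0/24 -all"
2013-02-06T10:00:07 10.0.0.77 TXT cdn-check.example.org "v=spf1 ip4:203.0.113.45 a:ads.example.org -all"
2013-02-06T10:00:09 10.0.0.77 TXT example.com "google-site-verification=abc123"
2013-02-06T10:05:07 10.0.0.77 TXT cdn-check.example.org "v=spf1 ip4:203.0.113.46 -all"
"""

MAIL_SERVERS = {"10.0.0.5"}  # assumption: hosts expected to perform SPF checks

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$')
# SPF mechanisms and modifiers that can carry a host name or an address
MECH_RE = re.compile(r'\b(ip4|ip6|a|mx|include|exists|redirect)[:=]([^\s"]+)')

def find_spf_lookups(log_text, mail_servers=MAIL_SERVERS):
    """Return {client: [(name, [(mechanism, value), ...]), ...]} for SPF TXT
    answers delivered to clients that are not known mail servers."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines
        _ts, client, qtype, name, answer = m.groups()
        if qtype.upper() != "TXT":
            continue  # only TXT answers can carry an SPF string
        txt = answer.strip().strip('"')
        if not txt.lower().startswith("v=spf1"):
            continue  # other TXT uses (site verification etc.) are ignored
        if client in mail_servers:
            continue  # expected SPF activity
        hits[client].append((name, MECH_RE.findall(txt)))
    return dict(hits)

if __name__ == "__main__":
    for client, lookups in find_spf_lookups(SAMPLE_LOG).items():
        print(f"{client}: {len(lookups)} SPF TXT lookup(s) from a non-mail host")
        for name, mechs in lookups:
            print(f"  {name} -> {mechs}")
```

Because the caching DNS server forwards queries on its own behalf, this check has to run on that server's client-side query log; at the network edge every lookup appears to come from the resolver.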

Obviously, the goal of these attacks is to make money by offering downloads of potentially harmful content and by generating clicks on advertising links.
