Tuesday, September 10, 2013

New backdoor intercepts input data from the keyboard

The company Dr. Web has warned of the spread of the malware BackDoor.Saker.1, which bypasses User Account Control (UAC). The main functions of BackDoor.Saker.1 are to execute commands received from the attackers and, above all, to intercept the keys pressed by the user (keylogging).

Once it has penetrated the target computer, the Trojan runs the file temp.exe, which is designed to circumvent the system's UAC (User Account Control). This file extracts from its resources a library used to bypass UAC and injects it into the explorer.exe process. The library is then saved to a system folder. When the system utility Sysprep is started, the library launches the malicious application ps.exe, which Dr.Web anti-virus software detects as Trojan.MulDrop4.61259. ps.exe in turn saves another library to a different folder and registers it in the Windows registry as a service named "Net Security Service" with the following description: "keep watch on system security and configuration.if this services is stopped, protoected content might not be down loaded to the device". The main malicious functionality of the backdoor resides in this library.

Once running, BackDoor.Saker.1 collects and sends the attackers information about the infected computer, including the Windows version, processor speed, amount of physical RAM, machine name, user name and hard disk serial number. Next, the Trojan creates a file in a system folder in which it records the keys the user presses on the keyboard. The backdoor then waits for a response from the remote server, which may contain the following commands: reboot, shut down, self-delete, start a separate thread to execute commands through the shell, or run its own file manager, which can upload files from the user's machine, download files from the network, create folders, and delete, move and run files.
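As an added defender-side example (not Dr.Web's code and not part of the original post), the following Python triage routine flags the two observable steps of the chain described above in ordinary host telemetry: Sysprep spawning an executable from outside its own directory, and the installation of a service carrying the quoted name or description. The telemetry records, the ps.exe path and the service binary path are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVICE_NAME = "net security service"      # persistence service name from the write-up
DESCRIPTION_MARKER = "protoected content"   # misspelling carried in the malicious description
ABUSED_PARENT = r"\system32\sysprep\sysprep.exe"

@dataclass
class Finding:
    rule: str
    detail: str

def check_process(parent: str, image: str) -> Optional[Finding]:
    """Flag Sysprep spawning an executable that lives outside its own directory."""
    parent_l, image_l = parent.lower(), image.lower()
    sysprep_dir = parent_l.rsplit("\\", 1)[0]
    if parent_l.endswith(ABUSED_PARENT) and not image_l.startswith(sysprep_dir):
        return Finding("sysprep-child", f"{parent} spawned {image}")
    return None

def check_service(name: str, description: str, image_path: str) -> Optional[Finding]:
    """Match the persistence service on its name or its tell-tale description text."""
    if name.lower() == SERVICE_NAME or DESCRIPTION_MARKER in description.lower():
        return Finding("saker-service", f"service '{name}' -> {image_path}")
    return None

def triage(events: List[Dict[str, str]]) -> List[Finding]:
    # Run both rules over a mixed stream of process-creation and service-install records.
    findings = []
    for ev in events:
        hit = None
        if ev["type"] == "process":
            hit = check_process(ev["parent"], ev["image"])
        elif ev["type"] == "service":
            hit = check_service(ev["name"], ev["description"], ev["image_path"])
        if hit is not None:
            findings.append(hit)
    return findings

# Constructed sample telemetry, not captured from an infection; the ps.exe path is a placeholder.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\sysprep\sysprep.exe", "image": r"C:\Users\Public\ps.exe"},
    {"type": "service", "name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe",
     "description": "Loads files to memory for later printing."},
    {"type": "service", "name": "Net Security Service", "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "description": "keep watch on system security and configuration.if this services is stopped, "
                    "protoected content might not be down loaded to the device"},
]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```

Feed `triage` with process-creation and service-installation (System log event 7045) records exported from the hosts under review; the benign records in the sample show both rules stay quiet on ordinary activity.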
