back to article New mystery Windows-smashing RAT found in corporate network

Malware man Yotam Gottesman has found a somewhat mysterious remote access Trojan on a corporate network that sports highly capable evasion techniques. The Ensilo researcher says the Trojan, dubbed Moker, is not known to antivirus databases and can bypass and disable Windows security measures. Bypassed security systems …

finally...

"A test in our labs revealed that under certain circumstances Moker communicated with a server registered in Montenegro. The Montengro-based server was referred by several other domains registered in African countries. It’s important to note however that these registered domains cannot give an indication of the threat actor’s identity or physical location as it certainly makes sense to think that the threat actor either used compromised servers or purchased dedicated-only servers in other locations to confuse researchers and law enforcement agencies."

Makes a change - shame everyone else just jumps straight on the "it communicated with a server in China, therefore it's clearly the Chinese" idiocy-bandwagon?

13
2
Bronze badge

Re: finally...

"it communicated with a server in China, therefore it's clearly the Chinese"

You would expect such sites to be spread like butter around the world for exactly the reason you say. Criminals and the computers they control should be scattered randomly.

A concentration in one area or another is interesting data. Do we have more criminals? Do we have stupider sysadmins? My politics would insist that neither could be true. But alternative explanations don't seem to accompany reports of incursions.

0
0
Anonymous Coward

In what country was the infected network? What type of industry?

3
0
Silver badge

Sounds like FUD.

The linked-to article goes to great lengths to tell you all the ways in which the attack might destroy your system's integrity & that there's "nothing you can do about it - infection is inevitable". It refuses to give any substantive means of protecting oneself, but ALSO claims that their AV product already protects against the attack. Any AV/Malware/Scumware agent that screams about a new attack, fails to say how to protect against it, and then claims that their own product is the "only way to be safe" smacks of FUD of the scummiest sort.

How does it get on the computer? In two parts: part one is a dropper that later downloads the malicious parts. Ok, but how does the dropper get on? What's the dropper called? What do we need to look for in order to find out if we're infected? What process' do we need to look for to see if it's running on our machine?

It bypasses UAC, EMIT, AV (except their own), and Windows' own security to create a second User Account with RDP privs. What's the Account name? How does it create the account if the SysOp has configured Windows to require something other than the default Admin password to create such accounts? What if the RDP function has been Disabled as a Service? Does the attack turn it back on? What if it needs a password in order to do that?

They tell you to look for unusual malicious traffic on your network as an indicator of the infection, but then fail to say what KIND of traffic. Are we talking specific protocols/ports to specific IP/URL's? Is this something that can be blocked via the Hosts file? By a properly configured router/firewall/nat layer?

The whole thing just smells of FUD. If I'm wrong then I'll admit it, but if I *am* then why haven't these guys given us any means by which to deflect the attack, mitigate it once it's infected, or how to clean it off if it has? Telling us that their AV product already protects us from it without telling us HOW makes me think "BULLSHIT!"

53
0
Bronze badge

Re: Sounds like FUD.

@ Shadow Systems

I totally agree, i guess this is how the researcher earns his money:

scare the world

provide enough detail to scare the purse string holders

ensure / claim your product can fix it ensuring you earn some money.

the same technique is used all over the place, climate research, insurance, health, nutritional supplements, fitness, car emission tests, cleaning products. the list is endless

5
0
Black Helicopters

Re: Sounds like FUD.

To be fair to enSilo they have posted a more detailed analysis of the malware and its characteristics on their blog:

http://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/

4
0
Bronze badge

Re: Sounds like FUD.

It is pretty clear what the solution is: "Only affects Windows".

6
5

Coincidence?

This article appears next to a sidebar picture of Edward Snowden.

2
1
Silver badge

"moker"

means "hammer" in dutch (usually a sledge hammer). I think this malware is a bit too subtle for the name.

0
0
Anonymous Coward

Hey guys...

Microsoft means SECURITY. Didn't you get that memo?

7
4
Silver badge

That memo was lost last millennium already.

There is serious question as to whether it was ever sent.

3
2
Silver badge

found it! marked as spam, sitting in the junk folder! I like looking for Russian brides...

0
0
Silver badge

Laundry list

of everything you'd never want happening all in one package. Ouch

0
0
Anonymous Coward

They probably have to insert this bullet manually anyways

"by creating a new user account and opening a RDP channel to gain remote control of the victim’s device."

Yeah we never audit our Local or Network accounts.... lol

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017