New mystery Windows-smashing RAT found in corporate network Malware man Yotam Gottesman has found a somewhat mysterious remote access Trojan on a corporate network that sports highly capable evasion techniques. The Ensilo researcher says the Trojan, dubbed Moker, is not known to antivirus databases and can bypass and disable Windows security measures. Bypassed security systems …
"A test in our labs revealed that under certain circumstances Moker communicated with a server registered in Montenegro. The Montengro-based server was referred by several other domains registered in African countries. It’s important to note however that these registered domains cannot give an indication of the threat actor’s identity or physical location as it certainly makes sense to think that the threat actor either used compromised servers or purchased dedicated-only servers in other locations to confuse researchers and law enforcement agencies."
Makes a change - shame everyone else just jumps straight on the "it communicated with a server in China, therefore it's clearly the Chinese" idiocy-bandwagon?
"it communicated with a server in China, therefore it's clearly the Chinese"
You would expect such sites to be spread like butter around the world for exactly the reason you say. Criminals and the computers they control should be scattered randomly.
A concentration in one area or another is interesting data. Do we have more criminals? Do we have stupider sysadmins? My politics would insist that neither could be true. But alternative explanations don't seem to accompany reports of incursions.
The linked-to article goes to great lengths to tell you all the ways in which the attack might destroy your system's integrity & that there's "nothing you can do about it - infection is inevitable". It refuses to give any substantive means of protecting oneself, but ALSO claims that their AV product already protects against the attack. Any AV/Malware/Scumware agent that screams about a new attack, fails to say how to protect against it, and then claims that their own product is the "only way to be safe" smacks of FUD of the scummiest sort.
How does it get on the computer? In two parts: part one is a dropper that later downloads the malicious parts. Ok, but how does the dropper get on? What's the dropper called? What do we need to look for in order to find out if we're infected? What process' do we need to look for to see if it's running on our machine?
It bypasses UAC, EMIT, AV (except their own), and Windows' own security to create a second User Account with RDP privs. What's the Account name? How does it create the account if the SysOp has configured Windows to require something other than the default Admin password to create such accounts? What if the RDP function has been Disabled as a Service? Does the attack turn it back on? What if it needs a password in order to do that?
They tell you to look for unusual malicious traffic on your network as an indicator of the infection, but then fail to say what KIND of traffic. Are we talking specific protocols/ports to specific IP/URL's? Is this something that can be blocked via the Hosts file? By a properly configured router/firewall/nat layer?
The whole thing just smells of FUD. If I'm wrong then I'll admit it, but if I *am* then why haven't these guys given us any means by which to deflect the attack, mitigate it once it's infected, or how to clean it off if it has? Telling us that their AV product already protects us from it without telling us HOW makes me think "BULLSHIT!"
@ Shadow Systems
I totally agree, i guess this is how the researcher earns his money:
scare the world
provide enough detail to scare the purse string holders
ensure / claim your product can fix it ensuring you earn some money.
the same technique is used all over the place, climate research, insurance, health, nutritional supplements, fitness, car emission tests, cleaning products. the list is endless
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
