Read the full post at darknet.org.uk
Contributor: Roberto Sponchioni
Symantec Security Response has recently come across a new remote access tool (RAT) called Alusinus, which we detect as Backdoor.Alusins. The program was intended for the Spanish-speaking underground, and the builder itself is rather straightforward, with several standard functions, although one function is interesting and worth noting. The builder allows the RAT to inject itself into a clean process, such as calc.exe, svchost.exe, or notepad.exe, in order to improve its chances of evading detection.
Figure 1. Backdoor.Alusins control panel – user name/computer name, AV and firewall information are reported back to attacker
Real time desktop monitoring
Backdoor.Alusins allows an attacker to view the victim’s desktop and monitor user activity in real time.
Figure 2. Desktop view of compromised computer
It can also monitor and capture real time webcam activity.
Figure 3. Webcam session
Backdoor.Alusins also has the ability to monitor keystrokes on a compromised computer in real time in order to steal information, such as login credentials.
Figure 4. Keylogger
The RAT allows an attacker to communicate directly with the victim by using a series of customizable system error messages. This messaging feature has the potential for great mischief or remote harassment. The attacker could, at any time, send annoying messages or popups to the victim while observing the user’s reactions through the webcam. It’s possible that whoever created this tool had online interactive scams in mind when creating this feature.
Figure 5. Custom error messages that can be displayed on compromised computer
Additionally, Backdoor.Alusins allows an attacker to perform the following actions on a compromised computer:
- Monitor processes
- Open Web pages
- Open and close the optical drive
- End sessions
- View installed programs
- View all services
- Download and execute files
- Connect to a remote host to receive commands
- View the Windows registry
- Retrieve the type and version of installed firewall
- Retrieve the type and version of installed antivirus software
- Exfiltrate system information such as computer name, user name, IP address, operating system version, and language
- Retrieve a list of processes (PID and associated process name)
- Send emails using specified user names and passwords
- Steal user names and passwords for Pidgin and FileZilla
- View or end system processes
This threat is a low prevalence remote access tool that is targeted at, but not limited to, the Spanish hacker base. Symantec detects the back door builder and the back door as Backdoor.Alusins.
To stay protected against this remote access tool and other threats, it is essential that users keep their antivirus definitions, operating system, and software up to date.
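As an added example (not Symantec's code, and nothing taken from the RAT itself), the following Python triage script applies two defender heuristics to the injection behaviour noted at the top of this post: a calc.exe or notepad.exe that holds a network connection, or an svchost.exe not started by services.exe, is flagged for a closer look. The field names, the process snapshot and the 203.0.113.10 address are constructed for illustration.

```python
"""Triage helper for the 'inject into a clean process' trick: flags user
applications that should never talk to the network and svchost.exe
instances with an unexpected parent. The Proc fields and the sample
snapshot below are assumptions made for this example."""
from dataclasses import dataclass, field

# Injection hosts named in the write-up. calc.exe and notepad.exe have no
# business holding network connections; svchost.exe does, but a legitimate
# instance is launched only by services.exe.
USER_APPS_NO_NETWORK = {"calc.exe", "notepad.exe"}
SVCHOST_EXPECTED_PARENT = "services.exe"


@dataclass
class Proc:
    pid: int
    name: str
    parent_name: str
    remote_endpoints: list = field(default_factory=list)  # (ip, port) tuples


def suspicious_hosts(snapshot):
    """Return (pid, name, reason) for every process matching a heuristic."""
    hits = []
    for p in snapshot:
        name = p.name.lower()
        if name in USER_APPS_NO_NETWORK and p.remote_endpoints:
            hits.append((p.pid, p.name,
                         f"unexpected network connection to {p.remote_endpoints}"))
        elif name == "svchost.exe" and p.parent_name.lower() != SVCHOST_EXPECTED_PARENT:
            hits.append((p.pid, p.name,
                         f"parent is {p.parent_name}, expected {SVCHOST_EXPECTED_PARENT}"))
    return hits


# Constructed snapshot: a benign calc.exe, an injected calc.exe beaconing to a
# placeholder address, a normal svchost.exe, and one spawned by explorer.exe.
SAMPLE_SNAPSHOT = [
    Proc(1204, "calc.exe", "explorer.exe"),
    Proc(3360, "calc.exe", "explorer.exe", [("203.0.113.10", 4444)]),
    Proc(812, "svchost.exe", "services.exe", [("10.0.0.5", 135)]),
    Proc(4120, "svchost.exe", "explorer.exe", [("203.0.113.10", 4444)]),
    Proc(2256, "notepad.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for pid, name, reason in suspicious_hosts(SAMPLE_SNAPSHOT):
        print(f"PID {pid} {name}: {reason}")
```

On a live host the snapshot would be built from the process list and active TCP connections; the heuristics are a starting point for triage, not proof of infection.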
Some users of Kim Dotcom's Mega storage system are in a lather about a new browser extension that extracts their master encryption key from computer memory and displays it in a window. While the recently unveiled MEGApwn bookmarklet works as advertised, the general weakness it highlights is common across a variety of similar services, including Apple's iCloud. As such, the uproar in response to the hyperbolically named MEGApwn is largely an overreaction.
"Any warrant or subpoena issued to Mega for your files simply has to ask for your master key, which Mega can retrieve, and prohibit Mega from telling you about it," Koziarski's webpage warned. He went on to cite a case from 2007 in which encrypted e-mail provider Hushmail turned over 12 CDs' worth of e-mails from three account users named in a Canadian court order that targeted illegal steroids distribution. According to Wired, the evidence was most likely decrypted by exploiting a vulnerability that allowed operators to log the users' plain-text password when they accessed the service.