news from the front line
Mar. 5th, 2010 05:31 pm

The most dangerous capability of this botnet is that arbitrary executable programs are downloaded and executed on command. This allows the bot master to infinitely extend the functionality of the malicious software beyond what is implemented during the initial compromise. In addition, the malware can be updated on command to a new variant of the binary, effectively reducing or eliminating the detection rates of traditional host detection methods.
reads like a detective novel, honestly, especially the parts about mutations and anti-debugging measures. The conclusion is impressive too:
A signature may soon come out for this code from your AV vendor, but by that time, a new piece of code may be written and downloaded that bypasses AV yet again.
Well, how do I stop this thing?
As IPs, ports, and domains involved in the command structure of Mariposa are changing, it becomes difficult for security administrators to mitigate the capabilities of this botnet. At this time we suggest an approach of tracking down the compromised systems rather than establishing rules to block the communication to the botnet controller.
UDP connections are still actively used for Mariposa communication, so observing your network activity is the best place to start. If one system is frequently sending data across the outbound UDP protocol, regardless of port, mark it as suspicious and consider removing it from the network. Your own remediation technique is up to you, but reimaging, though time consuming, is the only confident way to cleanse a compromised machine.
also: the many-thousand-reader blogger ebigdan, who recently overtook Lebedev in the popularity rating, is obviously posting links to infected sites strategically. Which raises the question of whether the botnet helped boost the rating.
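The quoted report's heuristic (flag a host that frequently sends outbound UDP, regardless of port) is easy to turn into a first-pass detector over flow records. The following is an added example, not code from the report or from this post: it runs over a constructed set of flow records (not real captures), and the 10.0.0.0/8 internal range, the allowlisted resolver and NTP addresses in 203.0.113.0/24, and the window/threshold values are all assumptions to be replaced with your own site's numbers. The allowlist is the practitioner's caveat the report glosses over: DNS and NTP are UDP too, so without it every healthy desktop also gets flagged.

```python
"""Flag internal hosts that burst outbound UDP to many destinations/ports.

Flow record format (constructed sample below, not real traffic):
    ts,src,dst,proto,dport,bytes
Thresholds and address ranges are assumptions, not values from the report.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Assumed site allowlist: the external resolver and NTP server this site uses.
# DNS and NTP are also UDP, so they must be excluded or everything looks bad.
ALLOWED_UDP_SERVERS = {("203.0.113.53", 53), ("203.0.113.123", 123)}


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(StringIO(text)):
        flows.append({
            "ts": int(row["ts"]), "src": row["src"], "dst": row["dst"],
            "proto": row["proto"].lower(), "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def suspicious_udp_senders(flows, window_s=60, min_flows=20, min_targets=5):
    """Return {src_ip: summary} for internal hosts that, within any window_s
    second window, originate >= min_flows outbound UDP flows to >= min_targets
    distinct (dst, port) pairs, ignoring allowlisted servers. The summary
    describes the busiest such window for that host."""
    per_src = defaultdict(list)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if ipaddress.ip_address(f["src"]) not in INTERNAL_NET:
            continue
        if ipaddress.ip_address(f["dst"]) in INTERNAL_NET:
            continue  # only outbound traffic is of interest here
        if (f["dst"], f["dport"]) in ALLOWED_UDP_SERVERS:
            continue
        per_src[f["src"]].append(f)

    flagged = {}
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f["ts"])
        best = None
        lo = 0
        for hi in range(len(fl)):  # sliding window over flow start times
            while fl[hi]["ts"] - fl[lo]["ts"] > window_s:
                lo += 1
            win = fl[lo:hi + 1]
            targets = {(f["dst"], f["dport"]) for f in win}
            if len(win) >= min_flows and len(targets) >= min_targets:
                if best is None or len(win) > best["flows"]:
                    best = {"flows": len(win), "targets": len(targets),
                            "ports": sorted({f["dport"] for f in win})}
        if best is not None:
            flagged[src] = best
    return flagged


def _constructed_sample():
    """Constructed flow records: one healthy desktop, one suspected bot."""
    lines = ["ts,src,dst,proto,dport,bytes"]
    # 10.0.1.5: routine DNS, one NTP sync, one TCP web session -> not flagged
    for i in range(10):
        lines.append(f"{1000 + i * 5},10.0.1.5,203.0.113.53,udp,53,70")
    lines.append("1020,10.0.1.5,203.0.113.123,udp,123,76")
    lines.append("1030,10.0.1.5,198.51.100.20,tcp,443,5120")
    # 10.0.1.77: 25 UDP flows in 25 seconds to 8 hosts on shifting ports
    for i in range(25):
        dst = f"198.51.100.{10 + i % 8}"
        port = 3000 + (i * 7) % 2000
        lines.append(f"{2000 + i},10.0.1.77,{dst},udp,{port},{200 + i}")
    return "\n".join(lines) + "\n"


SAMPLE_FLOWS = _constructed_sample()

if __name__ == "__main__":
    for host, summary in suspicious_udp_senders(parse_flows(SAMPLE_FLOWS)).items():
        print(host, summary)
```

Tune `window_s`, `min_flows` and `min_targets` against a day of your own flow data before acting on the output; the point of the allowlist and the distinct-target count is to separate a host talking to a moving set of controllers from one that simply resolves a lot of names.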