Computer Associates warns of massive botnet attack

Sunday, June 5, 2005

Computer Associates are warning of a current three-pronged, co-ordinated malware attack on computers that are using Microsoft Windows and are connected to the Internet. The attack involves the use of three different Trojan horses called Glieder, Fantibag and Mitglieder. The goal is to create a botnet consisting of a large number of compromised computers. Access to this group of compromised machines will then be available on a black market, at prices as low as five cents per machine.

  • Win32.Glieder.AK: The first of the three, this Trojan horse attempts to de-activate an extensive list of security/antivirus related processes and services running on the target computer. It also attempts to lower security settings in order to facilitate easier access for subsequent Trojan horses.
  • Fantibag: This second Trojan horse creates filters on the target machine in order to prevent access to a large number of antivirus companies' Web sites. Thus, not only is the target computer now well and truly compromised, but an average Windows user will be completely unable to remove these violations of their system.
  • Mitglieder: Once the first two Trojan horses have largely eliminated any possibility that the target will be able to defend itself, this one finishes the job. It opens port 38884 and configures it to act as a SOCKS 4 proxy, but the compromised system can now also be commanded to do the following:
    • Changing the backdoor port number
    • Updating the trojan
    • Downloading and executing files
    • Uninstalling the trojan
    • Initiating an SMTP server on TCP port 25, which can be used to relay spam
    • Executing files on the infected computer
    • Downloading and executing files via a URL
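The behaviour described for Fantibag and Mitglieder above gives a defender two host-level indicators to check for: antivirus vendor sites being filtered locally, and unexpected listeners on the backdoor port (38884) and the spam-relay port (25). The following Python triage script is an added example, not code from Computer Associates or from the article; it runs over constructed sample data embedded inline. It assumes that Fantibag's "filters" take the form of redirected entries in the Windows hosts file (the article does not say how the filtering is implemented), and the vendor domain list is illustrative.

```python
"""Host triage for the indicators described in the article (added example,
not Computer Associates' tooling). Assumptions are marked below."""
import re

# Ports named in the article: Mitglieder's SOCKS 4 backdoor and its spam relay.
BACKDOOR_PORTS = {
    38884: "SOCKS 4 backdoor (Mitglieder default port)",
    25: "unexpected SMTP listener (possible spam relay)",
}

# Assumption: Fantibag's "filters" are implemented by redirecting antivirus
# vendor host names in the Windows hosts file; the article does not say how
# the filtering is done. The vendor list is illustrative, not from the article.
AV_DOMAINS = ("ca.com", "symantec.com", "mcafee.com", "sophos.com",
              "kaspersky.com", "trendmicro.com")

HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(\S+)")
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def hosts_redirects(hosts_text):
    """Return (hostname, ip) pairs for antivirus vendor host names that appear
    in the hosts file. A clean hosts file should not name these sites at all,
    so any mapping (typically to 127.0.0.1 or 0.0.0.0) is reported."""
    findings = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, name = m.group(1), m.group(2).lower()
        if any(name == d or name.endswith("." + d) for d in AV_DOMAINS):
            findings.append((name, ip))
    return findings


def suspicious_listeners(netstat_text, workstation=True):
    """Parse `netstat -ano`-style lines and flag TCP listeners on the ports the
    article names. On a workstation any SMTP listener is reported; on a mail
    server (workstation=False) port 25 is expected and only 38884 is flagged."""
    findings = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        port, pid = int(m.group(2)), int(m.group(3))
        if port == 38884 or (port == 25 and workstation):
            findings.append((port, pid, BACKDOOR_PORTS[port]))
    return findings


# Constructed sample input: a hosts file and netstat output as an infected
# machine might show them (not captured from a real system).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.ca.com          # redirect added by malware
127.0.0.1       liveupdate.symantec.com
0.0.0.0         download.mcafee.com
"""

SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:38884          0.0.0.0:0              LISTENING       1760
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1760
  TCP    192.168.1.5:1054       10.0.0.9:80            ESTABLISHED     2012
"""


def triage(hosts_text=SAMPLE_HOSTS, netstat_text=SAMPLE_NETSTAT):
    """Run both checks and return the findings as a dict."""
    return {"hosts_redirects": hosts_redirects(hosts_text),
            "listeners": suspicious_listeners(netstat_text)}


if __name__ == "__main__":
    for key, items in triage().items():
        print(key)
        for item in items:
            print("   ", item)
```

On a real machine the two inputs would come from `%SystemRoot%\System32\drivers\etc\hosts` and the output of `netstat -ano`; the PID attached to each flagged listener is what an analyst would carry into a process listing to identify the binary behind it. Because Mitglieder can be commanded to change the backdoor port, a missing 38884 listener does not clear the host; the hosts-file check and the process review remain necessary.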

It should be noted that these Trojan horses only affect the Microsoft Windows family of operating systems. No other operating systems (such as Linux and Apple's OS X) are vulnerable. In order to prevent infection, Windows users are advised to ensure that they have the latest operating system patches from Microsoft, that their chosen antivirus software is up to date, and that they are using firewall software where appropriate.