Attacker mocks victims, says Symantec

Stephen Withers
Monday, 26 February 2007 09:50

Your IT - Home IT

An attacker posing as a representative of a hosting or collocation company is trying to fool people into installing a remote administration tool on their servers, according to Symantec's Security Response Weblog.

Presented as "a security guard script" provided as part of the maintenance package, it is an encoded version of the NSTView admin program.

The script also sends a notification email to the attacker containing the IP address of the system (in encoded form) it is running on. Adding insult to injury, the script identifies the sender as "L4M3r" ("lamer").

Presumably as a precaution against the destination email address being shut down, the script also opens an HTML page which contains a hidden reference to a certain server. By checking the logs of that system, the attacker can identify sites that have requested pages from that server and that must therefore be running the script.

In other news, Symantec has identified a Trojan dubbed Pirlames masquerading as a Japanese screensaver and spreading via the Winny filesharing network. It overwrites files that have .TXT, .JPG, .ZIP extensions or no extension at all with manga-style images.

According to Symantec, this Trojan was created with the P2P-Destroyer Pro tool.