Botnets - The killer web applications

www.syngress.com
376
Chapter 10 • Using Sandbox Tools for Botnets
427_Botnet_10.qxd 1/9/07 3:06 PM Page 376


outgoing TCP connection and/or DNS requests as evidence of such an
update request. If you are lucky, the reloading of code or data is done via
HTTP or FTP. In that case the report would contain outputs like this:

remoteport="80" protocol="HTTP" connectionestablished="1" socket="2004">
remoteport="80" protocol="HTTP" connectionestablished="1" socket="2004">
remoteport="80" protocol="HTTP" connectionestablished="1" socket="2040">

As you can see, there are several .exe files downloaded from the same host,
194.187.45.55. In fact, for this particular malware (NOD32 calls it
Win32/TrojanDownloader.Adload.NAN Trojaner), a total of 10 (!) different .exe
files are reloaded. After the malware has downloaded them to the local disk,
they are executed:

showwindow="SW_MAXIMIZE" apifunction="CreateProcessW" successful="1"/>
showwindow="SW_MAXIMIZE" apifunction="CreateProcessW" successful="1"/>
showwindow="SW_MAXIMIZE" apifunction="CreateProcessW" successful="1"/>

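The correlation just described, established HTTP fetches from one host followed by CreateProcessW calls on the fetched .exe files, can be scripted over the sandbox report. The following Python triage script is an added example, not code from the book or from CWSandbox; it runs over a constructed report that mimics the attribute style of the excerpt. The element names connection and create_process and the remoteaddr and filename attributes are assumptions, so adjust them to the real report schema.

```python
# Added example (not from the book or CWSandbox): correlate web downloads with
# later process creation in a CWSandbox-style XML report.
# Assumptions: element names <connection>/<create_process> and the attributes
# remoteaddr/filename. Attributes remoteport, protocol, connectionestablished,
# socket, showwindow, apifunction and successful are the ones the excerpt shows.
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report, not a real capture.
SAMPLE_REPORT = """<analysis>
  <connection remoteaddr="194.187.45.55" remoteport="80" protocol="HTTP"
              connectionestablished="1" socket="2004"/>
  <connection remoteaddr="194.187.45.55" remoteport="80" protocol="HTTP"
              connectionestablished="1" socket="2004"/>
  <connection remoteaddr="194.187.45.55" remoteport="80" protocol="HTTP"
              connectionestablished="1" socket="2040"/>
  <connection remoteaddr="10.0.0.7" remoteport="6667" protocol="TCP"
              connectionestablished="0" socket="2052"/>
  <create_process filename="C:\\WINDOWS\\Temp\\a1.exe" showwindow="SW_MAXIMIZE"
                  apifunction="CreateProcessW" successful="1"/>
  <create_process filename="C:\\WINDOWS\\Temp\\a2.exe" showwindow="SW_MAXIMIZE"
                  apifunction="CreateProcessW" successful="1"/>
  <create_process filename="C:\\WINDOWS\\Temp\\a3.exe" showwindow="SW_MAXIMIZE"
                  apifunction="CreateProcessW" successful="0"/>
</analysis>"""

WEB_PROTOCOLS = {"HTTP", "FTP"}  # the "lucky" case the chapter mentions

def triage(report_xml):
    """Return per-host counts of established web fetches, the executables that
    were actually started, and a downloader verdict built from both."""
    root = ET.fromstring(report_xml)
    downloads = Counter()
    for c in root.iter("connection"):
        # Only established connections over a web protocol count as a fetch.
        if c.get("connectionestablished") == "1" and c.get("protocol") in WEB_PROTOCOLS:
            downloads[c.get("remoteaddr")] += 1
    # Failed CreateProcessW calls (successful="0") are ignored.
    executed = [p.get("filename") for p in root.iter("create_process")
                if p.get("apifunction") == "CreateProcessW" and p.get("successful") == "1"]
    # Downloader pattern: web fetches followed by execution of new .exe files.
    is_downloader = bool(downloads) and any(f.lower().endswith(".exe") for f in executed)
    return {"downloads": dict(downloads), "executed": executed, "downloader": is_downloader}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```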
Sometimes the malware does not use one of the standard Web protocols
to reload data. Then it is harder to determine the fact that something
executable or configuration data is retrieved. Again, the CWSandbox feature to
log all communication data will help in this case. In any event, you should use
the option STORE_CREATED_FILES, by which you will get a copy of