Last week, we had reports of a number of web sites being hacked and used to distribute malicious software. The web sites are spread through various countries including Brazil, Pakistan, the United Kingdom, France, and of course the United States.
At the moment, it is hard to tell how the servers were compromised. All of them seem to be running a variant of Linux with the well-known Apache web server. It is possible, although unlikely, that an unknown security vulnerability has been exploited to gain control of these servers. It is more likely that a configuration error such as a weak password allowed the attackers to access the servers.
The software that is downloaded and executed on the victim’s machine is detected as Win32/TrojanDropper.Agen by NOD32; some other vendors label it as Trojan.Win32.Agent.cyt. Once it gets executed, this Trojan copies itself to %system32%regscan.exe. To hinder analysis, the file includes virtual machine detection, which prevents it from executing inside a virtual environment. The Trojan communicates with a command and control server located in Florida. The command and control server uses the HTTP protocol and seems to be hosted on a legitimate server that has also been hacked.
As of today, the attacks are still ongoing. We strongly recommend applying security patches and using an up-to-date antivirus to be protected against this type of attack.
Author Pierre-Marc Bureau, ESET