By Eduard Kovacs on October 31, 2014
Researchers have uncovered a remote administration tool (RAT) that uses a novel technique to stay persistent on infected systems and avoid detection.
The RAT, dubbed "COMpfun," has been analyzed by experts from G DATA Software's SecurityLabs. When it comes to functionality, the malware is not out of the ordinary. It can be used to log keystrokes, take screenshots, download and upload files, execute code, and for other specific tasks.
The threat can run on both 32 and 64-bit versions of Microsoft Windows (up to Windows 😎, and it relies on HTTPS and RSA encryption to communicate with its command and control (C&C) server.
What makes COMpfun interesting is the fact that it injects itself into the processes running on compromised systems by hijacking legitimate Component Object Model (COM) objects.
COM allows developers to manipulate and control the objects of other applications. Each of these objects has a unique identifier called CLSID.
When it's installed on a system, the RAT creates two files, after which it creates two registry entries to define COM objects with the CLSIDs {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} and {BCDE0395-E52F-467C-8E3D-C4579291692E}. These IDs are already assigned to two Microsoft libraries that are used by several applications, including the Web browser. However, by defining objects with the same CLSIDs, the originals are replaced with the new ones.
Full Article
Be the first to reply!
Reply
Login to the community
No account yet? Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.