

#Photominer worm spreads via insecure ftp servers

#Crooks use worm to mine for the Monero crypto-currency
PhotoMiner is a worm that propagates with the help of vulnerable FTP servers, infects public Web pages, spreads to Windows computers and sets up a mining process for the Monero crypto-currency. Security firm GuardiCore discovered the worm this past January, when it also published a quick summary of its abilities. In the meantime, the company found that the worm was created in early December 2015 and received several updates after its January write-up. There are currently two different versions of PhotoMiner spreading over the Internet, but the company says that both function in the same way, with tiny differences.

#PhotoMiner features a multi-stage infection mechanism
The infection mechanism is a bit complex. The first stage requires the malware operator to find an insecure FTP server on which to unleash the worm. This is easy, since there are over 20.3 million servers with open FTP ports connected to the Internet, and GhostShell has shown Softpedia how easy it is to hack them. After PhotoMiner reaches an FTP server, it scans for public HTML folders, usually used for hosting Web pages, and alters the source code of the pages it finds there in order to deliver another copy of itself. PhotoMiner achieves this by embedding an iframe tag inside each page, with the source attribute set to "Photo.scr", hence the malware's name of Photo-Miner. At this point the iframe prompts the visitor with a popup asking whether to run the file; running it infects the visitor's computer with the PhotoMiner worm.

#PhotoMiner uses 2 processes to make sure it remains on infected hosts
PhotoMiner then starts two Windows processes: one mines the Monero crypto-currency, the other spreads the worm to nearby computers. If antivirus products detect the worm, they clean out only the worm process, while the Monero mining process, which has already gained boot persistence, remains on the infected computer. The worm process uses Windows tools such as ARP and NET VIEW to scan the local network for other computers, including other FTP servers. PhotoMiner uses brute-force attacks over SMB to infiltrate other machines, and then the WMI scripting utility to copy itself to the compromised workstations. At this point the infection process comes full circle, and PhotoMiner looks for other computers or for public HTML folders to spread again.

On infected hosts, PhotoMiner mines Monero through several different accounts on a mining service; these accounts are stored in a configuration file received from a C&C server.

"Infecting websites through unprotected FTP servers is a classic attack that seems to be gaining popularity once again. By creating an infection that is hard to disrupt, the writers of PhotoMiner have created a botnet that is undoubtedly here to stay," the GuardiCore team explains.

"A non-secure service facing the internet, such as an unprotected FTP server, is one of the most common ways attackers use to first penetrate an organization. Attackers currently using their botnet for mining may in the future use stolen credentials and infected machines to move laterally inside the data center and compromise the most valuable assets of the organization," the security firm also warned.

#WORM_PIZZER.SM spreads across password-protected archive files
A new malware detected as WORM_PIZZER.SM has recently been spotted creating copies of itself in archive files, specifically in ... Reminiscent of WORM_PROLACO, this worm can spread across password-protected archive files and bypass the archives' built-in security.

#What does WORM_PIZZER.SM do to an infected system?
WORM_PIZZER.SM can drop copies of itself in both unprotected and password-protected archive files. The worm can also download and execute malicious files ...

#How does WORM_PIZZER.SM spread across password-protected archive files?
To further understand the nature of WORM_PIZZER.SM, an infection scenario was replicated by creating a password-protected archive file where the worm ... Two clean sample files were dragged into the archive as well: ... and caloco.exe. For this test, the dropped malware holo.exe wasn't password-protected and was easily dragged into the archive file using a specific command line. Though protected by passwords, the two sample files ...
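Why a password-protected archive does not stop a dropper, shown on the ZIP format: ZIP encrypts the data of each entry separately and leaves the central directory (the list of entries and their flags) in plaintext, so anyone can append a new, unencrypted entry without knowing the password, and the archive still opens normally. The following is an added example, not code from the page, from Trend Micro, or from the worm; it builds a constructed sample archive (the names caloco.exe and holo.exe are taken from the test described in the WORM_PIZZER.SM section above, report.docx is made up, and the "encryption" is only the header flag, since the entry data is never read), appends an executable in plain append mode, and then audits the archive by reading only its central directory. The audit flags an unencrypted executable sitting inside an otherwise password-protected archive, which is exactly the mixed state the worm's test scenario produced.

```python
import io
import struct
import zipfile

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")

ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose flag field


def _mark_entries_encrypted(data: bytearray) -> None:
    """Set the 'encrypted' flag in every local file header and central-directory
    header. Used only to construct the sample: a real archiver would also encrypt
    the entry data, which the audit below never reads."""
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(signature)
        while pos != -1:
            flags = struct.unpack_from("<H", data, pos + flag_offset)[0]
            struct.pack_into("<H", data, pos + flag_offset, flags | ENCRYPTED_FLAG)
            pos = data.find(signature, pos + len(signature))


def build_sample_archive() -> bytes:
    """Construct an archive whose two original entries are marked password-protected,
    then append an unencrypted executable to it without any password. Append mode
    only rewrites the plaintext central directory, so no password is ever needed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.docx", b"clean document contents")
        zf.writestr("caloco.exe", b"clean program contents")
    data = bytearray(buf.getvalue())
    _mark_entries_encrypted(data)

    tampered = io.BytesIO(bytes(data))
    with zipfile.ZipFile(tampered, "a") as zf:  # append mode never asks for a password
        zf.writestr("holo.exe", b"placeholder bytes standing in for a dropped executable")
    return tampered.getvalue()


def audit_archive(archive_bytes: bytes) -> dict:
    """Read only the central directory (nothing is extracted or decrypted) and report
    unencrypted executables inside an archive that otherwise uses a password."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        entries = zf.infolist()
    encrypted = [e.filename for e in entries if e.flag_bits & ENCRYPTED_FLAG]
    plaintext = [e.filename for e in entries if not e.flag_bits & ENCRYPTED_FLAG]
    suspicious = []
    if encrypted:  # a mixed archive is the tell-tale; fully plaintext archives are normal
        suspicious = [n for n in plaintext if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    return {"encrypted": encrypted, "plaintext": plaintext, "suspicious": suspicious}


if __name__ == "__main__":
    print(audit_archive(build_sample_archive()))
```

The check is format-specific: RAR can optionally encrypt its file headers as well, in which case entry names are not visible without the password and this kind of directory audit is not possible. A mixed archive is a signal to hand the plaintext executable to a scanner, not proof of infection on its own.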
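The web-page injection stage of PhotoMiner described above (an iframe whose src points at Photo.scr, dropped into pages under a writable public HTML folder) is easy to hunt for on a server you suspect was reached over FTP. The following is an added example and not the page's, GuardiCore's, or the worm's code: it parses HTML with the standard library, flags iframes whose source is an executable file type or which are hidden, and walks a web root applying that check. The sample pages are constructed for the example; the only indicator taken from the page is the Photo.scr filename, and the hidden-iframe heuristic is an assumption about how such injections are usually made inconspicuous, not something the page states.

```python
import html.parser
import os

# File types a browser offers to download or run instead of rendering.
RISKY_SUFFIXES = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".hta", ".vbs", ".js")


class IframeCollector(html.parser.HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def find_suspicious_iframes(page_html):
    """Return (src, reason) pairs for iframes that load an executable or are hidden."""
    collector = IframeCollector()
    collector.feed(page_html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "").strip()
        path = src.split("?", 1)[0].split("#", 1)[0].lower()  # ignore query and fragment
        if path.endswith(RISKY_SUFFIXES):
            findings.append((src, "executable src"))
        elif _is_hidden(attrs):
            findings.append((src, "hidden iframe"))
    return findings


def scan_webroot(root):
    """Walk a web root (the folder an FTP account can write to) and report findings per file."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".html", ".htm", ".php")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits = find_suspicious_iframes(fh.read())
                if hits:
                    report[full] = hits
    return report


# Constructed sample pages; the injected one mimics the pattern described in the article.
CLEAN_PAGE = "<html><body><h1>Welcome</h1><iframe src='map.html'></iframe></body></html>"
INJECTED_PAGE = (
    "<html><body><h1>Welcome</h1>"
    "<iframe src=\"Photo.scr\" width=\"1\" height=\"1\"></iframe>"
    "<iframe src='/ads.html' style='display: none'></iframe>"
    "</body></html>"
)

if __name__ == "__main__":
    print(find_suspicious_iframes(INJECTED_PAGE))
```

Run scan_webroot against the document root that the FTP account can write to; a hit on a page you did not edit is a sign the FTP credentials or anonymous write access were abused, and the fix is to revoke write access to the web root, not just to remove the iframe.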
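The lateral-movement stage of PhotoMiner described above (SMB brute force from an infected host, followed by a WMI copy once a password works) leaves a very regular trace on the targets: a burst of failed network logons from one source address, trying many accounts, sometimes followed by a success from the same address. The following added example, not the page's or GuardiCore's code, implements that detection over constructed records shaped like Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 3 (network). The window and threshold values are assumptions to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records in the shape of Security events 4625 (failed logon) and 4624
# (successful logon). Logon type 3 is a network logon, which is what SMB
# authentication attempts produce on the target host.
SAMPLE_EVENTS = [
    {"time": "2016-06-01T10:00:00", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.23", "user": "administrator"},
    {"time": "2016-06-01T10:00:01", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.23", "user": "admin"},
    {"time": "2016-06-01T10:00:02", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.23", "user": "root"},
    {"time": "2016-06-01T10:00:03", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.23", "user": "backup"},
    {"time": "2016-06-01T10:00:04", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.23", "user": "sysadmin"},
    {"time": "2016-06-01T10:00:05", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.23", "user": "guest"},
    {"time": "2016-06-01T10:00:06", "event_id": 4624, "logon_type": 3, "ip": "10.0.0.23", "user": "backup"},
    {"time": "2016-06-01T10:03:00", "event_id": 4625, "logon_type": 3, "ip": "10.0.0.77", "user": "jsmith"},
    {"time": "2016-06-01T10:04:00", "event_id": 4625, "logon_type": 2, "ip": "-", "user": "jsmith"},
]


def detect_smb_bruteforce(events, window_seconds=60, threshold=5):
    """Return {source_ip: details} for every source with at least `threshold` failed
    network logons inside a sliding window of `window_seconds`. A later network logon
    success from a flagged source is recorded too: that is the moment a guessed
    password worked and a remote copy (WMI in PhotoMiner's case) can follow."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) for recent failures
    flagged = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] != 3:  # interactive or service logons are a different story
            continue
        ts = datetime.fromisoformat(e["time"])
        ip = e["ip"]
        if e["event_id"] == 4625:
            q = recent[ip]
            q.append((ts, e["user"]))
            while q and ts - q[0][0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "users": set(), "success_after": None})
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"].update(user for _, user in q)
        elif e["event_id"] == 4624 and ip in flagged:
            if flagged[ip]["success_after"] is None:
                flagged[ip]["success_after"] = e["user"]
    for entry in flagged.values():
        entry["users"] = sorted(entry["users"])
    return flagged


if __name__ == "__main__":
    for ip, details in detect_smb_bruteforce(SAMPLE_EVENTS).items():
        print(ip, details)
```

On a real host the same fields come from the Security log (the IpAddress, TargetUserName and LogonType values in the 4625 event data, for example via Get-WinEvent on the host or from forwarded logs). A flagged source that later succeeds is the machine to isolate first, since it is the one carrying the worm process.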
