New Malware Puts Nasty Spin On Remote Control

Published: 22/11/2024   Category: security


Georbot Trojan steals remote-desktop configuration files to



Security researchers have discovered malware that scans PCs for remote-access or remote-desktop-configuration files, which indicates installed software that can be used to remotely control the computer. The malware, dubbed Georbot, then steals related credential files and transmits them to attackers, providing direct access to the machines using the built-in remote access tools.
The Georbot malware's capabilities were discovered in January by security researchers at antivirus firm ESET. "One of the analysts in our virus laboratories noticed that it was communicating with a domain belonging to the Georgian government [the country in southwestern Asia, not the U.S. state] in order to retrieve updates," according to a report that ESET released Wednesday. Notably, the malware connects with that server anytime it fails to connect to its designated command-and-control server.
ESET said that Georbot has been in circulation since at least September 2010, and had been updated at least 1,000 times. "It should also be noted that the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and, parallel to their own--still ongoing--monitoring, have cooperated with ESET on this matter," according to the report.
Other antivirus companies besides ESET had also spotted the malware, although none appeared to have taken a close look at what it was doing. Two months ago, however, ESET shared samples of Georbot with security companies, which has led to improved detection rates for the malware. Even so, the malware continues to be active, with ESET saying it saw the most recent variants launched Monday.
ESET said it's gained access to the botnet's control panel, allowing it to count the number of affected machines and their locations, as well as to deduce exactly which types of commands the information-stealing Trojan application can generate. For example, the malware can be used to record audio and video feeds from exploited PCs. ESET planned to detail those findings Wednesday in a meeting with the Georgian government. Until then, Pierre-Marc Bureau, a Montreal-based senior malware researcher at ESET, said in an interview that he wasn't prepared to speculate as to who might be behind the malware, or why certain people might have been targeted.
How common is this type of malware? "It's not the first time that I've seen it happen, but it's not as common as stealing credentials for FTP sites or website credentials," said Bureau, largely because those other types of credentials can be built into worms and used to launch automated attacks against large numbers of targets. "[Georbot] is something that wouldn't be used at a large scale, but in a more targeted attack," he said. If successful, however, such an attack would give an attacker full, remote access to the targeted PC.
By publishing its research into Georbot, however, won't ESET drive whoever's behind the botnet to make it go dark? "We hope so, yes," said Bureau. "We're continuing to monitor the situation, and we hope that by publishing this paper we help educate users, but if this can help some Internet providers to take on these servers, that will be a good ending."
Concern over attackers exploiting remote-control access tools on PCs has been growing, not just due to malware such as Georbot. Notably, proof-of-concept exploit code has already been published for a Remote Desktop Protocol vulnerability patched last week by Microsoft. Meanwhile, Symantec earlier this year warned pcAnywhere users to disable their installations, or else protect them with layered security, after discovering that in 2006 attackers had stolen the source code for the application, which they might be able to use to spot unknown, exploitable vulnerabilities.
Beyond hoping that antivirus scanners spot malware such as Georbot, or exploits targeting specific remote-access tools, what can businesses do to protect themselves?
"I don't think it makes sense for any company to have their remote-desktop services or pcAnywhere exposed directly to the Internet," said Bureau. "Multiple security layers should be applied, such as network filters to only allow access from specific locations, VPN for remote workers--or someone who needs to access internal data from an external location in an emergency--and also to secure your endpoints, and ensure they're patched. These are the standard procedures. I know it's easy to enumerate them, but harder to put them into practice."
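The layers Bureau lists, applied to a Windows host that runs Remote Desktop, as an added example that is not from the article or from ESET. The management subnet and VPN address pool are assumptions; replace them with your own ranges and run the script in an elevated PowerShell session.

```powershell
# Added example (not from the article or ESET): restrict Remote Desktop to known
# source networks, require NLA on the endpoint, and report the resulting state.
$AllowedSources = @('10.10.0.0/24', '192.168.100.0/24')   # assumed: admin LAN and VPN pool
$RuleName       = 'RDP from management only'

# 1. Network filter: only the listed sources may reach TCP/3389. The built-in
#    "Remote Desktop" rule group is disabled so it cannot re-open the port to any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $AllowedSources -Action Allow | Out-Null
}

# 2. Endpoint hardening: require Network Level Authentication, so a stolen .rdp
#    file alone does not yield a session; the client must authenticate first.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1

# 3. Check: is 3389 listening, and which sources does the active rule allow?
$listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
$rule     = Get-NetFirewallRule -DisplayName $RuleName
$scope    = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
[pscustomobject]@{
    RdpListening   = [bool]$listener
    RuleEnabled    = $rule.Enabled
    AllowedSources = ($scope -join ', ')
    NlaRequired    = ((Get-ItemProperty -Path $rdpKey).UserAuthentication -eq 1)
}
```

Keeping the endpoint patched, the remaining layer Bureau names, is handled by your update process rather than this script.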