ParetoLogic Blogs: Malware Diaries
Old 09-15-2009, 06:06 PM
Michael Michael is offline
Administrator
Spa site gets `rootkited`

I came across this spa's website today, which is hosting a rootkit.

The full URL is: www.landmarkspa.com/pdf/wq.exe

[screenshot: root1]

The file itself came up as clean as soap on VirusTotal:

[screenshot: VT0]

Upon running it though, the file immediately deleted itself and created a Service.

[screenshot: rootkit]

That service, or rootkit, is detected by a few AV Vendors:

[screenshot: vtrootkit]

Playing with the new (free) version of McAfee FileInsight:

[screenshot: padding]

The screenshot below shows the rootkit name and... a lot of padding... an easy way to bypass signature detection.

[screenshot: paddingzoom]

Jerome Segura

Malware ID: f535708ce6190267e16ee8e22d5d4917.zip
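The padding observation above is a useful triage signal in its own right. The following is an added example, not code from the original post or from ParetoLogic: it scans a file for long runs of one repeated byte (the shape padding normally takes) and reports how much of the file they cover, so a heavily padded sample can be flagged for a closer look even when hash or signature matches fail. The run length and ratio thresholds are assumptions chosen for illustration, and the sample input is constructed.

```python
# Added example: a padding heuristic for file triage. Not the post author's code.
import sys


def padding_runs(data: bytes, min_run: int = 256):
    """Return (offset, length, byte_value) for every run of a single repeated
    byte that is at least min_run bytes long, in file order."""
    runs = []
    i, n = 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i, data[i]))
        i = j
    return runs


def padding_ratio(data: bytes, min_run: int = 256) -> float:
    """Fraction of the file (0.0 .. 1.0) covered by long single-byte runs."""
    if not data:
        return 0.0
    covered = sum(length for _, length, _ in padding_runs(data, min_run))
    return covered / len(data)


def is_suspiciously_padded(data: bytes, min_run: int = 256,
                           threshold: float = 0.5) -> bool:
    """Assumed triage rule: flag when padding covers at least `threshold`."""
    return padding_ratio(data, min_run) >= threshold


# Constructed sample: a small "header", 256 distinct bytes, 4 KiB of nulls,
# 1 KiB of 0x90 filler, then a short trailer. It is not the sample from the post.
SAMPLE = b"MZ" + bytes(range(256)) + b"\x00" * 4096 + b"\x90" * 1024 + b"trailer"

if __name__ == "__main__":
    # Usage: python padding_check.py <file>; with no argument, uses SAMPLE.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, length, val in padding_runs(blob):
        print(f"run of 0x{val:02x} at offset {off}: {length} bytes")
    print(f"padding ratio: {padding_ratio(blob):.3f} "
          f"-> {'suspicious' if is_suspiciously_padded(blob) else 'ok'}")
```

A high ratio is a prompt for analyst review, not a verdict: installers and resource-heavy binaries can legitimately contain large zero-filled regions, so pair it with the other observations in the post (self-deletion, service creation).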