Friday, November 2, 2007

More On Malware - Trojan.Bayrob

Wow, this is a really worrisome, sophisticated, targeted and (I think) effective attack: Trojan.Bayrob Strikes Again! A mix of social engineering and advanced malware.

6 comments:

Sergey Soldatov said...

If you asked me what can be done, I would answer - digitally sign every page (this is for the site developer) and check the signature before making a decision (this is for the site user).

Amiran Alavidze said...

This won't work - if you ran the trojan, it has full access to your computer with rights of current user.

Sergey Soldatov said...

Yes, I know that it's like a cat-and-mouse game, but in this case (every page is signed and the signature is available on each page, for example, at the bottom) the Trojan has to forge the signature checker's output. This is difficult if you have a number of means to check the signature. Remember that you can check a signature not only with special software but also by putting it into an online web form, etc.

I think my proposal is better than doing nothing, and it can reduce the probability of getting circumvented by this Trojan. BTW, you can even get to know that you're infected!

Amiran Alavidze said...

Very funny.
1) What if the trojan just removes the signature? What would the average user do?
2) Can you imagine manually checking the signature for _every_ web page you visit? I won't do that, would you?

It seems like you are trying to propose a solution for the case when your computer is already infected with the trojan. I think in this case it is more efficient not to let the trojan infect the computer in the first place.

Sergey Soldatov said...

I think in this case it is more efficient not to let the trojan infect the computer in the first place

Of course it is! But I'm trying to use a layered approach. It's obvious that nobody wants to be infected, and if you know that you're infected you'll try to cure the computer first of all. You'll continue to use eBay (or whatever) ONLY if you don't know that you're in trouble. So, this Trojan will not work if you realize that you're infected.
If you visit a site without signatures and know that they should be there, you'll understand that you're infected - and that's all you need - go and clean yourself first :-)!

Sergey Soldatov said...

Here are recommendations on how to withstand this:
http://www.symantec.com/enterprise/security_response/weblog/2007/11/how_to_buy_a_fake_jeep_trojanb.html