Fortch
Da Mechanic
Posts: 3688

Age: 40
Loc: Redondo Beach, CA
Reg: Saturday June 29th 2002
Tuesday December 11th 2007 12:10 PM - Post#97483
eWeek:
This is how Finjan describes the workflow for Trojan 2.0:
1. The user's PC is infected with a Trojan 2.0 using known infection methods, such as iFrame or code obfuscation.
2. Attacker uses a private Command & Control server to relay commands to the Trojan infected PCs. For instance, collect passwords from user PC, collect financial reports or track online banking activities.
3. Command and Control 2.0 formats the data for the Trojan-infected PCs into a legitimate post to a public blog server.
4. Independently, a Web-based RSS aggregator service (such as Google Mash-up editor or Yahoo Pipes) notices the new post on the blog it's supposed to monitor, and updates itself.
5. Trojan-infected PCs are configured to grab the headlines of the public RSS feed generated by the aggregator, as customized by the attacker. Once the Trojans "see" the new post through the RSS aggregator, they parse the data in it, and execute according to the commands originally sent by the attacker.
6. The collected data is then posted back on Web 2.0 sites (for example, a blog service, MySpace.com or Googlepages) as legitimate content. The Web 2.0 site is acting as temporary storage for the stolen user data until collected by the criminal and deleted.
"...passwords are a lot like underwear, you don't leave them lying around or hanging on the corner of your computer monitor, you change them frequently, you don't swap them with your friends or strangers and get some new ones on a regular basis" --Lanwizard
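Added example, not from the post or from Finjan/eWeek: two proxy-log heuristics for the loop described in steps 4 to 6 (infected PCs polling a public aggregator feed on a schedule, then uploading to a blog host shortly after). The log format, the feed and blog host lists, and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse
# Constructed proxy log (not real data): epoch_seconds client_ip method url
SAMPLE_LOG = """\
1000 10.0.0.5 GET http://pipes.example/feed/abc.rss
1000 10.0.0.9 GET http://news.example/index.html
1600 10.0.0.5 GET http://pipes.example/feed/abc.rss
1660 10.0.0.5 POST http://blog.example/post
2200 10.0.0.5 GET http://pipes.example/feed/abc.rss
2800 10.0.0.5 GET http://pipes.example/feed/abc.rss
2900 10.0.0.9 GET http://pipes.example/feed/xyz.rss
3400 10.0.0.5 GET http://pipes.example/feed/abc.rss
3410 10.0.0.5 POST http://blog.example/post
7000 10.0.0.9 GET http://pipes.example/feed/xyz.rss
"""
FEED_HOSTS = {"pipes.example"}   # assumed public RSS aggregator hosts
BLOG_HOSTS = {"blog.example"}    # assumed public blog / Web 2.0 upload hosts

def parse(log):
    for line in log.splitlines():
        ts, host, method, url = line.split()
        yield int(ts), host, method, url

def feed_beacons(log, min_fetches=4, max_cv=0.25):
    """Clients fetching one feed URL at near-constant intervals (scheduled polling, step 5)."""
    times = defaultdict(list)
    for ts, host, method, url in parse(log):
        if method == "GET" and urlparse(url).hostname in FEED_HOSTS:
            times[(host, url)].append(ts)
    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_fetches:
            continue
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        cv = pstdev(gaps) / mean(gaps)   # low spread of polling gaps = timer-driven client
        if cv <= max_cv:
            hits[key] = round(mean(gaps))
    return hits

def exfil_after_poll(log, window=120):
    """POSTs to a blog host within `window` seconds of a feed fetch by the same client (step 6)."""
    last_fetch, out = {}, []
    for ts, host, method, url in parse(log):
        h = urlparse(url).hostname
        if method == "GET" and h in FEED_HOSTS:
            last_fetch[host] = ts
        elif method == "POST" and h in BLOG_HOSTS and host in last_fetch and ts - last_fetch[host] <= window:
            out.append((host, ts, url))
    return out
```

On the sample, only 10.0.0.5 polls abc.rss every 600 s and posts to the blog host right after two of the polls; 10.0.0.9 fetches a feed irregularly and is not flagged.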