Taxonomy Archive

Trojan

  • 9 months, 3 weeks ago

    How To Disabled and Removed Microsoft Windows MobSync - Trojan RootKit

    Posted by Nick B

    mobsync.exeMobSync is a Microsoft Mobile Synchronization Manager available in Win 2000 & Windows XP

    Excerpt from Microsoft KB 314512 Articles (2002)

    The Windows XP Synchronization Manager helps ensure that the files and folders on your mobile device and your desktop computer stay synchronized. With Synchronization Manager, you can be sure you are always working with the latest copy of your data, online or offline.

    Technically MobSync is part of Windows Memory Management, its prefetch (type of cache) your External Device Contents (Mobile PC, Windows Embed XPE, PDA,database etc .. ) thus helps speed up the Windows booting process by shortening the time external device programs takes to start up.

    MobSync Issue

    MobSync is registered to run on logon but the process is hidden on others ‘Scans Tools’ like Autoruns.exe & Process.exe (SysInternal).

    QuickFact:

    • MobSync.exe can record inputs.
    • Its hide itself from monitor applications.

    Apparently because of its transparencies nature to hide behind windows systems some hackers decide to reverse engineer this programs as a Trojan Rootkit. [...]

    Tags:

    Filed under Security & vulnerability.

    • December 24, 2007 at 8:07 pm
    • December 29, 2007 at 12:39 am
    • 0.3
    • url
  • 9 months, 3 weeks ago

    Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan

    Posted by Noah Ark

    cat ownedFor this past three days this blog is suffering DOS attack . The attack is still alive now I don’t think they will leave yet.

    I cant banned this bot directly as they were sending forge packet (packet spoofing) as googlebot http://www.whois-search.com/whois/64.233.166.136. Im still looking for the right ISP.

    OrgName:    Google Inc.
OrgID:      GOGL
Address:    1600 Amphitheatre Parkway
City:       Mountain View
StateProv:  CA
PostalCode: 94043
Country:    US

    At the time being I blocked all remote streams from their random host *.com and “perl bot signature” but blocking will not stop them from hammering this site. I’ll be sending 503 (Service Unavailable) on certain request so if you are having problem accessing this site please check back later.

    Type of injections

    There is lot uri parameter in my logs (I will disabled server logs - limit resources) they probably has a large inventories check-lists of known CMS vulnerabilities. I can only confirm that its a blackhat seo spams bot as they request uri include the typical order.php page.

    Tags:

    Filed under Security & injection.

    • December 21, 2007 at 10:48 pm
    • February 16, 2008 at 3:05 am
    • 0.3
    • url
MySQL query error