Saturday, April 3, 2010

McAfee: Aurora files report contained amateur botnet files

Well... Maybe they did contain some other files. Here's the link to the article: http://bit.ly/amk2EE.
They are saying that:
"McAfee included four filenames in its original Aurora research that it now says are associated with the Vietnamese botnet: jucheck.exe, zf32.dll, AdobeUpdateManager.exe and msconfig32.sys."

But are they not related? Well... you just need to believe them, don't you?
I don't know about the rest of the files, but I know about msconfig32.sys. It was really, really hard to get my hands on this one. If it were a regular botnet file, I would have gotten it much faster.
And when I searched for it, I did find some malware with the same name, but it wasn't the binary :).
Also, I have other proof that relates msconfig32.sys to another file, which means both used the same method in the attack. I cannot disclose any more details now.

msconfig32.sys is a tricky name, and that's what got McAfee's eyes wrong (in my opinion). Well, there were viruses with the same name (which was a real driver, BTW) and viruses named msconfig32.exe. They all used a tricky name meant to sound like a system name: msconfig.exe (which is also the tool for disabling start-up programs [from the registry] or viewing services that carry no Microsoft signature). It's like calling a trojan svchost32.exe.

It's a bad name for a trojan. But that's what was used in the attack. So saying that it was a regular botnet file would just be weird (wait for my future post :) ). Yes, of course some malware used the name msconfig32.sys (as a real driver this time) at some point in history; that doesn't mean they are related.
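The naming trick described above (msconfig32.sys or svchost32.exe posing as msconfig.exe or svchost.exe) can be turned into a simple file-name check. The Python below is an added example written for this page, not code from this post or from McAfee's report; the list of system binaries, the expected directories, the decoy suffixes and the sample paths are all constructed assumptions for illustration, not data from any Aurora analysis. It flags four kinds of decoy: a system name with the wrong extension, a system name outside its system directory, a system name with a number or "svc" tacked on, and a name one typo away from a system name.

```python
"""Flag file names that masquerade as Windows system binaries (added example)."""

# Constructed reference set (assumption): stems of common Windows system
# binaries and the extension each is expected to carry.
KNOWN_SYSTEM_BINARIES = {
    "msconfig": "exe",
    "svchost": "exe",
    "lsass": "exe",
    "csrss": "exe",
    "explorer": "exe",
}

# Directories where the binaries above are expected to live (assumption).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")

# Suffixes malware commonly appends to a system name; "_svc" precedes "svc"
# so the longer suffix is tried first (assumption for this example).
DECOY_SUFFIXES = ("32", "64", "x", "_svc", "svc")


def _split(path):
    """Return (directory, stem, extension), all lower-cased, for a Windows path."""
    norm = path.replace("/", "\\").lower()
    directory, _, base = norm.rpartition("\\")
    stem, _, ext = base.rpartition(".")
    if not stem:  # no dot in the name: the whole base is the stem
        stem, ext = base, ""
    return directory, stem, ext


def _edit_distance_le1(a, b):
    """True if a and b differ by one substitution, one adjacent transposition,
    or one insertion/deletion (catches svch0st, scvhost, svchosst)."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    if len(a) > len(b):
        a, b = b, a  # make a the shorter string
    return any(b[:i] + b[i + 1:] == a for i in range(len(b)))


def classify(path):
    """Return a short reason if the name looks like a system-binary decoy, else None."""
    directory, stem, ext = _split(path)
    if stem in KNOWN_SYSTEM_BINARIES:
        expected_ext = KNOWN_SYSTEM_BINARIES[stem]
        if ext != expected_ext:
            return f"system name {stem!r} with unexpected extension .{ext}"
        if directory not in SYSTEM_DIRS:
            return f"{stem}.{ext} outside its system directory ({directory})"
        return None
    for suffix in DECOY_SUFFIXES:
        base = stem[: -len(suffix)] if stem.endswith(suffix) else ""
        if base in KNOWN_SYSTEM_BINARIES:
            return f"{stem}.{ext} imitates {base}.{KNOWN_SYSTEM_BINARIES[base]} (suffix {suffix!r})"
    for known, known_ext in KNOWN_SYSTEM_BINARIES.items():
        if _edit_distance_le1(stem, known):
            return f"{stem}.{ext} is one edit away from {known}.{known_ext}"
    return None


# Constructed sample paths (not from any real incident).
SAMPLE_PATHS = [
    r"C:\Windows\System32\msconfig.exe",                 # legitimate
    r"C:\Windows\System32\drivers\msconfig32.sys",       # "32" suffix decoy
    r"C:\Users\bob\AppData\Local\Temp\svchost32.exe",    # "32" suffix decoy
    r"C:\Windows\Temp\svchost.exe",                      # right name, wrong directory
    r"C:\Windows\System32\scvhost.exe",                  # transposed letters
    r"C:\Windows\System32\svchost.exe",                  # legitimate
]


def scan(paths=SAMPLE_PATHS):
    """Map each path to its decoy reason (or None)."""
    return {p: classify(p) for p in paths}


if __name__ == "__main__":
    for path, reason in scan().items():
        print(f"{'SUSPECT' if reason else 'ok     '} {path}  {reason or ''}")
```

The check deliberately keys on the name alone, which is also its limit: a real driver legitimately named msconfig32.sys would be flagged too, so in practice this is a triage filter to pair with signature and path checks, not a verdict.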

I cannot post any more details about my new leads currently, so I'd better shut up now.

Cheers!
