PhotoMiner features a multi-stage infection mechanism There are currently two different versions of PhotoMiner spreading over the Internet, but the company says that both function in the same way, with tiny differences. The infection mechanism is a bit complex. The first stage requires the malware coder to find an infected FTP server to unleash his worm. This is easy since there are over 20.3 million servers with open FTP ports connected to the Internet, and GhostShell has shown Softpedia how easy is to hack them.Īfter PhotoWorm reaches an FTP server, it will scan for public HTML folders, usually used for hosting Web pages. The worm alters the source code of these pages in order to deliver another copy of itself. #Photominer worm spreads via insecure ftp servers code PhotoMiner achieves this by embedding an iframe tag inside each page, with the source attribute set to "Photo.scr", hence the malware's name of Photo-Miner.Īt this point, the iframe prompts the user with a popup, asking if he wants to run the file. PhotoMiner uses 2 processes to make sure it remains on infected hosts Running the file infects him with the PhotoMiner worm. PhotoMiner will now start two Windows processes. One is for mining Monero crypto-currency, and the second is for spreading itself to nearby computers. If antivirus products detect the worm, they clean out only the worm process, while the Monero mining process remains on the infected computer after previously gaining boot persistence. The worm process uses Windows tools such as ARP and NET VIEW to scan the local network for other computers, including other FTP servers. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |