83,427 machines infected by Necurs Rootkit in November

Posted by Rhea Ahuja on December 11, 2012 · 3 Comments 

The common thing among rootkits is that they can hide themselves from detection. Rootkit stops security applications from functioning and hence cannot be detected.

It is also capable of downloading additional malware from outside.

Microsoft list this as Trojan:Win32/Necurs.

 Now this is how  the attackers  maintain a remote access to a machine, and this way  monitor activity, send spam or install scareware.

Trojan:Win32/Necurs is a family of malware.  It works together to download additional malware and enables backdoor access and control of your computer. The malware can be installed on its own or alongside rogue security software, such as Rogue:Win32/Winwebsec.

                                                                              

The malware downloads itself into the folder “%windir%\Installer\“, where is a unique number that identifies your computer, for example “%windir%\Installer\{df3d9e18-342c-8c07-8dab-13e76d8b4322}”.

 Some variants of   ” Trojan:Win32/Necurs “”  can inject code into all running processes. The injected code is known as a “dead byte”

certain system processes will cause your computer to restart if they are injected with this code.

Strong anti-security features are provided by the Necurs driver. The driver has a very clear goal: protecting every Necurs component from being removed.

This example shows that malicious software is growing more sophisticated and is starting to include various components that serve individual purposes. These threats may target various versions of operating systems or even different software platforms

Filed under Security News · Tagged with Installation (computer programs), Linux, Malware, Microsoft, Necurs, Remote access, Rogue security software, Rootkit