On 22/03/13 01:01, Greg Freemyer wrote:
All,
This is a first for me. Per:
http://blogs.csoonline.com/malwarecybercrime/2628/symantecs-research-south-k...
There is a piece of Windows malware that looks for mRemote installs on Windows. If found, it looks for cached "root" credentials. If those are found, it uploads a script to wipe out /kernel, /usr, /etc, and /home.
I gather the key vulnerability is that mRemote stores the destination host and credentials in plaintext (or an easily decoded format).
If anyone has mRemote installed on a Windows box, I'm curious how the password is stored. The config info is at:
%UserProfile%\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml
FYI: the target of this attack was South Korea, but once malware code like this is made public, it starts to show up in other malware.
Greg
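The audit a practitioner would want after reading the above: walk a confCons.xml and list every saved connection that carries a stored password, with root/Administrator entries first, since those are the ones a harvester like the one described would go after. This is an added example, not code from the thread, from Symantec or from mRemote. The element and attribute names it reads (Connections/Node, Type="Connection", Username, Password, Hostname, Protocol) are an assumption about the confCons.xml layout, and the sample document is constructed for the demonstration; because the thread only establishes that the password is plaintext or easily decoded, the script does not try to decode anything and treats any non-empty Password attribute as an exposed credential.

```python
"""Audit an mRemote confCons.xml for saved credentials.

Added example; not part of the original thread or of mRemote.  The element and
attribute names (Connections/Node, Type="Connection", Username, Password,
Hostname, Protocol) are an assumption about the confCons.xml layout, and the
sample document below is constructed for the demonstration.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the assumed confCons.xml layout.  The Password values
# are placeholders: whether the real file holds plaintext or a reversible
# encoding, the audit treats any non-empty Password attribute as a stored
# credential and does not attempt to decode it.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<Connections Name="Connections" Export="False" ConfVersion="1.5">
  <Node Name="web01" Type="Connection" Hostname="10.0.0.5" Protocol="SSH2"
        Username="root" Domain="" Password="c3RvcmVkLXNlY3JldA==" />
  <Node Name="Lab" Type="Container">
    <Node Name="db01" Type="Connection" Hostname="10.0.0.9" Protocol="SSH2"
          Username="dba" Domain="" Password="YW5vdGhlci1zZWNyZXQ=" />
    <Node Name="jump" Type="Connection" Hostname="jump.example.test" Protocol="SSH2"
          Username="root" Domain="" Password="" />
  </Node>
  <Node Name="winfs" Type="Connection" Hostname="10.0.0.20" Protocol="RDP"
        Username="Administrator" Domain="CORP" Password="d2luLXNlY3JldA==" />
</Connections>
"""

# Account names treated as privileged; extend for local conventions.
PRIVILEGED_USERS = {"root", "administrator"}


def find_stored_credentials(xml_text):
    """Return one record per Connection node that has a non-empty Password.

    Container (folder) nodes are descended into.  The result is sorted so that
    privileged accounts come first, then by hostname.
    """
    root = ET.fromstring(xml_text)
    found = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        if not node.get("Password"):
            # Empty or absent Password: nothing cached for this host.
            continue
        user = node.get("Username", "")
        found.append({
            "name": node.get("Name", ""),
            "hostname": node.get("Hostname", ""),
            "protocol": node.get("Protocol", ""),
            "username": user,
            "privileged": user.lower() in PRIVILEGED_USERS,
        })
    found.sort(key=lambda r: (not r["privileged"], r["hostname"]))
    return found


def exposed_hosts(xml_text):
    """Hosts reachable with a saved privileged credential, i.e. the set a
    wiper that harvested this file could log into with full rights."""
    return sorted({r["hostname"] for r in find_stored_credentials(xml_text)
                   if r["privileged"]})


def audit_file(path):
    """Read a confCons.xml from disk (tolerating a UTF-8 BOM) and audit it."""
    with open(path, encoding="utf-8-sig") as fh:
        return find_stored_credentials(fh.read())


if __name__ == "__main__":
    # Default to the location quoted in the thread; a path argument overrides
    # it.  Falls back to the constructed sample when no file is present.
    default = r"%UserProfile%\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml"
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars(default)
    if os.path.exists(path):
        records = audit_file(path)
    else:
        records = find_stored_credentials(SAMPLE_CONFCONS)
    for r in records:
        flag = "PRIVILEGED" if r["privileged"] else "user"
        print(f"{flag:10} {r['protocol']:5} {r['username']}@{r['hostname']} ({r['name']})")
```

Run it with the path to a copied confCons.xml, or with no argument on a machine where the file exists at the quoted location. Any host that appears under PRIVILEGED is one where a cached root credential would let an attacker who reads the file run the kind of wipe the thread describes; the remediation is to remove the saved password for those entries (or stop caching passwords altogether) rather than to rely on the encoding.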
Repost this in offtopic, Greg, as not everybody there reads this HELP list.

BC
--
Using openSUSE 12.3 x86_64 with KDE 4.10.1 & kernel 3.8.3-1
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org