Gov't-targeting malware traced to Philippine servers
The Philippines was one of at least 33 countries whose computers were infected by a new malware possibly targeting government and diplomatic facilities, a security vendor said Friday.
A Trend Micro blog post said some of the 800-plus systems infected by modified versions of the Enfal malware, which was involved in the earlier LURID attacks, were in the Philippines.
"We recently uncovered several attacks that used a modified version of Enfal, which have compromised 874 systems in 33 countries. Enfal was the malware used in the LURID targeted attacks, which we documented last September 2011," it said.
It said the Enfal malware was also linked to attacks going back to 2006 and possibly even 2002.
Enfal variants are known to communicate with specific servers that give potential attackers access to, and even full control of, infected systems, Trend Micro noted.
An earlier article on Softpedia.com in September 2011 said the LURID attack had victimized "diplomatic missions, government ministries, space-related government agencies and other important companies and research institutions."
Such victims "clearly owned something they didn't want to share," Softpedia.com said.
In the latest attack, Trend Micro investigated five command-and-control (C&C) servers related to these attacks and found that there were victim concentrations in Vietnam, Russia and Mongolia.
These identified targeted victims can be categorized as:
- Government Ministries and Agencies
- Military and Defense contractors
- Nuclear and Energy sectors
- Space and Aviation
- Tibetan community
The top five countries connecting to each of the five C&C servers were:
First C&C server:
- Vietnam, 394
- Russia, 34
- India, 19
- China, 14
- Bangladesh, 11
Second C&C server:
- Russia, 85
- Mongolia, 65
- Kazakhstan, 32
- United States, 19
- India, 14
Third C&C server:
- Mongolia, 41
- Russia, 14
- China, 11
- Philippines, 6
- India, 5
Fourth C&C server:
- Mongolia, 42
- Russia, 25
- Philippines, 5
- China, 4
- Brazil, 2
Fifth C&C server:
- Russia, 36
- Kazakhstan, 2
- Pakistan, 1
"Note that a single compromised system may connect to more than one server," Trend Micro said.
It added it is notifying compromised parties via appropriate channels. — TJD, GMA News
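The per-server victim tallies above come from analysing connection logs to the C&C servers, and Trend Micro's caveat that one compromised system may reach more than one server matters when those tallies are added up. The following is an added example of that aggregation step, written for this page and not code from Trend Micro or GMA News. The log format, host identifiers, country codes and `cnc-N.example.invalid` server names are all constructed placeholders; it counts distinct victim hosts per server and country, ranks the top countries per server, and shows why the per-server sums overstate the true number of victims.

```python
"""Aggregate C&C beacon telemetry per server (added example, constructed data).

Each record is (victim host, country code, C&C server). Hosts are counted once
per server and country, so repeated beacons do not inflate the numbers, and a
separate overall count shows the double-counting that occurs when one host
talks to several servers.
"""
import re
from collections import defaultdict

# Constructed sample log: the fields and server names are invented placeholders.
# host-0002 beacons to two servers; host-0005 beacons twice to the same server;
# the last line is malformed and must be skipped.
SAMPLE_LOG = """\
2012-03-23T10:00:01Z src=host-0001 cc=VN dst=cnc-1.example.invalid
2012-03-23T10:00:05Z src=host-0002 cc=VN dst=cnc-1.example.invalid
2012-03-23T10:00:09Z src=host-0002 cc=VN dst=cnc-2.example.invalid
2012-03-23T10:01:00Z src=host-0003 cc=RU dst=cnc-2.example.invalid
2012-03-23T10:01:30Z src=host-0004 cc=MN dst=cnc-2.example.invalid
2012-03-23T10:02:00Z src=host-0005 cc=PH dst=cnc-3.example.invalid
2012-03-23T10:07:00Z src=host-0005 cc=PH dst=cnc-3.example.invalid
2012-03-23T10:08:00Z src=host-0006 cc=RU dst=cnc-3.example.invalid
2012-03-23T10:09:00Z src=host-0001 cc=VN dst=cnc-1.example.invalid
this line is malformed and should be ignored
"""

# Pattern for the constructed "src= cc= dst=" layout used above.
BEACON_RE = re.compile(
    r"src=(?P<host>\S+)\s+cc=(?P<cc>[A-Z]{2})\s+dst=(?P<server>\S+)"
)


def parse_beacons(text):
    """Return a list of (host, country, server) tuples, skipping unparsable lines."""
    records = []
    for line in text.splitlines():
        match = BEACON_RE.search(line)
        if match:
            records.append((match["host"], match["cc"], match["server"]))
    return records


def hosts_per_server(records):
    """Build server -> country -> set of distinct victim hosts."""
    table = defaultdict(lambda: defaultdict(set))
    for host, cc, server in records:
        table[server][cc].add(host)
    return table


def top_countries(records, n=5):
    """Rank countries per server by distinct victim hosts (ties broken by code)."""
    ranking = {}
    for server, by_cc in hosts_per_server(records).items():
        ranked = sorted(
            ((cc, len(hosts)) for cc, hosts in by_cc.items()),
            key=lambda item: (-item[1], item[0]),
        )
        ranking[server] = ranked[:n]
    return ranking


def victim_counts(records):
    """Return (sum of per-server distinct hosts, distinct hosts overall).

    The first number is what you get by adding up the per-server tables; the
    second is the real victim count, which is lower whenever a host reaches
    more than one server.
    """
    table = hosts_per_server(records)
    per_server_sum = sum(
        len(hosts) for by_cc in table.values() for hosts in by_cc.values()
    )
    overall = len({host for host, _, _ in records})
    return per_server_sum, overall


if __name__ == "__main__":
    beacons = parse_beacons(SAMPLE_LOG)
    for server, ranked in sorted(top_countries(beacons).items()):
        print(server)
        for cc, count in ranked:
            print(f"  {cc}, {count}")
    summed, distinct = victim_counts(beacons)
    print(f"sum of per-server counts: {summed}, distinct victims: {distinct}")
```

On the constructed log the per-server sums add to 7 while only 6 distinct hosts exist, which is the effect Trend Micro's note describes; on real telemetry the same distinct-host count across all servers is the figure to report as the number of compromised systems.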