26 December 2010

Better lock up your ftp.exe

The current trend for trojans is a short, innocent-looking batch file that downloads a chain of the actual malware (much of it from .cn domains); then a fresh trojan breaks loose and your AV is just unable to detect it :D. Using ftp.exe (the command-line FTP client in C:\Windows\System32, which a batch file can drive non-interactively with ftp -s:script) as the downloader has become more prevalent, simply because ftp is part of Windows.

But we can still stop this downloader from running by applying a Deny (Execute) rule from the file's Security tab, not only for every type of user but also for SYSTEM (hopefully the virus won't reset the ACLs :s). Windows XP Home Edition users have no Security tab and must use the cacls.exe command-line tool to get the same effect. Renaming or deleting ftp.exe won't help, because that triggers Windows File Protection, which puts the protected system file straight back.
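The same lockdown as a script, added here as an example and not part of the original post. It assumes an elevated PowerShell prompt on Vista or later, where icacls.exe is in-box (XP Home users keep using cacls.exe as described above; its /D switch denies all access, not just execute). On Vista and later the System32 binaries are owned by TrustedInstaller and Administrators lack WRITE_DAC, so take ownership first with takeown.exe or the deny will fail with "Access is denied".

```powershell
# Added example (not from the original post): deny Execute on ftp.exe for
# Everyone and SYSTEM, then read the DACL back to confirm the deny ACEs exist.
# Assumptions: elevated prompt; Vista or later (icacls.exe present);
# ownership already taken on Vista+:  takeown /f <path>

$targets = @("$env:SystemRoot\System32\ftp.exe")
# 64-bit Windows also ships a 32-bit copy under SysWOW64; lock that one too,
# otherwise a 32-bit dropper simply uses it instead.
if (Test-Path "$env:SystemRoot\SysWOW64\ftp.exe") {
    $targets += "$env:SystemRoot\SysWOW64\ftp.exe"
}

function Deny-Execute {
    param([string]$Path)
    # (X) is execute/traverse only: the file stays readable (AV can still scan
    # it, and WFP/WRP is not triggered), but CreateProcess on it fails.
    icacls $Path /deny "Everyone:(X)" "NT AUTHORITY\SYSTEM:(X)" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed on $Path (take ownership first on Vista+)"
    }
}

function Test-ExecuteDenied {
    param([string]$Path, [string]$Principal)
    $executeBit = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $Principal -and
            ([int]($ace.FileSystemRights -band $executeBit)) -ne 0) {
            return $true
        }
    }
    return $false
}

foreach ($t in $targets) {
    Deny-Execute -Path $t
    foreach ($who in 'Everyone', 'NT AUTHORITY\SYSTEM') {
        "{0}: execute denied for {1} = {2}" -f $t, $who, (Test-ExecuteDenied -Path $t -Principal $who)
    }
}

# Undo later with:  icacls <path> /remove:d Everyone /remove:d "NT AUTHORITY\SYSTEM"
```

Deny ACEs are evaluated before allow ACEs, so the existing Read & Execute grants for Users and Administrators no longer matter. The check function is there because the deny is only as good as the DACL it sits in: anything running as an administrator can take ownership and strip it again, which is exactly the "hopefully the virus won't reset the ACLs" worry above.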

This of course assumes you rely only on the built-in Windows XP firewall, which a virus can easily disable.

There is another downloader that Windows itself uses intensively: BITS (bitsadmin.exe), but I haven't seen this tool being exploited.

Written after I almost lost the battle to the ali.exe trojan, a.k.a. qQ.

