Malware researchers at Trend Micro have analyzed a malware sample that connects to home routers, scans the home network, sends the gathered information to a command-and-control (C&C) server, and then deletes itself.
TROJ_VICEPASS.A pretends to be an Adobe Flash update. Once run, it attempts to log in to the home router's admin console using a predefined list of user names and passwords. If it succeeds, the malware scans the network for connected devices.
The malware scans for devices over HTTP. The target range is hard-coded: 192.168.[0-6].0 through 192.168.[0-6].11, i.e. the first twelve addresses of each of the 192.168.0.0/24 to 192.168.6.0/24 subnets, which is where the router and the first few hosts sit on most consumer networks.
Once the scan finishes, the malware Base64-encodes the result and then encrypts it with a home-grown encryption routine. The encrypted result is sent to a C&C server over HTTP.
After sending the results to the C&C server, it deletes itself from the victim's computer. It uses the following command to do so (the single ping with a 3000 ms timeout is only a delay so that the malware process has exited before Del runs; %s is filled in with the path of the malware's own executable):
- cmd.exe /C ping 184.108.40.206 -n 1 -w 3000 > Nul & Del %s
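Two detection checks a defender can run over existing telemetry follow, as an added example written for this diary rather than code from Trend Micro or the ISC. The first flags any host that makes HTTP connections to many distinct addresses inside the hard-coded 192.168.[0-6].0-11 range within a short window, which is the scanning behaviour described above; the second matches the ping-delay self-delete idiom in process-creation command lines. The log line format (`timestamp src dst dport proto`), the sample log lines, the thresholds and the sample command line are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, IPv4Address

# Hard-coded target range reported for TROJ_VICEPASS.A: 192.168.[0-6].[0-11]
SCAN_THIRD_OCTETS = range(0, 7)
SCAN_FOURTH_OCTETS = range(0, 12)


def in_vicepass_range(ip: str) -> bool:
    """True if ip is an IPv4 address inside 192.168.[0-6].[0-11]."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    if not isinstance(addr, IPv4Address):
        return False
    o = addr.packed
    return (o[0] == 192 and o[1] == 168
            and o[2] in SCAN_THIRD_OCTETS and o[3] in SCAN_FOURTH_OCTETS)


# Assumed (constructed) connection-log format: "<epoch> <src> <dst> <dport> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<proto>\w+)$")
HTTP_PORTS = {"80", "8080"}


def find_scanning_hosts(lines, min_targets=8, window=60):
    """Return {src: [in-range targets]} for every source that reached at least
    min_targets distinct in-range addresses over HTTP within `window` seconds.
    Thresholds are assumptions; tune them to your network."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        if m["proto"].lower() != "tcp" or m["dport"] not in HTTP_PORTS:
            continue
        if not in_vicepass_range(m["dst"]):
            continue
        events[m["src"]].append((int(m["ts"]), m["dst"]))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # slide the window start forward until it spans <= window seconds
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            if len({d for _, d in evs[lo:hi + 1]}) >= min_targets:
                # report every in-range target this host touched, not just the window
                hits[src] = sorted({d for _, d in evs}, key=ip_address)
                break
    return hits


# Self-delete idiom from the diary: cmd.exe /C ping <ip> -n 1 -w <ms> > Nul & Del <path>
# The cmd prefix is optional because some sensors log only the inner command.
SELF_DELETE_RE = re.compile(
    r"(?:cmd(?:\.exe)?\s+/c\s+)?ping\s+\S+\s+-n\s+\d+\s+-w\s+\d+\s*>\s*nul\s*&{1,2}\s*del\s+\S",
    re.IGNORECASE)


def is_ping_delay_self_delete(cmdline: str) -> bool:
    """True if a process command line matches the ping-delay-then-delete pattern."""
    return bool(SELF_DELETE_RE.search(cmdline))


# Constructed sample log: 10.0.0.7 is a normal host, 10.0.0.9 behaves like VICEPASS.
SAMPLE_LOG = [
    "1000 10.0.0.7 192.168.0.1 80 tcp",      # one request to the router UI
    "1001 10.0.0.7 203.0.113.5 443 tcp",     # ordinary outbound HTTPS
    "1002 10.0.0.7 192.168.0.11 22 tcp",     # in range, but not HTTP
] + [f"{1100 + i} 10.0.0.9 192.168.0.{i} 80 tcp" for i in range(12)] + [
    "1112 10.0.0.9 192.168.1.0 80 tcp",
    "1113 10.0.0.9 192.168.7.1 80 tcp",      # outside the hard-coded range
    "1114 10.0.0.9 192.168.0.200 80 tcp",    # outside the hard-coded range
]

if __name__ == "__main__":
    for src, targets in find_scanning_hosts(SAMPLE_LOG).items():
        print(f"{src} probed {len(targets)} in-range addresses: {targets[0]} .. {targets[-1]}")
    # constructed command line; the IP and path are placeholders
    sample = r'cmd.exe /C ping 127.0.0.1 -n 1 -w 3000 > Nul & Del "C:\Users\x\flash_update.exe"'
    print("self-delete pattern:", is_ping_delay_self_delete(sample))
```

The scan check keys on the oddly specific range rather than on HTTP traffic to the router in general, so a user browsing the router's admin page does not trip it; on networks where a legitimate inventory tool walks the same addresses, raise `min_targets` or allow-list that scanner. The command-line check is deliberately tolerant of `&&` and of a missing `cmd.exe /C` prefix, since the ping-delay-then-Del idiom is shared by many families and is worth an alert on its own.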
This type of infection can be avoided with very basic security practices: download updates and software only from trusted sources, and change the default passwords on your equipment.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.