Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Last week, Trend Micro was alerted to the increasing number of ILOMO infections.  ILOMO Trojans  (some examples are TROJ_ILOMOB.,TROJ_ILOMO.F, and TROJ_ILOMO.L) arrive on systems via Web-based exploits and use different infection routines for the payload.

    Notable with these variants is that even when users have deleted the malicious file from the hard disk, its code remains actively injected in system memory. In effect, users are continuously annoyed of the reinfection symptoms.

    Analysis of TROJ_ILOMO’s spaghetti-like code reveal several things. Once running in an infected system, a variant updates its own Gates-List which is probably part of the infected nodes that forms its peer-to-peer botnet. This model is quite similar to the one used by the Storm botnet. The malware saves this list in the registry.

    Figure 1. Registry list.

    Entries on the list have the format {IP address}/{certain strings} and they are considered to be a list of compromised machines.

    With an updated Gates-List, the ILOMO malware then attempts to access the sites and download binary encrypted data. It stores the values in the local registry in values named M00, M01, and M02. The ILOMO Trojan decrypts then the data, which in fact forms an malicious executable code that is later injected to certain Internet Explorer processes.

    Figure 2. Injected code.

    Once found, it injects the downloaded and now decrypted code and executes this remote thread. This said thread enables ILOMO to perform additional malicious activities on the infected system. TROJ_ILOMO variants have also been found to send and receive information from certain IP addresses, thereby compromising system security. Confidential or private information may find its way to cybercriminals in this attack too.

    Trend Micro Smart Protection Network already detects and blocks TROJ_ILOMO and its adjacent droppers, preventing them from executing in systems.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice