Gamarue Designed for Hosting Malware Obtained from SourceForge

Trend Micro the security company, lately, during its monitoring exercise over a malicious software namely Gamarue, discovered one sample, which harbored harmful files with the help of SourceForge the popular cache containing online codes. The security company tells that the discovery is the most recent happening witnessed since the rising contamination instances noticed during the preceding month -May 2013.

The code repository SourceForge, notably, helps in hosting numerous open-source tasks by providing to project implementers certain website free-of-cost which lets them to float as also handle their projects on the Internet. Presently, it's supporting over 324,000 such tasks while providing over 4m downloads on a single day. SourceForge is popular because it's the perfect place where its users can obtain their required malicious codes.

Interestingly, Trend Micro's analysis of the first attack stage has revealed 4 files: one shortcut file, which seemingly leads onto certain external drive; one desktop.ini file; one .com file; and Gamarue the most vital file, in the guise of thumbs.db.

It has been further disclosed that both the shortcut and .com files are interconnected with the former leading onto the latter that in turn runs the desktop.ini a camouflaged executable. Subsequently, the desktop.ini plants Gamarue the malware Trend Micro recognized to be WORM_GAMARUE.LJG.

This malware file when decoded, makes itself up-to-date followed with downloading more malware from SourceForge via one of its projects known as "tradingfiles."

Now, for his attack, the perpetrator launched 2 more SourceForge projects, which harbored malevolent Gamarue files namely "ldjfdkladf" and "stanteam." As per specialists, these projects have been updated with additional fresh files since June 1, 2013.

It maybe mentioned that Gamarue infection enables cyber-crooks to compromise computers and filch data stored on it. It also helps execute assaults from one contaminated PC onto others. The malware propagates through BlackHole the popularly-used attack toolkit, and detachable drives.

Trend Micro, within its 2013 forecasts, indicates that in 2013, genuine cloud-providers may get attacked, with the SourceForge site as the most appropriate target for online-criminals.

Meanwhile, the company without delay alerted SourceForge regarding the malicious files for their removal from the code-repository's servers at the earliest.

» SPAMfighter News - 6/19/2013