July 26th, 2014, 12:18
A new Trojan called Retefe uninstalls itself after the infection - and it is still able to operate effectively, though indirectly, afterwards.

More information, for example, here: http://www.microsoft.com/security/po…Retefe.A#tab=2

Payload

Steals sensitive information

Trojan:Win32/Retefe.A can steal sensitive information from your PC, such as your online user names and passwords. It does this by installing a fake self-signed certificate and intercepting traffic through your Internet browser.

It installs a fake self-signed certificate with the thumbprint 3DDF56A7004D90034D77E2D97F68C56FAA3C93AD.

It then installs the self-signed certificate to be used by the Firefox browser.

It also changes the DNS server to an IP address of a server controlled by the attacker. We have seen the following IP addresses being used:

193.169.244.191
93.171.202.99

Stops processes

Trojan:Win32/Retefe.A terminates the following processes if they are running:

iexplore.exe
firefox.exe
chrome.exe

In short, the Trojan installs its own self-signed certificate, and redirects browsers to the trojan's web sites, which appear to be trustable, because of the trojan's certificate …

Alrik Fassbauer
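Because the Trojan removes itself, the certificate and DNS changes quoted above are what remains on an affected PC. The following check for those two indicators is an added example, not part of the post or of Microsoft's write-up; the function name Find-RetefeIndicator is hypothetical, and Get-DnsClientServerAddress is assumed to be available (Windows 8 / Server 2012 or later).

```powershell
# Indicators copied from the Microsoft description quoted in the post.
$RetefeThumbprint = '3DDF56A7004D90034D77E2D97F68C56FAA3C93AD'
$RetefeDnsServers = @('193.169.244.191', '93.171.202.99')

function Find-RetefeIndicator {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Trusted-root stores to inspect (machine-wide and current user).
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )

    # 1. Look for the rogue root certificate by thumbprint.
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $RetefeThumbprint } |
            ForEach-Object {
                [pscustomobject]@{
                    Type     = 'Certificate'
                    Location = $path
                    Detail   = "$($_.Subject), self-signed: $($_.Subject -eq $_.Issuer)"
                }
            }
    }

    # 2. Look for a network interface whose DNS server is one of the listed IPs.
    Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object {
        $alias = $_.InterfaceAlias
        foreach ($server in $_.ServerAddresses) {
            if ($RetefeDnsServers -contains $server) {
                [pscustomobject]@{
                    Type     = 'DnsServer'
                    Location = $alias
                    Detail   = $server
                }
            }
        }
    }
}

$hits = @(Find-RetefeIndicator)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
} else {
    'Neither the listed certificate thumbprint nor the listed DNS servers were found.'
}
```

Firefox keeps its own certificate store per profile, so the copy of the certificate installed for Firefox has to be checked separately in Firefox's certificate manager. A clean result only covers the thumbprint and the two IP addresses quoted above.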