"Wicked Rose" and the NCPH Hacking Group: The GinWui Backdoor Rootkit Payload

194 Chapter 5 · Crème de la Cybercrime

the changing threat landscape as it related to exploitation of this vulnerability. Within the next 36 hours, iDefense gained access to multiple codes and extracted a new rootkit called GinWui. Independent research suggested the following:

- Exploitation targeted a new vulnerability that allowed attackers to successfully exploit computers running fully patched versions of Microsoft Word 2002 and others.
- Exploitation dated back to May 12, 2006, and involved at least six unique hostile exploit files.
- iDefense confirmed that attacks targeted two organizations, one in the United States and one in Japan.
- The Chinese-authored rootkits GinWui.A and GinWui.B were used in several attacks.
- iDefense identified the rootkits' source and authors as being Chinese: "Wicked Rose" and others profiled later in this case study.
- Successful installation of the rootkit requires Administrator or Debugger rights. Initial exploitation, however, does not require Administrator rights.
- iDefense identified unique malicious code attacks pointing to, and authored several Snort signatures for detection of this traffic.
- iDefense continued to monitor other domains related to the attack.

The original attack upon a large Department of Defense (DoD) entity within the USA began on May 12, 2006. Targets were apparently selected by the attacker on the basis of