Another Round of Peacomm Infections Underway
Sean Hittel, Symantec Security Response 2008-08-14
The Peacomm network has definitely turned out to be a survivor. With infections dating back to January 2007 and a P2P structure largely unchanged in about a year, Peacomm continues to evolve and infect new hosts. In early August our honeypots began capturing a new version of Peacomm. This iteration has been relatively low key, since it propagates via users visiting infected Web sites rather than by spam. Although Peacomm has been distributed via infected Web sites in the past, those were usually Web sites that were spammed to users; this version instead relies on drive-by downloading to gather its new recruits.

The attack toolkit used to install Peacomm in these drive-by attacks has changed as well. The infection begins with a user visiting an infectious Web site, which silently redirects the user, via an IFRAME, to hostile content hosted on a set of registered domains. At this point Kallisto TDS (a traffic distribution system) serves a set of exploits against the victim. These include Acrobat PDF CollectEmailInfo, ANI Header Size, and MDAC.
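The first link in the chain above is an injected IFRAME that quietly pulls content from a second-stage domain. As an added example (not code from the original post or from Symantec), the script below scans an HTML page for IFRAMEs that are both hidden or tiny and point to a host other than the page's own, which is the combination a defender typically wants to surface when reviewing a site suspected of serving drive-by redirects. The sample page and the hostnames in it are constructed placeholders, not real domains from the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: a benign embed plus an injected 1x1 hidden IFRAME
# pointing at a placeholder second-stage host (not a real domain).
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.org/embed/42" width="640" height="360"></iframe>
<iframe src="http://tds.example-placeholder.net/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="dq" | name='sq' | name=bare
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(attr_text):
    """Return a lower-cased dict of attributes from the inside of an <iframe ...> tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def is_hidden(attrs):
    """True if the frame is effectively invisible: <=2px in both dimensions or CSS-hidden."""
    def px(value):
        try:
            return int(re.sub(r"px$", "", value.strip()))
        except ValueError:
            return None

    width, height = px(attrs.get("width", "")), px(attrs.get("height", ""))
    if width is not None and height is not None and width <= 2 and height <= 2:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "visibility:hidden" in style or "display:none" in style


def suspicious_iframes(html, page_host):
    """Flag IFRAMEs that are hidden AND load from a host other than page_host."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        external = bool(host) and host != page_host.lower()
        if external and is_hidden(attrs):
            findings.append({"src": src, "host": host})
    return findings


if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"hidden external IFRAME -> {f['host']}  ({f['src']})")
```

Run against the constructed page, only the 1x1 hidden frame is reported; the visible video embed, although external, is not. In practice you would feed the scanner the fetched HTML of the site plus its own hostname and review the reported hosts against your proxy or DNS logs.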

Symantec IPS (NIS, NAV, N360, SEP, and SCS) will detect these attacks with the following existing signatures:

- HTTP ANI File Hdr Size BO
- HTTP Malicious Toolkit Download Activity
- HTTP MS Unsafe ActiveX Obj Instantiation

If a system does become infected, the Peacomm P2P traffic will be detected as:

- BD Peacomm Trojan

and the bot itself would be detected by antivirus as Trojan.Peacomm.
The information, views, and opinions contained on this page are those of the author and do not necessarily reflect the views and opinions of SecurityFocus.
Copyright 2008, SecurityFocus