
The following information was obtained from various cyber security sources and is provided as a notification to all parties concerned, pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).


The information provided is classified as Restricted pursuant to PNP Regulation 200-012 on document security, with an impact rating of significant and a threat rating of high, based on PNP Information Communication p. 22 and p. 129.


SUMMARY

Trojan.GootKit is a Trojan horse that steals confidential information. It also opens a back door and downloads additional files onto the compromised computer.

This Trojan typically arrives as a link in a spammed email message, or is downloaded and spread silently through web exploits. Once executed, it creates a registry entry so that it is launched every time the Windows system starts up.
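The registry autostart entry is the part of this infection an incident handler can check quickly. As an added illustration (not part of this bulletin or of any of the cited write-ups), the Python script below triages a registry export of the Run/RunOnce keys: it lists every autostart value and flags those whose program does not live under the Windows or Program Files directories, which is where a Trojan dropped from a mail link or a web exploit usually lands (Temp, AppData, the user profile). The "trusted directory" list is a triage heuristic chosen for this example, and SAMPLE_REG is a constructed export, not data from a real infection.

```python
"""Triage autostart (Run/RunOnce) entries from a Windows registry export.

Added example, not part of the PNP ACG bulletin. Export the keys on the
suspect machine, e.g.
    reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
then run this script on the file. TRUSTED_DIRS is a heuristic chosen for
this example; SAMPLE_REG is a constructed export used when no file is given.
"""
import re
import sys

# Key header of a Run or RunOnce key under any hive.
RUN_KEY_RE = re.compile(r"^\[(HK[A-Z_]+\\.*\\CurrentVersion\\Run(?:Once)?)\]$", re.IGNORECASE)
# REG_SZ values look like "name"="data"; other types (hex:, dword:) are skipped.
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Heuristic: autostart programs normally live here; anything else is flagged.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"Updater"="wscript.exe \"C:\\Users\\alice\\AppData\\Roaming\\update.vbs\""
'''


def unescape_reg(raw):
    # Undo .reg escaping: a backslash escapes the next character (\\ and \").
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_run_values(text):
    """Yield (key, value_name, command) for REG_SZ values under Run/RunOnce keys."""
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        key = RUN_KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        if line.startswith("["):          # some other key: stop collecting
            current_key = None
            continue
        value = VALUE_RE.match(line) if current_key else None
        if value:
            name, raw = value.groups()
            yield current_key, name, unescape_reg(raw)


def executable_path(command):
    """Program part of a command line: the quoted token, or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_run_keys(text):
    """Return [(key, name, program, suspicious)] for every autostart entry.

    A bare program name (wscript.exe) or an unexpanded %VAR% is left as-is
    and therefore flagged; a triage list should err on the side of showing
    too much rather than too little.
    """
    findings = []
    for key, name, command in parse_run_values(text):
        program = executable_path(command)
        suspicious = not program.lower().startswith(TRUSTED_DIRS)
        findings.append((key, name, program, suspicious))
    return findings


if __name__ == "__main__":
    # reg export writes UTF-16; the constructed sample is used when no file is given.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, program, suspicious in triage_run_keys(text):
        print(("SUSPICIOUS " if suspicious else "ok         ") + f"{name}: {program}  [{key}]")
```

Flagged entries are a starting point for triage, not proof of infection: confirm each by checking the file's publisher signature and hash, and remember that HKLM Run keys, Winlogon and scheduled tasks are other autostart locations this script does not cover.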

The Trojan acts as a bot, taking its instructions from a command-and-control file, and may:

•    access predetermined remote locations;
•    download and execute files;
•    gather confidential information;
•    inject arbitrary JavaScript code into HTML files;
•    list, start, stop and remove processes;
•    list, create, modify and delete registry sub-keys;
•    list, create, modify and delete files;
•    modify the content of an FTP server;
•    send mail; and
•    upload files from the compromised computer.

GootKit can strike in two different ways: by infecting the PC, or by attacking the website. On the server side, GootKit connects to web servers using stolen FTP/MySQL credentials and modifies their HTML and PHP files with extra code. On the PC side, GootKit harvests server passwords, mail passwords and unencrypted FTP and MySQL passwords from the thousands of PCs it infects, and uses these to compromise the target servers.
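Because the website attack works by appending code to files that already exist on the server, a hash baseline of the web root taken right after a clean deployment makes it visible. As an added illustration (not part of this bulletin or of any of the cited write-ups), the Python script below compares the files currently on a server with such a baseline: every file that was modified, added or removed is reported, and for modified files the script/iframe elements that are absent from the clean copy are listed. CLEAN_FILES and SERVER_FILES are constructed stand-ins for the deployed package and the live web root, and the URLs in them are placeholders.

```python
"""Find script/iframe code injected into web files, against a clean baseline.

Added example, not part of the PNP ACG bulletin. CLEAN_FILES stands in for
the deployment package, SERVER_FILES for the files now on the web server;
both are constructed for this example.
"""
import hashlib
import re

# A script or iframe element including its body (DOTALL: may span lines).
TAG_RE = re.compile(r"<(script|iframe)\b[^>]*>.*?</\1\s*>", re.IGNORECASE | re.DOTALL)

CLEAN_FILES = {
    "index.html": b'<html><head><script src="/js/app.js"></script></head>'
                  b"<body>Welcome</body></html>\n",
    "about.html": b"<html><body>About us</body></html>\n",
    "contact.php": b"<?php echo 'Contact form'; ?>\n",
}
# The same site as found on the server: two files tampered with, one file added.
SERVER_FILES = {
    "index.html": CLEAN_FILES["index.html"]
                  + b"<script>document.write('<iframe src=\"http://example.invalid/a\" "
                  + b"width=0 height=0></iframe>')</script>\n",
    "about.html": CLEAN_FILES["about.html"]
                  + b'<iframe src="http://example.invalid/b" style="display:none"></iframe>\n',
    "contact.php": CLEAN_FILES["contact.php"],
    "dropped.php": b"<?php echo 'new file not in the deployment'; ?>\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """{path: bytes} -> {path: sha256}. Take this after a clean deploy; keep it off the server."""
    return {path: sha256_hex(data) for path, data in files.items()}


def injected_tags(clean, current):
    """Script/iframe elements present in `current` that the clean copy lacks."""
    known = {m.group(0) for m in TAG_RE.finditer(clean.decode("utf-8", "replace"))}
    return [m.group(0) for m in TAG_RE.finditer(current.decode("utf-8", "replace"))
            if m.group(0) not in known]


def check_web_root(baseline, current, clean=None):
    """Compare the files now on the server with the stored baseline.

    baseline: {path: sha256}; current: {path: bytes} read from the web root;
    clean: optional {path: bytes} copy of the deployed package, used to say
    which tags were added. Returns {path: (status, [tags])} for every file
    that is modified, new or missing; unchanged files are not reported.
    """
    clean = clean or {}
    report = {}
    for path, data in current.items():
        if path not in baseline:
            report[path] = ("new", injected_tags(b"", data))
        elif sha256_hex(data) != baseline[path]:
            report[path] = ("modified", injected_tags(clean.get(path, b""), data))
    for path in baseline:
        if path not in current:
            report[path] = ("missing", [])
    return report


if __name__ == "__main__":
    baseline = build_baseline(CLEAN_FILES)
    for path, (status, tags) in check_web_root(baseline, SERVER_FILES, CLEAN_FILES).items():
        print(f"{status:8s} {path}")
        for tag in tags:
            print("         injected:", tag[:80])
```

Keep the baseline and the clean copy somewhere the FTP account cannot reach; an attacker holding the site's FTP credentials can otherwise rewrite the baseline along with the pages, which is also why the recommendation below to rotate FTP passwords matters.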

RECOMMENDATION

The community is advised to follow these best practices for securing and protecting devices from Trojan.GootKit:

•    Use a firewall to block all incoming connections from the Internet to services that are not meant to be publicly available;
•    Use strong passwords;
•    Allow only legitimate programs to run, with the minimal privileges necessary;
•    Disable autoplay to prevent automatic launching of executable files;
•    Turn off file sharing if it is not necessary;
•    Turn off and remove unnecessary services;
•    Always use an updated anti-virus; and
•    Regularly change the passwords for FTP accounts.

For additional information, please refer to the following security websites:
•    https://www.symantec.com/security_response/writeup.jsp?docid=2010-051118-0604-991
•    http://www.virusradar.com/en/Win32_Gootkit.V/description
•    http://softflare.com/index.php?id=116

POINT OF CONTACT

Please contact CSRAD, PNP ACG for any inquiries related to this CYBER SECURITY BULLETIN at http://mail.pnp.gov.ph/ or call 7230401 local 5337.