I just watched this malware do a man-in-the-middle attack on one of my clients who was paying for a service using their credit card, and I cannot find any source to confirm it is in fact Sunspot so I can verify the post-removal process. No anti-virus detects it! http://www.net-security.org/malware_news.php?id=1719 Any ideas?
I would look at the two registry keys mentioned in the article you posted; this is where it launches from.
Once installed, Sunspot is started either by "rundll32.exe" via
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
or via
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components.
It uses CBT hooking to load its DLL into the browser (Internet Explorer/Firefox).
Or better yet, use a browser it does not "hook", like the Chrome browser.
Moab
- 58,769
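As an added defender-side example (not code from the question, the answer, or the linked article, and using no indicator from it): a PowerShell script that enumerates the two registry locations the answer names and reports any entry that launches a DLL through rundll32.exe, together with the Authenticode status of that DLL. The function names and the regex are this example's own assumptions.

```powershell
# Added example: check the two persistence locations named in the answer for
# rundll32-launched DLLs. Run from an elevated PowerShell session.
$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ActiveSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'

function Get-RunDllTarget {
    # Pull the DLL path out of a command line such as
    #   rundll32.exe "C:\some\path\x.dll",EntryPoint
    # Returns $null when the command does not invoke rundll32 at all.
    param([string]$Command)
    if ($Command -notmatch '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)') { return $null }
    return $Matches[2]
}

function Describe-Entry {
    # Emit one record per rundll32 entry; anything other than a 'Valid'
    # signature, or a missing file, deserves a closer look.
    param([string]$Source, [string]$Name, [string]$Command)
    $dll = Get-RunDllTarget $Command
    if (-not $dll) { return }
    $exists = Test-Path -LiteralPath $dll
    $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
    [pscustomobject]@{
        Source = $Source; Name = $Name; Dll = $dll; Signature = $status; Command = $Command
    }
}

function Find-RunDllPersistence {
    # 1. HKCU ...\Run: every value name maps directly to a command line.
    if (Test-Path $RunKey) {
        foreach ($p in (Get-ItemProperty -Path $RunKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            Describe-Entry 'HKCU Run' $p.Name ([string]$p.Value)
        }
    }
    # 2. HKLM ...\Active Setup\Installed Components: one subkey per component,
    #    with the command line stored in its StubPath value.
    if (Test-Path $ActiveSetup) {
        foreach ($k in Get-ChildItem -Path $ActiveSetup) {
            $stub = (Get-ItemProperty -Path $k.PSPath).StubPath
            if ($stub) { Describe-Entry 'Active Setup' $k.PSChildName ([string]$stub) }
        }
    }
}

Find-RunDllPersistence | Format-Table -AutoSize
```

An empty table means neither location currently launches a DLL via rundll32; a row with Signature of NotSigned or FileMissing is the entry to investigate before and after removal.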