
Win32/Syndicasec.A

Posted: May 27, 2013

In another case of malware aimed at Tibetan independence activists, Win32/Syndicasec.A stands out less for its choice of victims than for its stealth. Although Win32/Syndicasec.A was identified only recently by SpywareRemove.com malware experts and others in the industry, its campaign appears to have been active for at least several months, and possibly longer. Win32/Syndicasec.A is a backdoor Trojan: it gives a remote attacker control of the infected computer, and the observed attacks consist of what appear to be manually issued instructions. Win32/Syndicasec.A is a high-level threat that is unlikely to give its presence away through any symptom visible to the eye, so advanced anti-malware products should be used to detect and delete it.

Win32/Syndicasec.A: a PC Infiltrator with Familiar Goals but New Methods

Tibetan activist groups are, unfortunately, among the most frequent targets of backdoor Trojan and spyware attacks, and Win32/Syndicasec.A continues that pattern with a new way of hiding itself on the infected computer. BKDR_RILER.SV, Troj/Agent-ZCT, Enfal, Troj/Plugx-G and Trojan.Win32.Agent.hwoo are examples of other Trojans used in attacks on Tibetan targets that SpywareRemove.com malware researchers have previously examined.

Win32/Syndicasec.A's most interesting characteristic is its method of concealment. It bypasses Windows User Account Control (UAC) to install a segment of JavaScript code inside WMI (Windows Management Instrumentation), the Windows management subsystem, instead of dropping the script as a file on disk. Because WMI is a standard part of Windows and starts with the operating system, the stored script runs automatically at every boot, and there is no separate malicious file for a file-based scanner to detect. Less sophisticated anti-malware products may be thrown off by the absence of a file; the trade-off for the attackers is that this persistence method only works on Windows. The stored code is not invisible, however: it lives in the WMI repository and can be listed by querying WMI directly, which is the check a practitioner should run on any suspect machine.
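As an added example that is not part of the original article and not code from any vendor analysis of Win32/Syndicasec.A, here is the check a responder would run on a suspect machine: a PowerShell script that enumerates WMI permanent event subscriptions, the mechanism by which a script stored in the WMI repository runs at startup without a file on disk. It assumes Windows PowerShell 5.1 (the Get-WmiObject cmdlets) and an elevated prompt; the keyword list is an illustrative heuristic of my own, not a detection signature for Win32/Syndicasec.A, and the JScript engine name is only an assumption consistent with the article's description of "JavaScript code".

```powershell
# Added example (not from the original page or from any vendor write-up).
# Lists WMI permanent event subscriptions in root\subscription, the three
# objects (filter, consumer, binding) a WMI-resident script needs to survive
# a reboot, and flags script consumers whose payload looks like a downloader.
# Assumptions: Windows PowerShell 5.1, run as Administrator; the token list
# below is an illustrative heuristic, not a signature.

$Namespace = 'root\subscription'

# Strings that are common in downloader-style WMI scripts; tune for your estate.
$SuspiciousTokens = @('ActiveXObject', 'XMLHTTP', 'WScript.Shell',
                      'Shell.Application', 'powershell', 'cmd.exe', '.Run(')

# Reference properties on __FilterToConsumerBinding are strings such as
#   __EventFilter.Name="MyFilter"  or  ActiveScriptEventConsumer.Name="MyConsumer"
function Get-RefName([string]$ref) {
    if ($ref -match 'Name="([^"]+)"') { $Matches[1] } else { $ref }
}

$filters   = @(Get-WmiObject -Namespace $Namespace -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $Namespace -Class __EventConsumer)
$bindings  = @(Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding)

Write-Host ("{0} filter(s), {1} consumer(s), {2} binding(s) in {3}" -f
    $filters.Count, $consumers.Count, $bindings.Count, $Namespace)

foreach ($b in $bindings) {
    $filterName   = Get-RefName $b.Filter
    $consumerName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

    # Only the script and command-line consumer classes carry an inline payload;
    # ActiveScriptEventConsumer is the one that holds JScript/VBScript text.
    $payload = switch ($c.__CLASS) {
        'ActiveScriptEventConsumer' { "{0}: {1}" -f $c.ScriptingEngine, $c.ScriptText }
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        default                     { '(no inline payload)' }
    }
    $hits = $SuspiciousTokens | Where-Object { $payload -like "*$_*" }

    [pscustomobject]@{
        Filter       = $filterName
        Trigger      = $f.Query          # WQL event query that fires the consumer
        ConsumerType = $c.__CLASS
        Consumer     = $consumerName
        Suspicious   = [bool]$hits
        Payload      = $payload
    } | Format-List
}

# To remove a confirmed-malicious subscription, delete all three pieces,
# binding first so the filter and consumer are no longer referenced:
#   $b | Remove-WmiObject; $c | Remove-WmiObject; $f | Remove-WmiObject
```

On a clean workstation the namespace usually holds no bindings at all, or only ones created by management software you can account for; any ActiveScriptEventConsumer whose ScriptText fetches or executes something is worth a close look regardless of whether the heuristic above flags it.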

Win32/Syndicasec.A includes standard backdoor functionality that lets criminals access the infected PC through a Command & Control server. SpywareRemove.com malware experts were intrigued to learn that these attacks appear to be directed manually, rather than by the automated botnet systems typical of spambots and other large-scale malware operations. That has both fortunate and unpleasant implications: it indicates that Win32/Syndicasec.A's attacks are limited in scope, but also that they reflect close, sustained attention to specific targets by specific malware operators.

Running a PC Perimeter that Win32/Syndicasec.A Will Not Be Able to Duck Underneath

Win32/Syndicasec.A is an advanced PC threat and, like any well-built backdoor Trojan, displays no symptoms that would let you notice its attacks or tell its activity apart from that of legitimate software. SpywareRemove.com malware experts strongly recommend deleting Win32/Syndicasec.A immediately, using a trustworthy anti-malware product that inspects more than just the files on disk and, if necessary, standard security features such as Safe Mode.

Win32/Syndicasec.A's distribution, like that of similar Tibet-targeting Trojans, is most likely linked to website-based drive-by downloads and targeted e-mail attacks. The former can be reduced with appropriate browser security, including keeping the browser and its plugins patched; the latter by treating attachments and links from unverified sources with suspicion. In particular, SpywareRemove.com malware experts stress that Trojans similar to Win32/Syndicasec.A are often distributed through compromised websites related to Tibetan politics: legitimate sites that have been altered to push malicious software onto visitors through one of several browser exploits.
