bot


Introduction

Fortinet recently discovered a new botnet capable of stealing large amounts of user information and of remotely manipulating compromised machines. The malware appears to be based on an older botnet known as Grabbot, which was first discovered in November 2014 [1]. This new variant improves on that existing functionality while adding several dangerous new features. This blog post aims to offer a quick insight into how Grabbot functions.

Replication

The bot can be found hosted on a number of compromised websites with a...
by David Wang and He Xu  |  Mar 17, 2017  |  Filed in: Security Research
A few weeks ago, our FortiGuard Labs Threat Intelligence system discovered some new suspicious samples. One of them caught our attention when we checked its network traffic. For this particular sample, which Fortinet already detects as W32/Foreign.LXES!tr, we found that most of its communication came back with the HTTP/1.1 404 Not Found status, which would normally indicate that an error had occurred. When we analysed the data further, we realized that it was actually a deliberate trick: the bot hides its command-and-control exchange inside responses that look like errors.

The Ping & Pong Commands

When it first...
by He Xu  |  Apr 09, 2015  |  Filed in: Security Research
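A C&C channel that answers with 404 Not Found blends in with ordinary broken links, which is exactly why it works. The heuristic below, an added illustration rather than code from the Fortinet post or its authors, shows how a defender can triage proxy logs for that pattern: it looks for (client, host) pairs whose traffic is dominated by 404s and then checks whether those 404s behave like a channel rather than like error pages. The log format, the thresholds and the sample lines are constructed for this example and are not a real product's format.

```python
"""Triage HTTP 404 responses that may be disguised C2 traffic.

Added example; not code from the post. The log format is a constructed,
simplified proxy log, one request per line:
    <epoch> <client> <host> <method> <path> <status> <bytes> <content-type>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import pstdev

# Constructed sample log. 10.0.0.5 posts to one host every 60 s and only
# ever gets 404s with a fixed-size binary body; 10.0.0.6 browses normally
# and hits one stale link, which returns a real HTML error page.
SAMPLE_LOG = """\
1489708800 10.0.0.5 203.0.113.7 POST /gate.php 404 512 application/octet-stream
1489708860 10.0.0.5 203.0.113.7 POST /gate.php 404 512 application/octet-stream
1489708920 10.0.0.5 203.0.113.7 POST /gate.php 404 512 application/octet-stream
1489708980 10.0.0.5 203.0.113.7 POST /gate.php 404 512 application/octet-stream
1489709040 10.0.0.5 203.0.113.7 POST /gate.php 404 520 application/octet-stream
1489708810 10.0.0.6 198.51.100.20 GET /index.html 200 8192 text/html
1489708820 10.0.0.6 198.51.100.20 GET /old-page 404 3500 text/html
1489708830 10.0.0.6 198.51.100.20 GET /images/a.png 200 20480 image/png
"""


@dataclass
class PairStats:
    """Counters kept per (client, host) pair."""
    total: int = 0
    not_found: int = 0
    nf_bytes: list = field(default_factory=list)   # body size of each 404
    nf_non_html: int = 0                            # 404s whose body is not text/html
    nf_times: list = field(default_factory=list)   # epoch of each 404 request


def parse_line(line):
    """Split one constructed log line into typed fields; None if malformed."""
    parts = line.split()
    if len(parts) != 8:
        return None
    ts, client, host, method, path, status, size, ctype = parts
    try:
        return int(ts), client, host, method, path, int(status), int(size), ctype
    except ValueError:
        return None


def aggregate(lines):
    """Fold log lines into PairStats keyed by (client, host)."""
    stats = defaultdict(PairStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, host, _method, _path, status, size, ctype = rec
        s = stats[(client, host)]
        s.total += 1
        if status == 404:
            s.not_found += 1
            s.nf_bytes.append(size)
            s.nf_times.append(ts)
            if not ctype.startswith("text/html"):
                s.nf_non_html += 1
    return stats


def suspicious(lines, min_requests=4, min_ratio=0.8, max_jitter=30):
    """Return [(client, host, reasons)] for pairs whose 404s look like a channel.

    The thresholds are assumptions for this example; tune them against a
    baseline of your own traffic before using them in a hunt.
    """
    findings = []
    for (client, host), s in sorted(aggregate(lines).items()):
        if s.total < min_requests or s.not_found / s.total < min_ratio:
            continue
        reasons = [f"{s.not_found}/{s.total} responses are 404"]
        # Real 404 pages are HTML; a binary or fixed-size body is not an error page.
        if s.nf_non_html == s.not_found:
            reasons.append("404 bodies are not HTML error pages")
        if len(s.nf_bytes) > 1 and pstdev(s.nf_bytes) < 16:
            reasons.append("404 body size is nearly constant")
        # Evenly spaced requests to the same host look like a beacon, not browsing.
        times = sorted(s.nf_times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) > 1 and max(gaps) - min(gaps) <= max_jitter:
            reasons.append(f"regular interval (~{gaps[0]}s) between 404 requests")
        findings.append((client, host, reasons))
    return findings


if __name__ == "__main__":
    for client, host, reasons in suspicious(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {host}: " + "; ".join(reasons))
```

The 404 ratio on its own is noisy, since crawlers, stale bookmarks and misconfigured clients all produce long runs of genuine 404s. What separates a channel from an error page is the combination: a non-HTML or fixed-size body, a regular cadence, and repeated POSTs to one path. Treat a hit as a lead for a hunt, not as a verdict.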
Recently, we found a simple malicious downloader that downloads a fake PDF file. Unlike a typical malicious loader, which embeds the PE loader code in its own binary, this loader has stripped that part out and fetches it online instead. Our FortiGuard Labs Threat Intelligence system can detect the traffic of this downloader, which we detect as W32/Upatre.FT!tr, which greatly aided the analysis of this malware.

Registering Online

Once executed, the loader grabs the victim's local system information, generates them...
by He Xu  |  Feb 23, 2015  |  Filed in: Security Research
A few weeks ago, we received a file that was being spread as an attachment in a spear-phishing email. The sample, which we detect as W32/Byanga.A!tr, turns out to be a dropper for a bot which, if active in an organization's systems, can perform malicious activities that are very damaging to the targeted organization. This post discusses what this particular malware can do.

The Dropper

The dropper uses a Chinese file name, which translates to "Upcoming Events Schedule". It also uses a Microsoft...
by Margarette Joven  |  Jan 14, 2015  |  Filed in: Security Research
At the end of October, a bot that we had not tracked before appeared in our system. Our initial analysis of its features got our attention, as it revealed behaviour that is dangerous to infected users. After tracing its history with our monitoring system, we found that it had been distributed by a well-known botnet, Andromeda 2.09, since September 2014. As a new addition to the botnet families that we continually track, we discuss here our initial analysis of this botnet, which is named Recslurp. In this...
by He Xu  |  Nov 17, 2014  |  Filed in: Security Research
Dofoil, also known as Smoke Loader, is a modular botnet that has existed for a few years. Since 2013 we had not received any new variants of this bot, and the command-and-control (C&C) servers of its previous variants are no longer reachable, which made Dofoil look like a dead botnet. In September 2014, however, we received a brand new Dofoil variant that carries more features. This blog post discusses our brief analysis of this new variant, which we detect as W32/Zurgop.BK!tr.dldr.

New Dofoil?

The previous Dofoil botnet...
by He Xu  |  Nov 12, 2014  |  Filed in: Security Research
Wei Wang, RAP Team
Jia Wang, RAP Team
Jiaying Su, RAP Team

First discovered in 2007, the botnet malware known as Pushdo quickly became one of the most prolific sources of email spam in history. At its peak, Pushdo was estimated to be single-handedly responsible for sending up to 10 billion spam messages per day. The Pushdo module itself functions as a moderately complex downloader that fetches other components and tools from its command-and-control (C&C) server. The actual mechanism for sending spam is contained inside some...
by Wei Wang  |  Sep 22, 2014  |  Filed in: Security Research
Tags: botnet bot pushdo
DorkBot is another modified IrcBot that is extremely similar to NgrBot, which is why many antivirus products treat the two the same way, often using the same detection. Our botnet monitoring system has even captured NgrBot and DorkBot at almost the same time. However, a deeper analysis of both NgrBot and DorkBot shows that they should be treated differently. In this blog post we discuss the similarities and differences between the two botnets.

Version Number

The hardcoded version number of the DorkBot sample we received is the...
by He Xu  |  Aug 12, 2014  |  Filed in: Security Research
Asprox, a.k.a. Zortob, is an old botnet that was uncovered in 2007. It is known to spread as an attachment in spam emails that purport to come from well-known companies. The attachment itself is disguised as a legitimate document by using icons such as those of a .doc or .pdf file.

Figure 1. Asprox malware posing as a Microsoft Word document.

This blog post gives an overview of Asprox's functionality, with a focus on the changes in its communication with the command-and-control (C&C) server, including a new C&C command,...
by Long Tran  |  Jul 28, 2014  |  Filed in: Security Research
NgrBot is a modified IrcBot. It can join different Internet Relay Chat (IRC) channels and perform various attacks according to IRC-based commands from the command-and-control (C&C) server. Recently, our botnet monitoring system captured an NgrBot variant with hardcoded version 1.1.0.0.

Figure 1. Hardcoded version 1.1.0.0.

This new version of the bot carries new features that are much more harmful than before, including the ability to destroy data on the user's hard drive.

Wiping The Hard Drive

This new version of...
by He Xu  |  Jul 10, 2014  |  Filed in: Security Research