bot | Page 2


Introduction: The Zeus malware, a.k.a. Zbot, is a bot that is capable of stealing private and sensitive information, including personal passwords and banking information, from infected hosts. Its command-and-control (C&C) server can also control the actions of its remote bots by sending various command strings, such as updating malware, executing other malware files, and so on. Recently, we have discovered a new variant of this malware that we are calling Lite Zeus. Aside from being shorter with fewer functionalities, it has several other distinct...
by Kan Chen | Jun 26, 2014 | Filed in: Security Research
Darkness, a.k.a. Optima, is a bot that specializes in performing distributed denial-of-service (DDoS) attacks. This botnet is an old one that has been in the Russian cybercrime underground market for a long time. Since 2013, there has been no new update and so most variants are down. According to our botnet monitoring system's continued tracking, there is still one variant that has been active for almost one year. During this period, this DDoS bot has performed several attacks. The sample we captured is without a packer, so we could see its code clearly....
by He Xu | Jun 19, 2014 | Filed in: Security Research
Earlier this week, the United States Computer Emergency Readiness Team (US-CERT) released an advisory regarding the GameOver Zeus P2P Malware. Along with that advisory was a national press release from the US Department of Justice and the FBI that announced a multi-national effort against the GameOver Zeus botnet. GameOver Zeus, a.k.a. P2P Zeus, is a sophisticated type of malware that is used by cybercriminals to steal infected hosts' banking information, install other malware, and perform DDoS attacks and other cybercrime-related activities....
by Margarette Joven | Jun 06, 2014 | Filed in: Industry Trends & News
Bublik is a downloader malware that is used mostly for spreading P2P Zbot and other major bots. Over the years that our botnet monitoring system has tracked this bot's activities, we have found that this simple downloader has had at least three major updates that are directed more towards escaping detection from security software. Overview of Bublik: Bublik is a simple one-time execution bot; it does not add any autorun registry entries. Once executed, it copies itself to the user's Temporary folder using the name budha.exe. The bot modifies this...
by He Xu | May 29, 2014 | Filed in: Security Research
Andromeda is an infamous modular botnet that has been around for several years now. It is very popular in the underground cybercrime market, with many different variants that use different RC4 keys to encrypt and decrypt their network packets. Since the beginning of 2014, we have found that the version number, which can be seen in its network traffic, has changed to 2.08. This new version is very similar to the previous version 2.07. The main difference can be found at the beginning of the code, which contains Andromeda's anti-analysis tricks....
by He Xu | May 19, 2014 | Filed in: Security Research
Lethic is a proxy bot with an extremely long history that started in January 2010. It is best known for spreading spam emails to earn as much money from the underground market as possible. In March 2014, our botnet monitoring system found that Lethic has now transformed into a clicker bot. Lethic's Spamming Method: As a proxy bot, Lethic only transfers data between its command-and-control (C&C) server and its target. When spreading spam emails, the bot receives the business SMTP email server's IP address and port from the C&C server (see...
by He Xu | May 06, 2014 | Filed in: Security Research
Neurevt DDoS attacks are endless. Our Fortinet botnet monitoring system found more DDoS attacks launched by Neurevt. UDP Attack: About two weeks ago (April 18), Neurevt began to perform new DDoS attacks on a web site that is located in the British Virgin Islands. The domain has the suffix .ru, which means it belongs to Russia. The attack method is only UDP, and the target port is 80, which is the default for web browsing. This web site is an online forum on finance and investing. HTTP GET Attacks: Two days later (April 20), the Neurevt command-and...
by He Xu | Apr 30, 2014 | Filed in: Security Research
Special Technical Contribution by He Xu, Senior Antivirus Analyst. P2P Zeus, a.k.a. Zbot, has evolved into a powerful bot since its discovery in 2007. It is capable of stealing infected hosts' banking information, installation of other malware, and other cybercrime-related behavior. Currently, P2P Zeus supports both the UDP and TCP protocols for its various communication tasks including peer list exchange, command-and-control (C&C) server registration, and malware binary updates. Early this month, our Fortinet botnet monitoring system found...
by Kan Chen | Apr 21, 2014 | Filed in: Security Research
Neurevt, a.k.a. Beta Bot, is an infamous bot that has had our attention since March 2013. This bot carries many efficient modules that meet most of the requirements for cybercrime-related purposes, including the ability to launch distributed denial-of-service (DDoS) attacks according to commands issued by its command-and-control (C&C) server. Neurevt supports several methods of DDoS attacks, such as UDP, TCP, HTTP GET, etc. Recently, one Neurevt variant launched a huge DDoS attack from its network of compromised computers. This attack was...
by He Xu | Apr 09, 2014 | Filed in: Security Research
[This article originally appeared in Virus Bulletin](http://www.virusbtn.com/virusbulletin/archive/2013/11/vb201311-Neurevt). Neurevt (also known as Beta Bot) is an HTTP bot [1] which entered the underground market around March 2013 and which is priced relatively cheaply [2]. Though still in its testing phase, the bot already has a lot of functionalities along with an extendable and flexible infrastructure. Upon installation, the bot injects itself into almost all user processes to take over the whole system. Moreover, it utilizes a mechanism...
by Zhongchun Huo | Jan 29, 2014 | Filed in: Security Research