A few weeks ago, our FortiGuard Labs Threat Intelligence system flagged a batch of new suspicious samples during routine collection. One of them caught our attention when we inspected its network traffic. For this sample, which Fortinet already detects as W32/Foreign.LXES!tr, most of the server responses carry the HTTP/1.1 404 Not Found status, which would normally indicate that the request failed. When we analysed the exchanged data further, we realized that the error status is a deliberate trick used to disguise the bot's communication with its server. The Ping & Pong Commands When it first...
by He Xu  |  Apr 09, 2015  |  Filed in: Security Research
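The summary above describes a bot whose server hides its traffic behind HTTP 404 responses. The following is an added example, not code from the FortiGuard Labs post or from the malware itself: a small heuristic detector that, given raw HTTP responses grouped by server, flags servers whose 404 bodies change from request to request and contain no HTML, since a genuine 404 page is normally one static error document. The host names and response captures are constructed for the example, and the "opaque body" check (a Base64-like alphabet) is a generic assumption, not the encoding the post's sample actually uses.

```python
"""Heuristic detector for C2 channels disguised as HTTP 404 responses.

A real web server returns the same error page for every missing resource.
A bot server that answers "HTTP/1.1 404 Not Found" but puts a different,
non-HTML payload in each body is using the error status as camouflage.
"""
import re
from collections import defaultdict


def make_response(status_line, body, content_type="text/html"):
    """Build a raw HTTP/1.1 response; used here only to construct sample data."""
    return (f"{status_line}\r\n"
            f"Content-Type: {content_type}\r\n"
            f"Content-Length: {len(body.encode())}\r\n\r\n{body}")


# A static error page, as a normal server would return for every missing URL.
GENUINE_404 = ("<html><head><title>404 Not Found</title></head>"
               "<body><h1>Not Found</h1></body></html>")

# Constructed traffic: (server host, raw response). Hosts are hypothetical.
SAMPLE_TRAFFIC = [
    ("www.example-site.com", make_response("HTTP/1.1 404 Not Found", GENUINE_404)),
    ("www.example-site.com", make_response("HTTP/1.1 404 Not Found", GENUINE_404)),
    ("www.example-site.com", make_response("HTTP/1.1 200 OK", "<html>ok</html>")),
    ("www.example-site.com", make_response("HTTP/1.1 404 Not Found", GENUINE_404)),
    # Disguised channel: status says error, but each body is a different blob.
    ("c2.example.net", make_response("HTTP/1.1 404 Not Found", "UElORw==")),
    ("c2.example.net", make_response("HTTP/1.1 404 Not Found", "UE9ORyAxMjM0NTY=")),
    ("c2.example.net", make_response("HTTP/1.1 404 Not Found", "Q01EIGRvd25sb2FkIGh0dHA6Ly8=")),
]

# Assumed "opaque" shape: Base64 alphabet only, at least 8 characters, no markup.
_OPAQUE = re.compile(r"[A-Za-z0-9+/=\s]{8,}")


def parse_response(raw):
    """Split a raw HTTP response into (status code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def looks_opaque(body):
    """True if the body is a bare Base64-like blob rather than an HTML page."""
    return "<" not in body and _OPAQUE.fullmatch(body.strip()) is not None


def score_hosts(traffic, min_404=3):
    """Summarise 404 behaviour per host and flag hosts whose 404s look like a channel.

    A host is suspicious when it has at least `min_404` 404 responses and either
    every 404 body is unique or at least half of them are opaque blobs.
    """
    per_host = defaultdict(list)
    for host, raw in traffic:
        status, _, body = parse_response(raw)
        if status == 404:
            per_host[host].append(body)

    results = {}
    for host, bodies in per_host.items():
        if len(bodies) < min_404:
            continue
        distinct = len(set(bodies))
        opaque = sum(looks_opaque(b) for b in bodies)
        results[host] = {
            "count_404": len(bodies),
            "distinct_bodies": distinct,
            "opaque_bodies": opaque,
            "suspicious": distinct == len(bodies) or opaque * 2 >= len(bodies),
        }
    return results


if __name__ == "__main__":
    for host, info in score_hosts(SAMPLE_TRAFFIC).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{host}: {info['count_404']} x 404, "
              f"{info['distinct_bodies']} distinct bodies, "
              f"{info['opaque_bodies']} opaque -> {flag}")
```

The check is deliberately per-host rather than per-response: a single unusual 404 proves nothing, but a server that answers the same client with several different "error" bodies in a row is behaving like a channel, not like a web server. Real-world tuning would add a whitelist for dynamic 404 pages that embed the requested path.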
Andromeda is a botnet with a long history. The latest version is 2.09, which most active bots will already have received. Recently, however, our FortiGuard Labs Threat Intelligence system captured activity from an older variant that is apparently still alive. Our analysis found that it is a cracked copy of an old variant, which its operator is using to spread a Bitcoin miner. Andromeda 2.06 The network traffic of most Andromeda variants is very similar: the data sent is Base64-encoded,...
by He Xu  |  Jan 07, 2015  |  Filed in: Security Research
Darkness, a.k.a. Optima, is a bot that specializes in distributed denial-of-service (DDoS) attacks. It is an old botnet that has been sold in the Russian cybercrime underground for a long time. There has been no new update since 2013, so most variants are now offline. According to our botnet monitoring system's continued tracking, however, one variant has remained active for almost a year, and during that period it has carried out several attacks. The sample we captured is not packed, so its code could be read directly....
by He Xu  |  Jun 19, 2014  |  Filed in: Security Research