Bot Review

Table: Bots under analysis (February 2014, Lavasoft MAS).

Bot distribution in February:

Kelihos

Kelihos continues to download new versions of itself, now using the following url mask:

http://[IP Address]/mod[id]/[file name].exe

For example:

hxxp://77.122.80.243/mod2/keybex1.exe
hxxp://178.150.171.207/mod1/keybex1.exe

You can find the latest description on Kelihos here.

Cycbot. Shows no sign of disappearing soon. You can find the latest description on Cycbot here.

Shiz. The backdoor is still alive despite decreased number of occurrences. The latest example is here.
The list of domains Shiz connects to:

URL	IP
hxxp://digivehusyd.eu/login.php	69.195.129.70
hxxp://gadufiwabim.eu/login.php	50.116.56.144
hxxp://kefuwidijyp.eu/login.php (ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 3) , Malicious)	173.230.133.99
hxxp://vofozymufok.eu/login.php	209.160.22.9
jefapexytar.eu	50.116.56.144
fokyxazolar.eu	50.116.56.144
xuqohyxeqak.eu	50.116.56.144
cihunemyror.eu	50.116.56.144
lyruxyxaxaw.eu	50.116.56.144
www.bing.com	204.79.197.200
foxivusozuc.eu	50.116.56.144
ryqecolijet.eu	50.116.56.144
puregivytoh.eu	Unresolvable
gahihezenal.eu	Unresolvable
qegytuvufoq.eu	Unresolvable
vojacikigep.eu	Unresolvable
makagucyraj.eu	Unresolvable
tucyguqaciq.eu	Unresolvable
nozoxucavaq.eu	Unresolvable
puvopalywet.eu	Unresolvable
ciliqikytec.eu	Unresolvable
tunujolavez.eu	Unresolvable
xutekidywyp.eu	Unresolvable
dikoniwudim.eu	Unresolvable
divywysigud.eu	Unresolvable
lyvejujolec.eu	Unresolvable
puzutuqeqij.eu	Unresolvable
fobonobaxog.eu	Unresolvable
rydinivoloh.eu	Unresolvable
lysovidacyx.eu	Unresolvable
qeqinuqypoq.eu	Unresolvable
magofetequb.eu	Unresolvable
tupazivenom.eu	Unresolvable
rytuvepokuv.eu	Unresolvable
qetoqolusex.eu	Unresolvable
masisokemep.eu	Unresolvable
gatedyhavyd.eu	Unresolvable
fodakyhijyv.eu	Unresolvable
cicaratupig.eu	Unresolvable
vocumucokaj.eu	Unresolvable
nofyjikoxex.eu	Unresolvable
tuwikypabud.eu	Unresolvable
kepymexihak.eu	Unresolvable
xuxusujenes.eu	Unresolvable
lymylorozig.eu	Unresolvable
jepororyrih.eu	Unresolvable
xubifaremin.eu	Unresolvable
dimutobihom.eu	Unresolvable
voniqofolyt.eu	Unresolvable
fogeliwokih.eu	Unresolvable
dixemazufel.eu	Unresolvable
qederepuduf.eu	Unresolvable
kemocujufys.eu	Unresolvable
nojuletacuf.eu	Unresolvable
rynazuqihoj.eu	Unresolvable
marytymenok.eu	Unresolvable
jejedudupuc.eu	Unresolvable
volebatijub.eu	Unresolvable
ciqydofudyx.eu	Unresolvable
cinepycusaw.eu	Unresolvable
keraborigin.eu	Unresolvable
pumadypyruv.eu	Unresolvable
nopegymozow.eu	Unresolvable
galokusemus.eu	Unresolvable
jewuqyjywyv.eu	Unresolvable

Zbot. We counted 197 backdoors this month, 94 of them install a Tor client to communicate with the C&C. server. You can find the latest description on Zbot here
NrgBot/Dorkbot. The latest description is here.

Rbot. The latest description is available in Malware Encyclopedia.

Read the part 1: Lavasoft Security Bulletin - February 2014: Under the Dropbox Umbrella.