How a cybergang operates a network of 1.9 million infected computers

22. July 2009 18:28

Today we announced our recent discovery of a network of 1.9 million infected computers controlled by cybercriminals. This is one of the largest bot networks controlled by a single team of cybercriminals (or cybergang) that we have found this year. In this blog post we will provide you with additional details about this network, the malware in use and how the operators are using it to make money – after all, this is the main driver of cybercrime today.

We found that the botnet’s command and control server is hosted in Ukraine. As folders on this server were left open, we were able to get more information for our research.

The following screenshot sheds some light on the number of computers this cybergang managed to infect. We actually saw this number increasing on an hourly basis during our research.

The server has a well-built backend management application that makes it easy for the attackers to manage the infected machines. One of the management console features that we identified is a Command Editing panel through which instructions are sent to the infected machines (bots). We have seen commands asking the bots to download and execute additional malware, download settings files, apply update files, etc.

Following is an example of such a command being sent to the infected machines:

This command instructs the bot on the infected computers to download and execute a Trojan horse. As indicated in the VirusTotal report below, only 4 out of 39 anti-virus products detected this Trojan.

The description field of this command led us to a hacker’s forum in Russia with a post requesting to trade in infected computers.

Let’s imagine for a moment that your infected computer is being traded without you knowing about it… or that your company’s infected computer is being traded… And what about your government agency’s infected computer being traded? Isn’t it scary?!

Here is another instruction sent to the botnet:

This command instructs the infected machines to download and execute a Trojan horse that later installs a group of other malicious executables without the user’s consent.

Downloaded files that were identified include SENEKA[removed].DLL, Zch[Removed].exe and many others. When inspecting these files, we identified that they can perform the following actions: read email addresses and other details from the infected computer; communicate with other computers using the HTTP protocol; execute a process; inject code into other processes; visit websites without the end user’s consent; register as a background service on the infected computer; and a few dozen other commands.

Below is a partial log of the downloaded files (joebox.org analysis):

Those were only two examples; below is a screenshot of some others as shown on the management console:

Overall, the cybergang can remotely execute anything it likes on the infected computers.

The log file on the server disclosed the IP addresses of the infected computers and their names in the network. After running them through our Geo IP database we found the following distribution of the botnet around the world:

  • US: 45%
  • UK: 6%
  • Canada: 4%
  • Germany: 4%
  • France: 3%
  • Other: 38%
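The country breakdown above comes from taking the bot IP addresses recorded in the server log and resolving each one against a Geo IP database. The script below is an added example, not Finjan’s own tooling, showing how an analyst would do that aggregation: it parses "<ip> <hostname>" log lines, de-duplicates by IP so that a bot checking in many times is counted once, resolves each address to a country, and folds small countries into an "Other" bucket. Both the log lines and the GEO_LOOKUP prefix table are constructed for illustration; a real analysis would replace GEO_LOOKUP with a lookup into an actual Geo IP database.

```python
"""Aggregate bot IP addresses from a C2 server log into a per-country
distribution. Added example (not Finjan's code); the sample log lines and
the GEO_LOOKUP table are constructed, standing in for a real Geo IP database.
"""
import ipaddress
from collections import Counter

# Constructed sample of log lines: "<ip> <hostname>", matching the post's
# description of a log holding each bot's IP address and network name.
# Repeated lines and a malformed line are included on purpose.
SAMPLE_LOG = """\
198.51.100.17 WORKSTATION-01
198.51.100.17 WORKSTATION-01
198.51.100.42 LAPTOP-ACCT
203.0.113.5 PC-HR
203.0.113.9 DC01
192.0.2.77 HOME-PC
192.0.2.78 HOME-PC2
192.0.2.200 KIOSK
not-an-ip garbage
"""

# Constructed prefix -> country table (assumption: a stand-in for a real
# Geo IP database such as one keyed by network prefix).
GEO_LOOKUP = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "UK",
    ipaddress.ip_network("192.0.2.0/25"): "CA",
}


def parse_bot_ips(log_text):
    """Return the set of distinct bot IP addresses in the log.

    Distinct, because a bot that checks in every hour appears many times
    but is one infected host; counting raw lines would inflate the count.
    Malformed lines are skipped rather than aborting the whole run.
    """
    ips = set()
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            ips.add(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
    return ips


def lookup_country(ip, geo=GEO_LOOKUP):
    """Resolve one address to a country code, 'Other' if no prefix matches."""
    for net, country in geo.items():
        if ip in net:
            return country
    return "Other"


def country_distribution(ips, geo=GEO_LOOKUP, min_share=0.02):
    """Percentage of bots per country, largest first.

    Countries below min_share (2% by default) and unresolved addresses are
    folded into 'Other', which is why such tables end with a large
    'Other' bucket. Percentages are rounded to whole numbers.
    """
    counts = Counter(lookup_country(ip, geo) for ip in ips)
    total = sum(counts.values())
    dist = {}
    other = 0
    for country, n in counts.items():
        share = n / total
        if country == "Other" or share < min_share:
            other += n
        else:
            dist[country] = round(100 * share)
    if other:
        dist["Other"] = round(100 * other / total)
    return dict(sorted(dist.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    bots = parse_bot_ips(SAMPLE_LOG)
    print(f"{len(bots)} distinct bots in log")
    for country, pct in country_distribution(bots).items():
        print(f"{country}: {pct}%")
```

On the constructed log the script reports 7 distinct bots (the duplicate check-in lines collapse to one host and the malformed line is dropped), with 29% each for US, UK and CA and 14% in "Other" for the address no prefix covers. De-duplicating before counting matters in practice: a log that records every beacon overstates the botnet size by the number of check-ins per host.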

In conclusion, we notice that the volume of infected computers that we identify around the world keeps growing year by year.

Posted by MCRC

