Tag Archive | Botnet

Updated Details: Gozi Malware Back with More Money Stealing & Sophistication

It seems that security firm Trusteer has identified a new variant of the Gozi financial malware. This one is more sophisticated and requires your attention. The new variant infects the Master Boot Record (MBR) on your computer, the boot sector at the beginning of your hard drive that tells your computer how to boot up.

Just like TDL4, another MBR infector, this malware is hard to detect and remove. The main idea behind Gozi, though, is to wait for Internet Explorer to be launched on the victim’s machine and then inject malicious code into the process. This allows the malware to intercept web traffic and inject its own code into webpages, misleading the user and collecting financial information (as well as social security numbers, birth dates, etc.).

Some speculate other developers have taken over, since apparently the main developer as well as accomplices were arrested not long ago. Looks like the new developers have a more sophisticated twist on the whole situation.

What’s different? The MBR rootkit component. This component makes the malware more sophisticated, because removing such a threat can cause the computer to fail to boot. The main problem with trying to fix infections in the MBR is that occasionally the backup code, which is placed in a different sector, is modified so that it does not work once the infection locks in. This forces you to keep it on the machine. However, it’s more effective to use private tools to help remove it.

One of the private tools, well, sort of private, is the Kaspersky Rescue Disk. There are others available as well, including TDSSKiller, which may or may not work out correctly.

If you need further help, we would love to assist. Please comment at any time!

Kelihos Botnet Appears Again with New Variant

Kelihos has appeared again with a new variant, as many researchers have discovered. The variant enables it to remain dormant on the machine with sinkholing techniques and other rootkit-style operations. It hides domains and does many other things to conceal itself.

This is the third attempt for the Kelihos botnet. When it was shut down back in 2011 by a collaborative effort between Kaspersky Lab and Microsoft, it was found to be a P2P botnet, which made it more difficult to completely shut down all of the botnet’s operations. At least its main servers were cut off, but that didn’t stop the malware from spreading, since tons of blackhats still had the malcode on their own servers/computers.

Researchers at Deep End Research and FireEye have new samples that they have been analyzing, and after some impressive research, it was found that the Kelihos network is back on the rise.

“Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior. Besides making a call to the function SleepEx(), the code also makes a call to the undocumented API NtDelayExecution() for performing sleep,” Abhishek Singh and Ali Islam of FireEye wrote in an analysis.

Experts are trying to discover the new roots, and another takedown may be in order. This is insanity.

Symantec Teams With Microsoft to Destroy Bamital Botnet

The Bamital botnet, known for grossing about $1 million a year using fraudulent means, has been destroyed by the investigative teams of Microsoft and Symantec. With help from the feds, the two teams collaborated in the investigation of a number of data centers hosting the botnet servers. This operation, titled Operation b58, is the sixth operation in the past three years to take down botnets. It began around a year ago, when Symantec approached Microsoft with the intent to collaborate and take down this botnet.

The botnet’s most notorious methods are very typical: it delivers a fraudulent payload via search redirects. The victims were lured into a scam (social engineering), in which malware was then installed to infect the machine. Once that is done, the victim goes about their normal activities, including searching, and the malware redirects those searches to scam sites selling fake (or legitimate but modified) software or services, attempting to steal credit card data.

Over the last two years of its continual attack on internet users, the botnet totaled approximately 8 million computers and stole/raked in around $1 million USD. Right now, it’s estimated that anywhere from 300,000 to 1 million computers are still infected with the botnet.

During the takedown operation, Microsoft’s crew put together a lawsuit against the botnet operators to pull the plug on the zombie network. Yesterday, February 6, after the request was granted by the court, Microsoft was escorted by the US Marshals Service to every facility in Virginia and New Jersey to seize servers.

According to Richard Boscovich, assistant general counsel with Microsoft’s Digital Crimes Unit, the operators of the Virginia data center were persuaded to take down the server at the parent facility in the Netherlands.

About 18 cybercriminals are involved, scattered all around the world from the US, to the UK, to Australia, and even Romania.

Cleaning Up

Microsoft and Symantec seek to help users who are infected. The search redirect and querying system run by the rogue servers will be broken, and therefore the search function on victim computers will be broken, too. There will be removal tools to help with this, as well as the ability to repair the broken functions.

It is certain this will make it a lot harder for the cybercriminals behind Bamital to restart their servers, as Microsoft, and possibly others like the feds and Symantec, have the servers in their custody.


Advanced analysis: Uncovering the Trojan Prinimalka Botnet Malware

A Gozi-looking variant, Trojan Prinimalka, has been identified in the issues related to Project Blitzkrieg this fall. It’s unclear if the botherders are part of Project Blitzkrieg; however, it most certainly looks like them. This botnet issue is described as a “war on banks” and that “banks are not ready”.

What’s more, with the attacks on banks, from HSBC a few weeks ago to JPMorganChase over a month ago, it is unclear if the botnet was used to carry out these attacks. Security researchers at top research firms are unsure of the conditions of the attacks, and have made many attempts to get some data to help investigate all of this.

Described here are some of the details of the malware used in this botnet: Trj.Prin, as seCURE Connexion labels it, or by its main names, Gozi-Prinimalka or just Trojan.Prinimalka.

Confused yet? Trojan.Prinimalka is a banking trojan used for a botnet, which is then used as a means to DDoS a banking website/server.

Two distinct variants used: “gov” and “nah”

Generalities of both variants

  • Mutex: sdfsdfsdfsdfsfsdfsdfsdfsdfsdf
  • Configuration values for the botnet are automatically added by the dropper to the Registry under “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion”
  • A random port is added to localhost, which allows the type 2 proxy SCKS command to function, and it binds itself to cmd.exe on localhost for the TELN command.
  • Makes anonymous requests to banking websites via the zombie computer (the victim’s computer).
  • It attempts to inject itself inside of normal Windows System Processes, such as services.exe, svchost.exe, SYSTEM, smss.exe, winlogon.exe, lsass.exe, csrss.exe, etc.
  • There are different bank URLs targeted also, that can be used in a bait-and-switch operation. Mainly acting like a HOSTS file, where it can change the URL and redirect the banking site, so login information or other personal information can be obtained.
  • Quick whois queries on the IP addresses identify “Ruslan Storozhenko” (Yes?) at hosting company “Tehnologii Budushego LLC”. This comes as no surprise, since the ngrBot was hosted at Tehnologii Budushego LLC. Not saying the hosting company is bad; however, the company should be on the lookout for fraudulent activity.
  • The IP address is related to multiple password stealing and banking trojans. Project Honeypot calls the IP address part of a dictionary attacker and content spammer.


  • Below is the general configuration and commands.
  • Type 1 command example on XP system:
      GET /system/prinimalka.py/command?user_id=33520xxxxx&version_id=022201&crc=00000000 HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
      Host: 213.***.**.104
  • Dropped files:
    • %UserProfile%\govXXXX.exe (the “X”s are random lowercase letters)
    • %UserProfile%\govtemp1.exe
    • %UserProfile%\govold.exe
    • %UserProfile%\govcookies.txt
    • %CD%\govcookies.dat
  • To proliferate through the system, the malware first has to start with govtemp1.exe, which is the dropper/downloader. It will then attempt to update with govold.exe to make sure it has a new version. Sometimes it decides a shutdown is needed, especially if the computer cannot be used in the botnet (i.e., computer not powerful enough, too much lag, etc.); in that case it will overwrite the first four bytes of “\\.\PHYSICALDRIVE0” and then shut down the computer.
  • It maintains its presence on the machine by monitoring/reinstalling as needed, with govXXXX.exe.
  • Primary command & call address (C&C):
  • Configuration can be changed to nah as described below.


  • It has very similar features to the gov variant, except that the files are prefixed with “nah” instead of “gov”.
  • It does have a different configuration for its command (type 2 command, XP system):
      GET /system/prinimalka.py/options?user_id=33520xxxxx&version_id=022201&crc=34661b26&uptime=00:00:00:59&port=5641&ip= HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
      Host: 193.xxx.92.xxx

Overall, this banking trojan has some fairly robust actions, but nothing really new. It looks quite a bit like the Gozi trojan, and may be a competitor to some other botnets like TDL or something.
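The two check-in requests quoted above share a fixed path and parameter set, which makes them easy to hunt for in web proxy logs. The following is an added example, not code from the original post or from any vendor: the log layout (`client_ip "REQUEST LINE"`), the function names and the sample records are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter names are taken from the two requests quoted above.
BEACON_PATH = re.compile(r"^/system/prinimalka\.py/(command|options)$")
BEACON_TYPE = {"command": 1, "options": 2}   # "type 1" / "type 2" in the post
REQUIRED = ("user_id", "version_id", "crc")

def parse_beacon(request_line):
    """Return a dict describing a Prinimalka-style check-in, or None."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    match = BEACON_PATH.match(url.path)
    if not match:
        return None
    # keep_blank_values: the type 2 sample carries an empty "ip=" field
    query = {k: v[0] for k, v in
             parse_qs(url.query, keep_blank_values=True).items()}
    if any(key not in query for key in REQUIRED):
        return None
    port = query.get("port", "")
    return {
        "type": BEACON_TYPE[match.group(1)],
        "bot_id": query["user_id"],
        "version": query["version_id"],
        "crc": query["crc"],
        "uptime": query.get("uptime"),
        "listen_port": int(port) if port.isdigit() else None,
    }

def scan(log_lines):
    """Group recognised check-ins by the client that sent them."""
    hits = {}
    for line in log_lines:
        client, _, rest = line.partition(" ")
        beacon = parse_beacon(rest.strip().strip('"'))
        if beacon:
            hits.setdefault(client, []).append(beacon)
    return hits

# Constructed sample records (client addresses and user_id values are made up).
SAMPLE_LOG = [
    '10.0.0.5 "GET /system/prinimalka.py/command?user_id=3352000001&version_id=022201&crc=00000000 HTTP/1.1"',
    '10.0.0.5 "GET /system/prinimalka.py/options?user_id=3352000001&version_id=022201&crc=34661b26&uptime=00:00:00:59&port=5641&ip= HTTP/1.1"',
    '10.0.0.9 "GET /index.html?user_id=1 HTTP/1.1"',
    '10.0.0.7 "GET /system/prinimalka.py/command?user_id=1 HTTP/1.1"',
]

if __name__ == "__main__":
    for client, beacons in scan(SAMPLE_LOG).items():
        print(client, beacons)
```

The `listen_port` value from a type 2 check-in is the local port the post ties to the SCKS proxy command, so it is worth correlating with inbound connections to the same host.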



ZeroAccess/Sirefef infects up to 9 million PCs

The ZeroAccess rootkit, known to some as Sirefef, has grown its command and control servers over the past year. Now, it has spanned the globe to infect up to 9 million PCs. Its botnet started growing rapidly once it hit one million infections, and it has now multiplied that by 9.

Like the new TDL4 variant, it can create its own hidden partition, which can be problematic for PC users, especially because they normally do not know that a hidden partition exists. Tools like TDSSKiller, though, can see through its disguise. There are two botnets in total, each with a 32-bit and a 64-bit version (totaling 4 botnets), and they are usually distributed by exploits.

Fast facts:

The latest versions seem to have no kernel mode components, and therefore they do not infect drivers as earlier versions did. Instead, they use usermode components and drop their own GUID (CLSID) in the following locations:

  • c:\windows\installer\{GUID STRING}
  • c:\users\<user>\AppData\Local\{GUID STRING}
  • C:\Windows\System32\config\systemprofile\AppData\Local\{GUID STRING}

It also parks its own infections in these locations:

  • C:\Windows\assembly\GAC\Desktop.ini
  • If on x64: c:\windows\assembly\GAC_32\Desktop.ini AND c:\windows\assembly\GAC_64\Desktop.ini
  • Infects c:\windows\system32\services.exe

For the ports that it uses for each version of the botnet:

  1. Port numbers 16464 and 16465 are used by one botnet for both 32 and 64 bit platforms.
  2. Port numbers 16470 and 16471 are used by the other botnet for both platforms.

It commits two types of fraudulent activity:

  1. Click fraud
  2. Bitcoin mining
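The drop locations and port pairs listed above can be combined into a simple host triage. This is an added example, not part of the original post: the input shapes, the botnet labels "A" and "B", the verdict names and all sample data are constructed for illustration.

```python
import re

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
# Locations from the lists above; "<user>" becomes one path component.
PATH_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^c:\\windows\\installer\\" + GUID + r"(\\|$)",
    r"^c:\\users\\[^\\]+\\appdata\\local\\" + GUID + r"(\\|$)",
    r"^c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\"
    + GUID + r"(\\|$)",
    r"^c:\\windows\\assembly\\gac(_32|_64)?\\desktop\.ini$",
)]
# services.exe is listed as infected too, but it exists on every clean
# system, so its path alone is not an indicator and is not matched here.
PORT_GROUPS = {16464: "A", 16465: "A", 16470: "B", 16471: "B"}

def path_hit(path):
    return any(p.search(path) for p in PATH_PATTERNS)

def triage(host_files, flows):
    """host_files: {host: [paths]}; flows: [(host, dst_port)].
    Returns {host: {"paths": [...], "botnets": [...], "verdict": str}}."""
    report = {}
    for host, paths in host_files.items():
        hits = [p for p in paths if path_hit(p)]
        if hits:
            report[host] = {"paths": hits, "botnets": set()}
    for host, port in flows:
        if port in PORT_GROUPS:
            entry = report.setdefault(host, {"paths": [], "botnets": set()})
            entry["botnets"].add(PORT_GROUPS[port])
    for entry in report.values():
        entry["botnets"] = sorted(entry["botnets"])
        # GUID folders under Windows\Installer also belong to legitimate MSI
        # packages, so one kind of evidence alone only warrants a review.
        both = bool(entry["paths"]) and bool(entry["botnets"])
        entry["verdict"] = "likely" if both else "review"
    return report

# Constructed sample data (host names, GUID and flows are made up).
G = "{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}"
HOST_FILES = {
    "ws-01": ["C:\\Users\\alice\\AppData\\Local\\" + G,
              "C:\\Users\\alice\\Documents\\report.docx"],
    "ws-02": ["C:\\Windows\\Installer\\" + G],
    "ws-03": ["C:\\Windows\\assembly\\GAC\\Desktop.ini"],
}
FLOWS = [("ws-01", 16464), ("ws-01", 443), ("ws-03", 16471), ("ws-04", 16470)]

if __name__ == "__main__":
    for host, entry in sorted(triage(HOST_FILES, FLOWS).items()):
        print(host, entry)
```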

