Nitol DDoS botnet discovered in China

The botnet is used for GenericFlood, HTTPFlood, and RawDataFlood DDoS attacks, according to a McAfee researcher

The Nitol trojan installed on infected computers is written in Visual C++, and its code contains many bugs, suggesting it was written by an untrained programmer, McAfee researcher Itai Liba explained in a blog post. The samples Liba and other McAfee researchers examined were not packed and were easy to reverse engineer. The botnet itself is relatively small and not widely known.

“Nitol copies itself to a random filename ******.exe (where every * is a randomized alphabet character) in the Program Files directory. The new file is registered as a service, ‘MSUpdqteeee,’ with the display name ‘Microsoft Windows Uqdatehwh Service,’” Liba explained.
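The persistence details in that quote are enough to build a simple host check. The following Python is an added example for this article, not code from McAfee or from the Nitol analysis: it takes a CSV export of Windows services (the column layout mimics `Get-CimInstance Win32_Service | Select-Object Name,DisplayName,PathName | ConvertTo-Csv`) and flags records that match the exact service and display names given above, a six-letter random .exe sitting directly in Program Files, or a service that claims to be a Microsoft Windows component while running outside the Windows directory. The six-letter length and "directly in Program Files" reading of `******.exe`, the outside-Windows-directory heuristic, and the sample rows (including the filename `kqzpwm.exe`) are assumptions constructed for the example.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Indicators taken from the McAfee description quoted in the article.
NITOL_SERVICE_NAME = "MSUpdqteeee"
NITOL_DISPLAY_NAME = "Microsoft Windows Uqdatehwh Service"

# Structural pattern read from the same description: six random letters plus
# .exe dropped directly into Program Files. The exact length (six) and
# "directly in Program Files, not in a subfolder" are assumptions taken from
# the ******.exe wording, so treat a hit as a lead, not proof.
RANDOM_EXE_IN_PROGRAM_FILES = re.compile(
    r'^"?[A-Za-z]:\\Program Files(?: \(x86\))?\\[A-Za-z]{6}\.exe"?(?:\s|$)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    name: str
    display_name: str
    path_name: str
    reasons: list = field(default_factory=list)


def check_service(name: str, display_name: str, path_name: str) -> list:
    """Return the reasons a service record looks like Nitol (empty list if clean)."""
    reasons = []
    if name == NITOL_SERVICE_NAME:
        reasons.append("service name matches the Nitol indicator")
    if display_name == NITOL_DISPLAY_NAME:
        reasons.append("display name matches the Nitol indicator")
    if RANDOM_EXE_IN_PROGRAM_FILES.match(path_name):
        reasons.append("six-letter random .exe dropped directly in Program Files")
    # Generic heuristic (an assumption of this example, not from the article):
    # a service whose display name claims to be a Microsoft Windows component
    # but whose binary lives outside the Windows directory deserves a look.
    if "microsoft windows" in display_name.lower() and "\\windows\\" not in path_name.lower():
        reasons.append("claims to be a Microsoft Windows service but runs outside the Windows directory")
    return reasons


def scan_services_csv(csv_text: str) -> list:
    """Scan a CSV export with Name, DisplayName and PathName columns."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = check_service(row["Name"], row["DisplayName"], row["PathName"])
        if reasons:
            findings.append(Finding(row["Name"], row["DisplayName"], row["PathName"], reasons))
    return findings


# Constructed sample export. Three benign rows plus one row built from the
# names in the article; the random filename "kqzpwm" is invented for the example.
SAMPLE_SERVICES_CSV = r'''"Name","DisplayName","PathName"
"wuauserv","Windows Update","C:\Windows\system32\svchost.exe -k netsvcs"
"Spooler","Print Spooler","C:\Windows\System32\spoolsv.exe"
"ExampleSvc","Example Vendor Updater","""C:\Program Files\Example\updater.exe"" /svc"
"MSUpdqteeee","Microsoft Windows Uqdatehwh Service","C:\Program Files\kqzpwm.exe"
'''

if __name__ == "__main__":
    for finding in scan_services_csv(SAMPLE_SERVICES_CSV):
        print(f"{finding.name} ({finding.display_name}) -> {finding.path_name}")
        for reason in finding.reasons:
            print("   -", reason)
```

Against the sample export only the Nitol row is reported, on all four checks; the legitimate vendor updater in a Program Files subfolder is left alone because the pattern requires the binary to sit directly under Program Files. Since the malware picks the filename at random, the exact-name indicators will catch this particular build while the two structural checks are what survive a rename.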

Once installed, the malware connects to the botnet’s command-and-control server over a TCP socket and sends performance information about the victim’s machine.

“It appears this information is used mainly to get an estimation of the botnet’s power and diversity. The data can be used to decide what type of DDoS tasks to give this specific bot,” Liba wrote.

The botnet is used for GenericFlood, HTTPFlood, and RawDataFlood DDoS attacks, he noted.
