News

New Botnets on the Prowl

16 January 2009

Two new botnets have emerged in the past few weeks, and at least one shows signs of being an upgrade to a previous botnet that wreaked havoc in the wild.

Waledac is a piece of malware that spreads via email. Over Christmas, it distributed itself as a fake greeting card, using a similar technique to the largely defunct Storm worm. According to F-Secure, the bot writes an entry to the Windows registry, and then scours all the files that it can in the infected system looking for email addresses. It then uses these mails to spread itself to other systems using the same technique.

Waledac also harvests password information from the infected system, and then sends it to a random IP address from a hard coded list. In keeping with many other modern malware instances, it is also capable of being remotely updated from a control server.

An analyst at the Shadowserver Foundation found that clicking on the link embedded in the email directs the user to a website that tries to install an executable file and run malicious JavaScript. Shadowserver found that the domains used were part of a fast flux network.

Aside from the Christmas card lure, Shadowserver notes some similarities between Waledac and Storm. Both of them use fast flux networks, along with several main servers per domain. The use of drive-by JavaScript exploits is also common to both pieces of malware. "There is also a ton of differences which we are not going to list," said the organization. "We can't say for sure that they are related, but we do acknowledge a number of interesting similarities."
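The fast flux behaviour Shadowserver describes (one domain answering with many short-lived IP addresses spread across different networks) can be spotted in passive DNS data. The following is an added example, not code from the article, Shadowserver or F-Secure; the DNS records are constructed, and the thresholds and the use of /24 prefixes as a stand-in for network diversity are assumptions.

```python
"""Fast-flux heuristic over constructed passive-DNS records (added example)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS observations: (timestamp, domain, answer_ip, ttl_seconds).
# card.example churns through many hosts in several /24s with 60 s TTLs;
# static.example stays on one or two hosts with a one-day TTL.
SAMPLE_RECORDS = [
    (0,    "card.example",   "198.51.100.10",  60),
    (60,   "card.example",   "203.0.113.25",   60),
    (120,  "card.example",   "192.0.2.77",     60),
    (180,  "card.example",   "198.51.100.200", 60),
    (240,  "card.example",   "203.0.113.99",   60),
    (300,  "card.example",   "192.0.2.8",      60),
    (0,    "static.example", "192.0.2.50",     86400),
    (3600, "static.example", "192.0.2.50",     86400),
    (7200, "static.example", "192.0.2.51",     86400),
]


def summarize(records):
    """Collect distinct answer IPs, distinct /24 prefixes and TTLs per domain."""
    by_domain = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for _ts, domain, ip, ttl in records:
        entry = by_domain[domain]
        entry["ips"].add(ip)
        # /24 is a cheap proxy for "different network"; ASN lookup is better in practice.
        entry["nets"].add(str(ip_network(f"{ip}/24", strict=False)))
        entry["ttls"].append(ttl)
    return by_domain


def is_fast_flux(summary, max_ttl=300, min_ips=5, min_nets=3):
    """Flag a domain whose answers are short-lived, numerous and spread across networks.

    Thresholds are assumptions for illustration; tune them to local baselines.
    """
    avg_ttl = sum(summary["ttls"]) / len(summary["ttls"])
    return (avg_ttl <= max_ttl
            and len(summary["ips"]) >= min_ips
            and len(summary["nets"]) >= min_nets)


def flag_domains(records, **thresholds):
    """Return {domain: True/False} for every domain seen in the records."""
    return {d: is_fast_flux(s, **thresholds) for d, s in summarize(records).items()}


if __name__ == "__main__":
    for domain, flagged in flag_domains(SAMPLE_RECORDS).items():
        print(f"{domain}: {'FAST-FLUX SUSPECT' if flagged else 'ok'}")
```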

Xarvester, the other piece of malware, is now the third largest source of spam according to security firm Marshal. The company is heralding this worm as the new Srizbi, because of similarities in the code and techniques used by the two. In a blog post, Marshal said that both Xarvester and Srizbi used HTTP over nonstandard ports for command and control purposes, along with encrypted template files for spamming instructions. It also noticed similarities between the configuration files used by the two worms, and, perhaps most telling of all, both of them communicate with servers known to be in the McColo network. McColo is an ISP alleged to be the source of large amounts of spam, which had its Internet access removed late last year after complaints by investigators.

"Our samples of Xarvester and Srizbi have McColo IP addresses hard coded in them," said Marshal. "Srizbi used these as control servers and Xarvester to upload the mini dump file."

Both pieces of malware used a mini dump file that would be produced in the event of a software crash, presumably enabling their developers to further tweak the quality of the code.
