The White Lotus DDoS botnet analysed

The family – the White Lotus botnet series – can be mistaken for BlackEnergy v2, but, says security researcher Jose Nazario of Arbor Networks, White Lotus is not modular in the way BlackEnergy v2 is.

"White Lotus doesn't appear to be modular, but uses some of the same grammar as BEv2, which is what got me looking at it. White Lotus also doesn't use encryption", said Nazario.

The bot, he explained, usually installs itself as a 60KB Windows EXE as:

C:\WINDOWS\system32\windef.exe

And to ensure the bot runs at startup, it creates a registry key called windef.exe in at least two areas.

According to Arbor Networks, White Lotus can manage downloads and also launch DDoS attacks.

Static analysis reveals that the bot is a UPX-packed Microsoft Visual Basic binary that drops another binary that has a 'Caesar shift' of 13 positions applied to it.
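As an added illustration of the unpacking step described above (not code from Arbor Networks or from the article), the following Python tries the two common readings of a "Caesar shift of 13" on a dropped file, a byte-wise rotation and a letters-only ROT13, and keeps whichever candidate decodes to a well-formed PE header; the sample input is a constructed minimal PE-shaped buffer, not a real White Lotus dropper.

```python
"""Recover a dropped binary obfuscated with a 13-position Caesar shift.
Added example; the shift variant and the sample input are assumptions."""
import codecs
import struct

MZ_SIG = b"MZ"
PE_SIG = b"PE\0\0"


def byte_shift(data: bytes, shift: int) -> bytes:
    """Rotate every byte by `shift` positions modulo 256."""
    return bytes((b + shift) % 256 for b in data)


def alpha_rot13(data: bytes) -> bytes:
    """Letters-only ROT13 (non-letters untouched), applied to raw bytes."""
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != MZ_SIG:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def recover_dropped_binary(blob: bytes):
    """Return (method_name, decoded_bytes) for the first candidate that is a PE, else None."""
    candidates = {
        "byte shift -13": lambda d: byte_shift(d, -13),
        "byte shift +13": lambda d: byte_shift(d, 13),
        "alpha ROT13": alpha_rot13,
    }
    for name, fn in candidates.items():
        decoded = fn(blob)
        if looks_like_pe(decoded):
            return name, decoded
    return None


def make_fake_pe() -> bytes:
    """Constructed minimal PE-shaped buffer: MZ header, e_lfanew = 0x40, PE signature."""
    header = bytearray(0x40)
    header[:2] = MZ_SIG
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIG + b"\0" * 20


if __name__ == "__main__":
    dropped = byte_shift(make_fake_pe(), 13)   # constructed: obfuscate with +13
    print(recover_dropped_binary(dropped)[0])  # byte shift -13
```

On a real sample, checking the header is only the first sanity test; the recovered file should still be compared against the size and section layout of the dropper before any further analysis.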

In his security blog posting, Nazario says that, once the analysis is complete, it can be seen that the bot also supports SOCKS5 proxy features.

"Other than that it's a standard HTTP DDoS bot. It appears to be in limited distribution with only a handful of samples and a handful of new servers", he said.