Symantec researcher spots C&C botnet toolkit in the wild

According to Andrea Lelli, a security researcher with the IT security vendor's Ireland-based operation, the toolkit is a command-and-control (C&C) botnet engine that is flagged up as Trojan.Karagany by Symantec's software.

Lelli says that the malware generated by the toolkit is already circulating in the wild.

The engine itself is said to come in a pack that contains both a builder for producing the bot executable and a web interface through which the operator controls all of their bots by sending them commands across the internet.

The security researcher says that the pack – now into version 0.3 – is relatively new and seems to have originated from Russia.

The first edition of the toolkit, he says, was discovered last month and is designed to be modular and load plugins.

Lelli reports that the $550 toolkit has some nice features, although it is not as advanced as other packs, like Zeusbot for example.

Despite the relatively hefty price tag of the kit, the researcher says that this price covers only the backdoor itself plus a web interface, and not the builder.

"Every update to the backdoor configuration (e.g. a new url to be used for the C&C server) would require an additional cost of $30", he said in his security blog, adding that, unfortunately, the 'no honour amongst thieves' rule spares no one, and this pack is already being leaked in various forums, allowing anyone to use it for free.

Interestingly, Lelli reports that users can specify their own C&C server and communication port, and the toolkit will then create a customised backdoor.

The C&C server, he says, has a classic implementation in PHP and SQL, with two main components: the gate, which is the page being periodically requested by the backdoor listening for new commands; and the stats page, which is the administrator's page, where hackers can log in and control their bots, as well as distribute new commands.

The backdoor, meanwhile, he notes, offers very simple functionality, mainly to load other components.
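The gate page described above is polled by the backdoor at a fixed cadence, which is exactly the pattern a defender can look for in web proxy logs. The following script is an added example, not code from the article or from Symantec: it runs over a few constructed proxy log lines (hypothetical host `example.invalid`, hypothetical path `/gate.php`) and flags any client that requests the same path repeatedly at near-constant intervals.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the article): "<ISO time> <client> <method> <url>".
SAMPLE_LOG = """\
2010-05-10T10:00:00 10.0.0.5 GET http://example.invalid/gate.php
2010-05-10T10:00:03 10.0.0.5 GET http://example.invalid/news.html
2010-05-10T10:05:00 10.0.0.5 GET http://example.invalid/gate.php
2010-05-10T10:07:12 10.0.0.9 GET http://example.invalid/index.php
2010-05-10T10:10:01 10.0.0.5 GET http://example.invalid/gate.php
2010-05-10T10:15:00 10.0.0.5 GET http://example.invalid/gate.php
2010-05-10T10:20:00 10.0.0.5 GET http://example.invalid/gate.php
"""


def parse_proxy_log(text):
    """Yield (timestamp, client, url_path) from the constructed log format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        yield datetime.fromisoformat(ts), client, urlsplit(url).path


def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(client, path): mean_interval_seconds} for every client/path pair
    requested at least min_hits times whose inter-request gaps have a
    coefficient of variation (stdev / mean) no larger than max_jitter."""
    hits = defaultdict(list)
    for ts, client, path in parse_proxy_log(text):
        hits[(client, path)].append(ts)

    beacons = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        # A regular poll has small spread around its mean interval.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (client, path), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {path} every ~{interval:.0f}s")
```

Legitimate software (update checkers, mail clients) also polls on a schedule, so a hit is a triage lead to be paired with reputation or content checks, not a verdict on its own.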

"It has some common tricks to hide itself in the infected machine, in order to make it more difficult for a user to notice its presence", he said, adding that the authors of the pack also advertise that future versions of the bot will be upgraded to contain new features such as DDoS, keylogging, and support for SOCKS5 and FTP.

Despite the toolkit's sophistication in some areas, the Symantec researcher notes that the bot itself can crash the 'explorer.exe' process due to a bug in the communication with the C&C server.

If the communication fails or gets unexpected data, the backdoor code may incorrectly handle the communication data and end up repeatedly crashing the 'explorer.exe' process, rendering the machine unusable.

"This backdoor is not very widespread yet, but it has the potential to evolve into a more dangerous threat in the future; as always, we recommend the users to update their software and security products, and to use common sense in order to avoid malware", he said.
