Two new botnets discovered by ESET and Kaspersky Lab

The Kaspersky discovery is a fileless bot. These are particularly difficult to analyze because they do not store malware on the victim’s computer – instead, they inject the malware directly into memory. When the computer powers down, the infection is ‘destroyed’. Its strength is that it becomes difficult to locate; its weakness is that it requires constant re-infection.

The botnet discovered by Kaspersky achieved that re-infection by first compromising an Adfox news teaser system. Russian media sites using the system were covertly directed to a malicious website containing a Java exploit, which if successful injected malware into the victims’ computer memory – typically the Lurk banking trojan. The nature of the relationship between media sites and news servers made it likely that victims would frequently return and frequently get re-infected.

“This attack targeted Russian users,” noted Kaspersky in a blog report. “However, we cannot rule out that the same exploit and the same fileless bot will be used against people in other parts of the world: they can be distributed via similar banner or teaser networks in other countries. It is likely that other malware, not just Trojan-Spy.Win32.Lurk will be used in the process.”

The ESET discovery, named Win32/Georbot, is centered in Georgia (initially targeting only the UTC+3 or UTC+4 time zones), and involved a compromised Georgian government server (ESET is quick to note that the government is not involved and has been actively co-operating in the research). The bot has been around since at least September 2010, with the latest version, 5.5, released in February 2012.

Clues within ESET’s research point to the purpose of this bot. For example, the command set within the bot is activated manually by the bot owner, and instructions are sent to each host individually rather than being broadcast to all infected hosts. This is a highly targeted bot. The commands include traditional bot operations, such as launching a DDoS attack and stealing browser passwords and history; but it also has a number of commands allowing detailed file searching both of folders and Word document content, and the ability to capture audio and video from the microphone and webcam. Clearly, as ESET says in its own analysis, Win32/Georbot “was created to gather information from infected hosts,” and “the fact that it uses a Georgian website to update its command and control information, and that it probably used the same website to spread, suggests that people in Georgia might be a primary target.”

But why? Not only are the people of Georgia likely to be the prime target, it is possible that they are the only target. While the Carberp botnet seems to have been developed and first tested in Russia, it is now spreading outwards around the rest of the world. But Georbot is not following a similar pattern. “We do not think this is an exercise since we were able to find variants of the bot dating back to 2010,” ESET’s security intelligence program manager Pierre-Marc Bureau told Infosecurity. “This seems too long for a test period.” But ESET similarly doubts the next most obvious conclusion. The level of sophistication in this bot is low. “We think that if this operation were sponsored by a state, it would be more professional and stealthy.”

“The most likely hypothesis,” suggests ESET, “is that Win32/Georbot was created by a group of cyber criminals trying to find sensitive information in order to sell it to other organizations.” Unless, of course, it’s a double bluff...
