Hackers Using Trojan-laced Fake Windows 7 OS to Build a Botnet
Researchers at Damballa, an online security company, warn that a counterfeit edition of the 'Windows 7 operating system RC (release candidate)', which has been circulating in the wild for a long time, is now being used to build a botnet.
The Trojan embedded in the fake OS controlled around 27,000 bot-infected PCs as of May 10, 2009, the date on which researchers took control of the C&C (command-and-control) server that had been issuing instructions to the bots.
Tripp Cox, Vice-President of Engineering at Damballa, states that at the peak of the botnet's growth the bot-herder was recruiting over 200 systems every hour, as reported by DarkReading on May 12, 2009. The compromised users had initially downloaded the counterfeit OS from popular bootleg software websites and online forums, Cox said.
In addition, the Trojan embedded in the counterfeit OS is designed to download further malware onto the compromised systems under a "pay-per-install" arrangement. The ring behind the software piracy earns revenue from online criminal gangs who pay them to plant the extra malicious programs, said the security company.
Cox says that the counterfeit software first serves as a social lure, and the download of additional malware follows.
He further said the company is still observing around 1,600 new installs of malicious programs daily, spread across a wide geographic area. Since the company's takedown, however, the bot-herder has not been able to reach any fresh installs of the counterfeit Windows 7 RC, although the earlier installs remain accessible. According to Cox, the countries with the highest rate of installs are the US (10%), Italy (7%) and the Netherlands (7%).
Meanwhile, Damballa claims that traditional signature-based anti-malware will not detect the Trojan tucked inside the counterfeit Microsoft Windows 7 edition; users therefore need to adopt more advanced security software.
In a similar instance of botnet-building with counterfeit software, Damballa experts said, bot-herders in 2008 tried to assemble a Mac botnet from machines running pirated editions of iWork '09 and Adobe Photoshop CS4 for Mac.
SPAMfighter News - 22-05-2009