Arbor Networks Spotted a New Botnet Group
Arbor Networks, a security firm, recently released research highlighting the arrival of a completely new family of botnets on the hacker scene.
Notably, hackers and other cyber-criminals employ botnets for distributing spam, capturing passwords and launching Distributed Denial-of-Service (DDoS) attacks that inundate victims' servers with unwanted traffic. Often these botnets, i.e., armies of zombie PCs, are hired out as a form of criminal Software-as-a-Service (SaaS) to intermediaries, who are commonly recruited via Internet discussion boards.
The report reveals that "White Lotus", the new bot network, does not seem to be modular; however, the command grammar it uses is similar to that of BlackEnergy v2. To explain, BEv2 (BlackEnergy 2) relies on modern rootkit and process-injection techniques and uses strong encryption along with a modular design. While the earlier BE kit had only a basic Trojan that concealed the malware's process and executable file, the second version of BE is far more advanced.
However, according to Jose Nazario, Security Researcher at Arbor Networks, White Lotus does not make use of encryption, as reported by Infosecurity.com on April 9, 2010. Nazario explains that the malicious network normally delivers its bot as a Windows .exe file.
Further, according to the security firm, White Lotus can launch DDoS assaults as well as handle downloads. Analysis of its bot shows that it is a Microsoft Visual Basic binary packed with the Ultimate Packer for eXecutables (UPX), which drops another binary containing a 13-position "Caesar shift."
Nazario writes in his blog post that once the analysis is complete, it should become clear that White Lotus also supports proxy functionality.
He states that, apart from being typical Hypertext Transfer Protocol (HTTP) DDoS malware, White Lotus appears to be distributed on a limited scale, with only a few new servers and samples observed.
Finally, White Lotus is not the only botnet that Arbor Networks has detected recently. During the first week of April, the company also detected TT-Bot, which is likewise HTTP DDoS malware with seemingly limited use.
SPAMfighter News - 22-04-2010