Dr. Web Grabs Control of Backdoor Botnet from Cybercriminals
Russian security firm Doctor Web has managed to take control of a botnet nicknamed BackDoor.Bulknet.739. At its peak the botnet had the potential to infect more than 100 computers per hour.
The Trojan, according to Dr. Web, facilitates the sending of huge amounts of junk email from infected machines. Dr. Web's researchers first analyzed the Trojan in October 2012. They found that the malware was being used to join machines to the botnet and thereby allow criminals to send spam.
When the malicious code is executed on a hijacked machine, a downloader is fetched, and then another program, detected by Dr. Web as BackDoor.Bulknet.739, downloads BackDoor.Bulknet.847. The program uses its hardcoded, encrypted list of domain names to obtain an address from which to download the module used for spamming.
In return, the Trojan receives the site's web page and parses the HyperText Markup Language (HTML) code for the image tag. The encrypted code of the main BackDoor.Bulknet.739 module is embedded within the image tag pair. The module is designed to send huge quantities of junk e-mails.
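A defender-side check for the delivery method described above, added here as an example (it is not Dr. Web's code and not part of the original article). It relies on `<img>` being a void element in HTML, so any long, high-entropy text between `<img>` and `</img>` in a fetched page is anomalous; the function names, thresholds and sample pages are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# <img> is a void element in HTML: legitimate pages never put content
# between <img ...> and </img>. Capture whatever sits inside such a pair.
IMG_PAIR = re.compile(r"<img\b[^>]*>(.*?)</img\s*>", re.IGNORECASE | re.DOTALL)

def shannon_entropy(text):
    """Bits per character of the given string."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in counts.values())

def find_img_payloads(html, min_len=64, min_entropy=4.0):
    """Return (length, entropy) for each suspicious <img>...</img> body.

    min_len and min_entropy are assumed thresholds, to be tuned on real traffic.
    """
    hits = []
    for match in IMG_PAIR.finditer(html):
        body = "".join(match.group(1).split())  # drop whitespace and newlines
        if len(body) >= min_len:
            ent = shannon_entropy(body)
            if ent >= min_entropy:
                hits.append((len(body), round(ent, 2)))
    return hits

# Constructed sample pages (not taken from the botnet's real servers).
BENIGN = '<html><body><img src="/logo.png" alt="logo"><p>Welcome</p></body></html>'
_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_BLOB = "".join(_ALPHABET[(i * 37 + 11) % 64] for i in range(256))
SUSPICIOUS = "<html><body><img>" + _BLOB + "</img></body></html>"

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, find_img_payloads(page))
```

The same function can be run over HTML bodies extracted from proxy logs or packet captures to shortlist pages that merit manual review.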
Interestingly, BackDoor.Bulknet.739 obtains the addresses to send spam to, the template file for outgoing messages and the configuration file from the remote server. To communicate with the intruders, BackDoor.Bulknet.739 uses a binary protocol: it can carry out a set of instructions received from them, in particular commands to update, to fetch a list of addresses to send spam to, to download new message samples, or to stop the distribution. In the case of self-denial, the Trojan can send a specially created malicious report.
Dr. Web's specialists, however, managed to take over one of the BackDoor.Bulknet.739 botnet's control servers and gather some statistics, in which the botnet's growth from 2 to 5 April 2013 can be observed.
V3.co.uk reported on April 8, 2013 that the BackDoor.Bulknet.739 botnet mainly hits machines located in France, the USA, Italy, Mexico, Turkey and Thailand, according to a Doctor Web researcher. The smallest number of hijacked hosts is found in Australia and Russia, he adds.
Dr. Web noted that Internet users running the Windows XP and Windows 7 operating systems were heavily affected by the malware, accounting for 42% and 52% of the known infections, respectively.
» SPAMfighter News - 17-04-2013