Nowadays a botnet surprises no one: they turn up all the time, and the infection behind them is easily cleaned out by an antivirus, thanks to the ham-fisted authors who cobble their malware together from whatever is lying around. But occasionally professionals start writing malware, and then the damage becomes colossal and the war against it drags on and gets interesting. In this article I will break down such stories, some of which are not over yet.
It is unrealistic to cover even the most interesting epidemics in a single article, so I have selected only eight of the most representative cases. Even these cannot be described in full detail, so I warn you right away that some details may be omitted, intentionally or not. Keep in mind that the situation around still-active Trojans may well have changed since this article was published.
- Brief description: banking Trojan
- Years of life: 2007 – present
- Number of infections: more than 13 million
- Distribution method: exploit pack
- Spread: 196 countries
- Damage: over $ 120 million
Our hit parade opens with Zeus, though not the one who sits on Olympus among the gods. This banking Trojan is so widespread that it became the number one most wanted botnet in America. By the estimate of armchair analysts, it was used in 90% of all banking fraud cases in the world.
At first, several hundred scattered botnets were built on the basis of ZeuS and controlled by various gangs of cybercriminals. The author or authors of the bot simply sold the builder to anyone and everyone, and the buyers made their own botnets out of it.
Everyone distributed the bot as best they could; for example, in 2009 one of the groups carried out a large-scale Zeus mailing through the Pushdo spam botnet. Damballa estimated that 3.6 million PCs were infected in the United States alone. In total, more than 13 million computers have been infected since the inception of Zeus.
The developer of Zeus was originally known under the nicknames Slavik and Monstr, and it was he who independently sold and supported the bot in 2007-2010. This continued until version 2.0, when in October 2010 Slavik handed over the raw version 2.0 to the developer of the SpyEye Trojan and, according to legend, stopped development. But, according to RSA, the original author did not go anywhere, and the transfer of the code was a distraction.
In August 2010, that is, two months before the official announcement that work on Zeus was ending, specialists discovered a botnet built on Zeus version 2.1, which at that time was not on sale on any underground forum. From this we can conclude that the author simply changed his business model and decided to run his own botnet rather than sell the bot builder to everyone.
One of the main features of Zeus 2.1 is a changed scheme for communicating with the control servers: server addresses were now generated using a DGA (Domain Generation Algorithm). To protect against interception, the signature of the file downloaded during an update was verified (an RSA-1024 signature was used).
Some researchers also count among this version's innovations the September appearance of the ZeuS-in-the-Mobile (ZitMo) build for Android, Windows Mobile, BlackBerry and even Symbian. The newly minted Trojan worked in conjunction with the "regular" desktop version of Zeus and made it possible to bypass the 2FA of online banking. According to Check Point Software and Versafe, by the end of 2012 a ZitMo build called Eurograbber had brought its owners a profit of about 36 million euros (about 47 million dollars at the time).
Either someone got greedy or someone leaked the Zeus sources on the side, but the fact remains: the source code of a nearly current version of Zeus hit the dark web in February 2011. And then either there were no buyers, or the seller was hacked: in May the source code was published. This event was, I think, the most significant one for the hacking world in 2011.
The HVNC module (H stands for Hidden) deserves a separate mention. It is an implementation of a VNC server, but one that interacts with a virtual desktop the user cannot see. Later, based on the leaked sources, the HVNC module was reworked into a separate project.
After the leak, "craftsmen" immediately appeared, hammering out their own Trojans from the Zeus sources; some of these were Zeus clones almost in their entirety, admin panel included. But there were also more worthwhile creations, for example the Citadel project. Its main feature was an online platform resembling today's GitHub. There customers could request new features, report bugs and add their own modules. In short, development became interactive and earned a lot of money for its admins. Customers were even provided with technical support, which included, for example, keeping Citadel up to date to bypass fresh antivirus protection.
In the fall of 2011, a researcher named Roman Hüssy, who was studying Zeus, noticed strange UDP traffic while analyzing one of its variants. Further analysis showed that the new Zeus variant had several IP addresses in its configuration block, and computers at these IPs responded to the infected system. Within a day, about 100 thousand unique IP addresses with which the new modification communicated were identified; most of them were located in India, Italy and the USA.
It turned out that Zeus had gained peer-to-peer update functionality based on the Kademlia protocol. Because of the script name gameover.php, this version was named GameOver.
In early 2012, another Zeus GameOver variant was discovered: it contained a built-in nginx server for interacting with other bots over HTTP. From that moment on, each bot could act as a proxy for communication with the original C&C, and protection against the distribution of "updates" by specialists on the other side of the barricades was provided by the same file signature. The GameOver version turned out to be very tenacious and is still active.
More than 74,000 hacked FTP servers, spam, fraudulent tech support scams, exploits and even social engineering on social networks were used to distribute the bot. In short, the whole gentleman's set.
Later, information appeared that the FBI, together with specialists from about a dozen countries, had identified the group behind the creation of Zeus. All of its members were put on the wanted list, including the alleged organizer, a certain Evgeny Bogachev. According to the FBI, Bogachev lives in Anapa and owns a yacht. A record $3 million in "green American rubles" is offered for his head! Since then, little has been heard about Zeus updates: the author, apparently, has gone to ground, and the search has made no progress at all. Let's wait for the news.
When I say "little has been heard about updates," I mean that the original Zeus was indeed no longer supported, but in 2015 a new and interesting modification of it appeared, called Sphinx. Its panel is not particularly different, but inside is a new Trojan, thoroughly reworked by unknown authors. Now, thanks to the coronavirus, it is especially active and is spreading through social engineering. As cover, it used a fake Kaspersky Lab signature and a home-made certificate.
Curing Zeus is very difficult: it successfully bypasses antiviruses using polymorphic encryption, infects many files and is constantly updated. The best medicine is to reinstall the infected system, but if you wish, you can try to find and clean the infected files, with no guarantee of success, of course.
- Brief description: email worm for spam and DDoS
- Years of life: 2007-2008
- Number of infections: about 2 million
- Distribution method: spam
Storm (AKA Zhelatin) was first seen in early 2007 and was sent out disguised as footage of the destruction caused by severe storms in Europe. From the very beginning the bot used social engineering in its emails, with even such "news" as the resurrection of Saddam Hussein used as bait in the subject line. But if social engineering were the only feature of the Storm botnet, it would not have made it into our collection. For its time, Storm was probably the most technologically advanced malware. It implemented a decentralized P2P control system based on the Overnet protocol (built on the eDonkey network) and server-side polymorphism.
Server-side polymorphism had previously been used only in the Stration botnet, first spotted in 2006. Subsequently there was a short and not particularly interesting war between this botnet and Storm over users' computers. At one point, however, Storm made up 8% of all malware on Windows computers.
In July 2007, at the peak of its growth, the botnet generated about 20% of all spam on the Internet, sending it from 1.4 million computers. It was engaged in promoting drugs and other medicines, both relatively legal, like Viagra, and prohibited.
At about the same time, attempts to split the botnet into several distinct subnets were noticed. Perhaps the authors wanted to sell access to the infected machines piece by piece to interested parties. One way or another, nothing came of it.
The botnet was rather brutal in protecting its resources from overly curious researchers. When it detected frequent requests from the same address to download bot updates, which antivirus companies like to do, the bots launched a DDoS attack on that address. In addition, the websites of companies that got in the way of the botnet owners' dirty work were attacked with varying success. For example, DDoS attacks briefly disrupted the operation of the Spamhaus, SURBL (Spam URI Realtime Blocklists) and URIBL (Realtime URI Blacklist) services. This was needed to stop anti-spam solutions from updating their databases and blocking the mailings.
At some point, in terms of total computing power, the PCs infected by Storm surpassed the supercomputers of the time. Imagine the power the owners of Storm had in their hands! If only they had decided to do parallel computing instead of spamming... But let's not dwell on sad things. Cryptocurrencies, which you of course thought of mining, had not yet been born from the ideas of Satoshi Nakamoto at that moment, so there was nothing to mine. A pity. In the role of a malicious miner, the botnet would look much more interesting in our selection.
It could have gone on like this, but at the end of 2008 the botnet vanished as if by magic. Kaspersky Lab believes this happened because of the closure of the Russian Business Network, a criminal bulletproof hosting company from Russia. According to another version, which seems more realistic to me, Storm was destroyed by the efforts of security researchers. At the Chaos Communication Congress (December 2008), a group of hackers showed the Stormfucker tool, which, using a bug in Storm, spread on its own through the Overnet network and cured infected computers. And Microsoft, as usual, interprets events in its own way: they believe that a Windows update helped get rid of the botnet. The experts never did agree on a single explanation.
Of course, a place in the sun does not stay empty for long, and with the death of Storm a new botnet built on the Waledac Trojan appeared. Although its code was completely different from its predecessor's, Waledac suspiciously resembled Storm in several ways: fast-flux C&C hosting, server-side polymorphism, spamming features and a P2P update mechanism. Even the spam email templates were almost identical to Storm's. Waledac advertised the same merchandise from the same vendors as Storm. A vivid demonstration of how one botnet goes quiet and is immediately replaced by a new one.
Storm seemed like a ghost until a new variant was discovered by members of the Honeynet Project in 2010. Approximately two thirds of it consisted of code from the first variant: 236 of the worm's 310 functions remained unchanged. The component responsible for peering was thrown out (apparently because of Stormfucker), and the protocol for communicating with the C&C was changed to HTTP (previously raw TCP sockets). Fortunately, Storm 2.0 was not as widespread as its older brother, possibly because the raw first version had been handed over to another development team.
It was relatively easy to notice the symptoms of infection if you monitored process start attempts. Usually the malicious processes were called gameX.exe, where X is a number. The following variants are possible:
- game0.exe: backdoor and loader in one bottle; this process launched the rest;
- game1.exe: SMTP server for sending spam;
- game2.exe: email address stealer;
- game3.exe: module for sending spam;
- game4.exe: DDoS utility;
- game5.exe: the bot update process.
The code was launched by a rootkit from %windir%\system32\wincom32.sys, which made it possible to bypass some of the protective mechanisms. Then again, rootkit code in the kernel does not care about any protection; after all, evicting something from the kernel, even knowing its internal structure, is not nearly as trivial as it seems.
The rootkit also did not hesitate to spoof antivirus programs so that the user would think the protection was working properly, even though it was not working at all.
Thus, Storm became one of the first commercial ready-to-use spam tools. Although it did not last long, it showed the way to other attackers, who began to act in a similar fashion.
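The indicators above (the gameX.exe process names with their roles, and the wincom32.sys driver) can be turned into a simple host-log check. The following is an added example, not code from the article; it assumes a constructed pipe-separated "event|host|image_path" log format rather than any real EDR or Sysmon output.

```python
import re
from typing import Dict, List

# Roles the article attributes to each Storm process name.
STORM_ROLES = {
    0: "backdoor/loader",
    1: "SMTP server",
    2: "email address stealer",
    3: "spam module",
    4: "DDoS utility",
    5: "bot updater",
}

# gameX.exe as the final path component, X being one or more digits.
PROCESS_RE = re.compile(r"(?:^|[\\/])game(\d+)\.exe$", re.IGNORECASE)
# The rootkit driver path named in the article (%windir%\system32\wincom32.sys).
ROOTKIT_RE = re.compile(r"[\\/]system32[\\/]wincom32\.sys$", re.IGNORECASE)

# Constructed sample log (assumed format: event_type|host|image_path).
SAMPLE_LOG = """\
process_start|ws01|C:\\Windows\\system32\\svchost.exe
process_start|ws01|C:\\Users\\bob\\AppData\\Local\\Temp\\game0.exe
process_start|ws01|C:\\Users\\bob\\AppData\\Local\\Temp\\game4.exe
process_start|ws02|C:\\Program Files\\Game\\game.exe
driver_load|ws01|C:\\Windows\\system32\\wincom32.sys
process_start|ws02|C:\\Windows\\system32\\notepad.exe
"""


def scan_events(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per event matching a Storm indicator."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash the scan
        event, host, path = parts
        if event == "process_start":
            match = PROCESS_RE.search(path)
            if match:
                role = STORM_ROLES.get(int(match.group(1)), "unknown Storm component")
                findings.append({"host": host, "indicator": path, "role": role})
        elif event == "driver_load" and ROOTKIT_RE.search(path):
            findings.append({"host": host, "indicator": path, "role": "Storm rootkit driver"})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_LOG):
        print(f"{f['host']}: {f['role']} <- {f['indicator']}")
```

Note that a legitimate game.exe without a digit is deliberately not flagged; the pattern is narrow on purpose, so pair it with the driver-load check rather than relying on process names alone.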