BotnetWeb – Part 2

The security industry is waiting eagerly for Finjan to release more technical details about their recent discovery of a multi-million sized botnet. I got a chance to speak with Finjan's representatives at RSA on April 23rd and asked them about this new, as yet un-named and un-identified botnet. Unluckily for me, Finjan couldn't give any more information: they are currently working with law enforcement agencies, so they are not in a position to say more right now.

This did not stop me from carrying my investigation further. I need to assess the severity of this threat myself and make sure that our customers are protected against it. As far as I'm concerned, it's not the cops or other law enforcement agencies that will protect those poor 1.9 million victims; that is the job of the security industry. The challenge in front of me was that Finjan did not disclose any clear information which could lead other security researchers to the true identity of this un-named botnet.

There were a few hints in the Finjan report which could be used to explore some hidden aspects of this botnet. The first hint was that this botnet had been seen downloading Hexzone around March 29. I have covered Hexzone in detail in a previous article, and ESET has also published a very good write-up about Hexzone. The second hint was the Joebox analysis report, which listed the additional malware components downloaded by the un-named botnet.

For a quick re-cap, here is the first GET request as mentioned in the Finjan report:

GET /ploads/eula.exe HTTP/1.1

followed by

GET /ldr/loadlist.php?version=1 HTTP/1.1

A quick look into my sandnet data identified eula.exe as Trojan.VBInject, which itself is a known generic downloader.

Here is a traffic snippet from my sandnet data:

GET /ldr/loadList.php?version=1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 09 Feb 2009 06:22:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 115
Connection: close
Content-Type: text/html

VBInject reads malware links from the HTTP response and installs them on the infected machine. These downloads are also visible in Finjan's download report. My next step was to traverse all of my sandnet data to find out how many malware samples had been seen downloading Trojan.VBInject. As expected, the results were quite interesting.

According to my limited sandnet data there were only two malware samples that ever downloaded Trojan.VBInject: one was Virus.Virut and the other was Trojan.Autoit. I have covered Virut in detail in a previous article, where I described it as one of the biggest BotnetWebs, responsible for downloading many of the other big botnets. Is Virut the 1.9 million host botnet? My guess is no. Virut has always relied on Trojan.Injector (another big malware download service) to download further components, but in this case the VBInject download link was found hard-coded into the Virut binary. That is not the behaviour of a generic downloader/botnet that fetched VBInject as the result of a botmaster command.

Here is a traffic snippet from that Virut sample while downloading Trojan.VBInject:


So we are only left with Trojan.Autoit. Trojan.Autoit is a powerful malware download service, and according to my data it has been seen downloading both Hexzone and VBInject. A perfect match, isn't it?

GET /0/x.php?hid=531e237606675012bef96b4bef939b8d&mhid=bd1de70c62b17015b639adb2d30f0f0b&version=7&name=Codec_v.1004.1.exe&os=WIN_XP&_=262604330120091 HTTP/1.1
User-Agent: AutoIt v3
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sun, 22 Mar 2009 08:17:05 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 750
Content-Type: text/html

As one can see, there are multiple instructions in the HTTP response which tell Autoit to download and install additional malware components.

The URL listed under [version] is the updated version of Autoit itself.

The URLs under [download_onconnect] are downloaded each time Autoit connects to its CnC, whereas the [download_once] URLs are downloaded only once.
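To make the check-in round trip concrete, here is an added example (my own illustration, not code from the original post and not the malware's code) that parses the two request lines shown above and then models how a client would act on a reply carrying the [version], [download_onconnect] and [download_once] sections. The hostnames, the reply body layout (INI-style section headers with one URL per line), the placeholder URLs and the rule that the [version] URL is only fetched when it differs from the one already installed are all assumptions made for the example; the VBInject reply body is not shown on this page, so only the Autoit reply is modelled.

```python
"""Model one check-in of the downloaders described above.

Added example, not code from the original post or from the malware.  The
request lines are the ones shown in the article (no Host header there);
the reply layout (INI-style sections, one URL per line), the placeholder
URLs and the "fetch [version] only when it changes" rule are assumptions.
"""
from urllib.parse import parse_qs, urlsplit

# Check-in request lines exactly as captured in the article.
VBINJECT_REQUEST = "GET /ldr/loadList.php?version=1 HTTP/1.1"
AUTOIT_REQUEST = ("GET /0/x.php?hid=531e237606675012bef96b4bef939b8d"
                  "&mhid=bd1de70c62b17015b639adb2d30f0f0b&version=7"
                  "&name=Codec_v.1004.1.exe&os=WIN_XP&_=262604330120091 HTTP/1.1")

# Constructed reply body in the [section] layout the article refers to.
# The URLs are placeholders on a reserved domain, not real drop sites.
AUTOIT_REPLY = """\
[version]
http://example.invalid/ldr/update_v8.exe
[download_onconnect]
http://example.invalid/dl/hexzone.exe
[download_once]
http://example.invalid/dl/eula.exe
http://example.invalid/dl/tdss.exe
"""


def parse_checkin(request_line):
    """Pull family, path and identifying parameters out of a request line.

    VBInject checks in at /ldr/loadlist.php?version=N (the captures show
    both loadlist and loadList, hence the case fold); Autoit checks in at
    /0/x.php with hid (host id), mhid, version, name and os parameters."""
    method, target, _proto = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    path = parts.path.lower()
    if method == "GET" and path.endswith("/ldr/loadlist.php") and "version" in params:
        family = "VBInject"
    elif method == "GET" and path.endswith("/x.php") and {"hid", "mhid", "version"}.issubset(params):
        family = "Autoit"
    else:
        family = None
    return {"family": family, "path": parts.path, "params": params}


def parse_loadlist(body):
    """Split an INI-style reply into {section: [url, ...]}; blank lines ignored."""
    sections, current = {}, None
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def plan_downloads(loadlist, state):
    """Decide what the client fetches on this connect, updating `state`.

    state = {"version": str|None, "done_once": set()}.  [download_onconnect]
    URLs are fetched every time, [download_once] URLs only the first time
    this client sees them, and the [version] URL only when it differs from
    the update already applied (assumption: the bot remembers that URL)."""
    fetch = []
    for url in loadlist.get("version", []):
        if url != state["version"]:
            fetch.append(url)
            state["version"] = url
    fetch.extend(loadlist.get("download_onconnect", []))
    for url in loadlist.get("download_once", []):
        if url not in state["done_once"]:
            fetch.append(url)
            state["done_once"].add(url)
    return fetch


def simulate(reply, connects):
    """Return the list of URLs fetched on each of `connects` successive check-ins."""
    state = {"version": None, "done_once": set()}
    loadlist = parse_loadlist(reply)
    return [plan_downloads(loadlist, state) for _ in range(connects)]


if __name__ == "__main__":
    for req in (VBINJECT_REQUEST, AUTOIT_REQUEST):
        print(parse_checkin(req))
    for i, urls in enumerate(simulate(AUTOIT_REPLY, 2), 1):
        print(f"connect {i}: {urls}")
```

The hid/mhid values extracted by parse_checkin are the natural keys for counting distinct victims in proxy logs. Note that "AutoIt v3" is also the default User-Agent of any AutoIt script that fetches a URL, so the path and parameter shape, not the agent string alone, should drive a detection.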

Is Autoit the botnet discovered by Finjan? There is only one problem: according to Finjan the botnet CnCs were located in Ukraine, whereas the Autoit sample I analyzed was talking to a CnC hosted in Malaysia:

address:      PIRADIUS NET
address:      Unit 21-3A, Level 21
address:      Plaza DNP 59, Jalan Abdullah Tahir
address:      Taman Century Garden
address:      80300 Johor Bahru, Johor
address:      Malaysia
phone:        +607 334 8605
fax-no:       +607 334 8605
country:      MY
changed:       20071003
mnt-by:       MAINT-MY-PIRADIUS
source:       APNIC

It looks as though all my efforts to track down the unknown botnet were fruitless, though I am still unsure. On the bright side, in the process I managed to explore a few new BotnetWebs and got a chance to verify the BotnetWeb concept against data from other security vendors like Finjan.

I will try to cover Autoit in detail in my next article; for the time being let's just say Autoit is a BotnetWeb downloading second-stage malware as shown below:


Updated version of Autoit itself.

A Trojan which spreads through IM-based social engineering.

These are the binaries mentioned under [download_once], so there is a good chance that these are pay-per-install malware not owned by the actual botmasters.

AVs are confused on this, so am I. Nothing can be said about it without a detailed analysis. I'll try to cover it in some future post.

A famous backdoor and downloader known as TDSS.

IRC.SDbot, a famous IRC bot.

Most AVs are calling this Trojan-Dropper.Win32.Wlord. Nothing detailed from my side right now.

No great intel from my side at this moment; most AVs are calling it a downloader.

A trojan/downloader, often seen downloading rogue AVs.

Trojan.VBInject. It's discussed in detail in the beginning of this article.

Trojan.Piptea, another powerful malware downloader.

Vundo a.k.a. Virtumonde.

A generic downloader.

The end picture is quite miserable. Autoit downloaded dozens of other malware components, including some of the most powerful malware downloaders like Virut and Trojan.VBInject, which in turn downloaded more malware components. Here I try to plot all these downloads in graphical form to make it easier to visualize.


Here is the Virut graph from my earlier post. Let's integrate it with the Autoit graph and see how the combined graph looks.
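The graph work described here and the earlier "who has been seen downloading VBInject" query over sandnet data are the same operation on a directed download graph. The following is an added example (my own illustration, not the author's tooling) that builds such a graph from downloader/downloaded pairs, merges the Virut and Autoit graphs, answers the parent query, computes everything a root ultimately pulls in, and emits Graphviz DOT for drawing. The edges are the relationships stated in this article's text; the earlier Virut post is not on this page, so the Virut graph is reduced to the two edges mentioned here (Trojan.Injector and VBInject). Family names stand in for the sample hashes a real sandnet would key on.

```python
"""Build and merge malware download graphs (the BotnetWeb picture).

Added example, not the author's tooling.  Edges are the downloader ->
downloaded relationships stated in this article; the Virut edges are only
the two this page mentions, since the earlier Virut post is not here.
Family names are used as node labels in place of sample hashes.
"""
from collections import defaultdict, deque

# (downloader, downloaded) pairs as stated in the article text
AUTOIT_EDGES = [
    ("Autoit", "Autoit"),          # [version]: updates itself
    ("Autoit", "Hexzone"),
    ("Autoit", "VBInject"),
    ("Autoit", "Virut"),
    ("Autoit", "TDSS"),
    ("Autoit", "IRC.SDbot"),
    ("Autoit", "Wlord"),
    ("Autoit", "Piptea"),
    ("Autoit", "Vundo"),
]
VIRUT_EDGES = [
    ("Virut", "Trojan.Injector"),  # the service Virut normally relies on
    ("Virut", "VBInject"),         # hard-coded link found in the sample
]


def build_graph(edges):
    """Adjacency map downloader -> set(downloaded); leaf nodes get an empty set."""
    g = defaultdict(set)
    for parent, child in edges:
        g[parent].add(child)
        g.setdefault(child, set())
    return g


def merge_graphs(*graphs):
    """Union of several graphs; a family downloaded by two parents keeps both edges."""
    merged = defaultdict(set)
    for g in graphs:
        for node, children in g.items():
            merged[node] |= children
    return merged


def downloaders_of(g, family):
    """Which families have been seen downloading `family` (the sandnet question above)."""
    return {parent for parent, children in g.items() if family in children}


def transitive_downloads(g, root):
    """Everything `root` pulls in directly or through its downloads (BFS).

    The root itself is removed from the result so a self-update edge does
    not count as a second family."""
    seen, queue = set(), deque([root])
    while queue:
        node = queue.popleft()
        for child in g.get(node, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    seen.discard(root)
    return seen


def to_dot(g, name="botnetweb"):
    """Graphviz DOT text for the graph; pipe it to `dot -Tpng` to draw it."""
    lines = [f"digraph {name} {{", "  rankdir=LR;"]
    for parent in sorted(g):
        for child in sorted(g[parent]):
            lines.append(f'  "{parent}" -> "{child}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    combined = merge_graphs(build_graph(AUTOIT_EDGES), build_graph(VIRUT_EDGES))
    print("downloads VBInject:", sorted(downloaders_of(combined, "VBInject")))
    print("reachable from Autoit:", sorted(transitive_downloads(combined, "Autoit")))
    print(to_dot(combined))
```

In practice the edge list would be generated from sandnet records keyed by sample hash, with the AV family label attached afterwards; keeping hashes as the node identity avoids merging two different binaries that happen to share a generic detection name.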


One can easily sense the level of cooperation these malware masterminds must offer each other. Maybe it's time for us in the security industry to come closer and show the same level of cooperation. As I always say, there are plenty of bad guys out there to keep us (the good guys) in business :).

Atif Mushtaq @ FireEye Malware Intelligence Lab

Questions/Comments: research SHIFT-2 fireeye DOT COM

4 thoughts on “BotnetWeb – Part 2”

  1. FYI, PIRADIUS has popped up several times in my investigations of RBN and Russkrainian cyber crime, so while it is not physically located in The Ukraine, you can bet that the post-RBN Russkrainian criminals involved in this have used PIRADIUS for several years now.
    - ferg

  2. Found these samples on a customer's notebook. The .exe appeared in temp on 12.04. and 13.04. (probably via some porn site) and are not detected by all AVs I tried.
    The 490700….dll was found at various places in ../Macromedia/Common/ like SilentBanker and was started via RUN and audio-drivers.
    The .drv was found in system32 (60kb larger than original), also not detected by all AVs I tried. The wua…dll was there as well, but is detected by some AVs.
    Could be tracks of a botnetweb-install...
    Keep up the good work!

  3. Here are some more details for readers on one of the mentioned .exe files; the filename was 21ebbf888a25337e.exe
    Submission details:
      Submission received: 29 April 2009, 05:50:59
      Processing time: 6 min 17 sec
      Submitted sample:
        File MD5: 0xB30DEC0EC2B496D772B457435F3180C6
        File SHA-1: 0x624324E5726AC51074362B5E7A0751E9B75CDD3B
        Filesize: 91,136 bytes
    The following files were created in the system:
      1. %Windir%\msacm32.drv, 89,088 bytes
         MD5: 0xA70F58DCC4EF5970F080326DE6A69749
         SHA-1: 0x2DD8EA11FEC0EAC399D264043A5C9AACF5A303B0
      2. [file and pathname of the sample #1], 91,136 bytes
         MD5: 0xB30DEC0EC2B496D772B457435F3180C6
         SHA-1: 0x624324E5726AC51074362B5E7A0751E9B75CDD3B
      3. %Windir%\wuasirvy.dll, 106 bytes
         MD5: 0xD610CE7D88980283BA5ECA0E15CA6EC9
         SHA-1: 0x4D9238D44DE7E4CA34C33FACA6A1316EF140E30F
    Rescan a few minutes ago:
      File 21ebbf888a25337e.exe received on 04.29.2009 22:55:58 (CET)
      Current status: finished
      Result: 0/40 (0%)

  4. keep up the good work guys, i can’t wait to see more of these articles.
