Blog

Harnig Botnet: a retreating army

Rustock is not the only botnet which suffered from the recent take down by Microsoft. It appears that Harnig (a.k.a Piptea), a close relative to Rustock, is retreating as well. There is no evidence that someone is trying to shutdown Harnig. It looks like a decision made solely by the bot herders. Why? I'll talk about it shortly.

Harnig is considered to be a very wide spread pay per install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system. In return for this favor, the owners of other malware families pay the bot herders a little sum, normally a few cents per machine. When it comes to pay per install networks, the type and amount of malware being dropped can't easily be determined. What matters is, who and when someone is paying the bot herders. But things between Harnig and Rustock were quite different. There has been a long term relationship between the Harnig and Rustock botnets. For the last 2 years or so, Rustock has almost always been seen being spread through Harnig. Very rarely will one see Rustock using some other infection vector or pay per install network to propagate itself.

Harnig

One can see from the above screen shot that the Rustock installation is the result of a chain reaction:

Harnig –> Downloader.DigiPog (Rustock Installer in plain text)—> Rustock Spam Engine (semi-fake Password protected 'rar' file containing Rustock Driver file).

At FireEye labs, we monitor the activities of different botnets on a 24/7 basis. Around March 17th, I found that all of the Harnig's C&Cs suddenly stopped responding, returning '404 Not Found', to their zombies. The last time I saw Harnig successfully talking to its C&Cs was Mar 17th 12:45 PM PST. At that time, I saw it downloading different malware onto the infected machine including SpyEye, Zbot, Ertfor etc. but there is no movement after that at all.

 

Harnig_1

Note: Unusually, the above list doesn't not include Rustock.

I must say that this was quite surprising for me. Apparently there was no immediate danger to the Harnig botnet. No one was really going after it but it looks like the Harnig and Rustock operators must have been very close to each other such that a hit on Rustock panicked the Harnig bot herders and they felt that they better go underground for a while. Keeping in view the timing of this sudden shutdown and Harnig's obvious relationship with Rustock, it can't be a coincidence,

That's great news. It looks like the Rustock take down unexpectedly killed two birds with one stone. We all know that the Rustock take down has decreased the volume of spam worldwide, but now Harnig's shutdown will have a significant impact on worldwide malware infection levels.

It's an open question if this is a planned move in order to buy the bad guys some time so that they can regroup. Unlike Rustock, Harnig C&Cs are not taken down.  These are probably still under the control of bot herders. It's just that the bad guys have wiped out their server components from these servers, possibly along with any other traces which they think might lead to them.

Let's see the geo locations of the Harnig Command and Control servers just before these were turned off. This graph is plotted based on data collected from FireEye MAX Network during last 30 days.

 

Geo

One can see that unlike Rustock, Harnig's C&Cs are spread all across the globe. Based on my own experience, I can say with confidence that shutting down Harnig can't be as easy as we saw in case of Rustock where almost all of the C&Cs were located within USA.  It's amazing that, in spite of the fact that most of these C&Cs are located in safe heavens, the bot herders still chose to suspend all of their malicious activities.

It will take some time to find out the real intentions behind this move but note here that the bad guys abandoning their C&C servers is not something new. It also happened when FireEye got hold of some of the Pushdo C&C that forced the bot herders to abandon all of their C&Cs world wide. That was the end of Pushdo.B variant, it has never been seen in the wild again. Another interesting story which I would like to share with you today is that right after the Pushdo.B shutdown, FireEye received an email from a guy claiming to be Pushdo bot herder. The contents of that email were quite interesting.

 

Subject: hi dudes IT'S PUSHDO OWNER

From: Dick Matrix [fireasseye@yahoo.com]

"what fuck do you want from me?
to close my botnet? why? you will leave yourself and antivirus companies without work ;-)
You want to find me? Useless. My country is loyal to botnets. And i will not ever visit USA ;-)
There are a lot of much more dangerous bots in the world then my harmless pushdo. Like fake antispyware, carders bots, worms and other shit.
Can you please tell me, what is the aim of your investigation? To waste money?"


One can see that it has never been a pleasant experience for a bot herder to see his work being destroyed. But spam has never been a pleasant experience for any of us. 

Let's come to the few important question now:

Will Rustock be able to recover its existing zombie base?

Well technically speaking it can be done easily, if one sees that on an infected machine, Rustock always exists with its beloved friend Harnig which can always drop a brand new instance of Rustock on the existing systems. It doesn't matter if all the current Rustock C&Cs are null routed and/or Microsoft has registered fallback domains for next 100 years. But practically what we are seeing is that the bot herders are so afraid that they running and not even trying to look back. I must say that's the power of the US judicial system. But things can change in the near future. There is a great chance that Harnig will soon resume its activities and this is just a temporary suspension. It will be interesting to see at that time if it drops new Rustock instances onto the infected systems or not.

Can the Rustock owners ever be prosecuted under the law?

I guess there is a very slim chance. Unless the bot herders are identified and make a mistake like Oleg Nikolaenko (master mind behind mega-d botnet) did by visiting the USA.

It is said that the best defense is a good offense. I am sure the bad guys are feeling the heat now. After recent legal actions, even if the bad guys keep on operating from the dark corners of the Internet, they will be more cautious and defensive. I hope the legacy of the Ozdok and Rustock shutdowns will be continued. Let's dream of a malware free Internet.

Atif Mushtaq