viernes, 11 de mayo de 2012

CHINA BOTNET: Jack Loader y Super Loader

At cybercrime scene there is a new class of botnets networks origin from China. This zombies networks is quite advanced and are spreading silently infecting thousands of computers, mainly from Asian users, collecting information from the infected users for long time until they are disabled.


The first of these botnets that was detected is known as JACK LOADER . Is called of this way because appears with this name at the login screen on the control panel. Malicious botnet infrastructure were hosted on the domain justnewleft.ru



The first signs of this botnet is back near the end of 2010.

About this time already had news of this threat in the security Web portal Threat Experts:

http://www.threatexpert.com/report.aspx?md5=2c663f625c64dba6ce117097aefba658

you can see the connection string of the Trojan with its control panel:

hXXp://justnewleft.ru/list.php?c=D4CC5384AF198428FA1DAB838ECB6DBCEC750C370125933A3B021A4F2B875E67437D0E137007721CA2DB5AC086C3795BEF159067CFB62273A9DD

At that time the domain were located at IP 122.224.5.167. IP belonging to the ISP Ninbo-LANZHONG-LTD of China

Once accessed at control panel that commands full botnet network most of zombie machines could be seen that the infected users were from Asian countries mostly.



Malware propagation started by visiting the infection vector :

hxxp :/ / justnewleft.ru: 888/build.sub.php ---->

That redirected user navigation to the malicious Iframe:

iframe src = "hxxp :/ / build.j-loader.com: 88 /" frameborder = "0" height = "600" width = "100%" scrolling = "auto"

From this Panel criminals could configure a battery of downloading malware on the infected machine according to the desired parameters:

Control Panel has other features of command & control over the victim's machine, such as capturing user's confidential data by using a control keylooger and Logs section (LOG VIEWER). It can also control and modify the DNS records on the infected computer to perform pharming attacks (DNS HIJACK)



Below is showed files structure of the Kit of the Control Panel of this Botnet JACK LOADER:


Subsequently, the botnet has been migrated to other sites hosted in China but keeping all the same structure of control and Infection:

Other address where it was hosted and actually inactive was:

hXXp://w.nucleardiscover.com:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3969C0DCE4CA8D5FF5F6CFDFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5FF432C

The domain nucleardiscover.com were hosted as IP 60.190.223.60 belongs to same provider LANZHONG Ninbo-LTD of China

At present this threat is active again, appearing with a new name called SUPER LOADER as observed in the control panel access screen:




This new version is located in the domain zhongmail.com hosted at IP 210.83.81.173 belonging Xiangrong-Technological provider in China.

Trojan connection vector that communicates with botnet main server and receives orders is

hXXp://zhongmail.com:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B2869F1DCE8CA835FF2F6D9DFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5FF432C&v=2&t=0.2545435

Malicious Control Panel is reachable also at URL:

hXXp :/ / 210.83.81.173:888 /

This new fraudulent server has control of all IP addresses that visits the Panel, blocking them if is detected anomalous activity.

You can get more information from the threat of page Threat experts:

http://www.threatexpert.com/report.aspx?md5=e18cfb9da7037bc641a4173575b13f16

still is possible to download the binaries that initiate infection from the actives address:

hXXp://122.224.18.20:88/ttbb.txt


hXXp://122.224.18.20:88/sbjb.txt

hXXp://122.224.18.20:88/a8.txt

hXXp://122.224.18.20:88/tn.txt

This all .Txt files are in reality malicious binaries that infect user's computer

No hay comentarios:

Publicar un comentario en la entrada

Nota: solo los miembros de este blog pueden publicar comentarios.