This appears to be one of the worst botnets known to be currently active.
Of course, this doesn't mean that other, smaller botnets don't exist, even with only a few hundred zombies. Nor does it mean that they can't be dangerous.
DDoS and phishing (see the Storm botnet, used these days to host phishing websites) are only two of the possible uses of a botnet.
We've just isolated a new, relatively small botnet. It looks like it has only been open for two days, but it's already well populated. The total is 8919 zombies, and the number is increasing every hour.
8919 zombies around the whole world aren't many compared with the Storm botnet, but they can be quite dangerous.
Let's play with some numbers: assuming a common 1 Mbit/s upload bandwidth for every zombie in the botnet (that doesn't necessarily mean all zombies have 1 Mbit/s of upload bandwidth; some could have more, some less), the owners of the botnet potentially have in their hands a 9 Gbit/s connection to use as they want.
9 Gbit/s of bandwidth can be really harmful to servers. Just to compare, Castlecops was taken down by a 1 Gbit/s DDoS attack. And even if they don't have all the zombies online at the same time, 500/600 Mbit/s can still be a nightmare for any network administrator.
The backdoor used to populate this botnet is copied to the system as win32.exe, under:
%sysdir%\drivers\win32.exe
%userprofile%\ntuser.exe
and a DLL is extracted from the dropper and copied as msftp.dll, under:
%sysdir%\msftp.dll
%userprofile%\msftp.dll
The library is then injected into processes and starts logging FTP credentials, which are written to a file called C:\ntload and uploaded to the main server.
The main executable remains active, listening on TCP port 9988.
We already detect the executable as Backdoor.Generic and the DLL as Trojan.PWStealer.
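The file paths and the listening port described above can be turned into a host-triage check over endpoint telemetry. The following is an added example, not code from the original post; the event schema, the host names and the expansions of %sysdir% and %userprofile% are assumptions.

```python
import re
from collections import defaultdict

# Indicators from the write-up. Assumed expansions: %sysdir% is
# <drive>:\Windows\System32, %userprofile% is a folder under <drive>:\Users
# or <drive>:\Documents and Settings.
SYSDIR = r"[a-z]:\\windows\\system32"
PROFILE = r"[a-z]:\\(?:users|documents and settings)\\[^\\]+"
FILE_IOCS = {
    "backdoor copy (win32.exe)": re.compile(SYSDIR + r"\\drivers\\win32\.exe"),
    "backdoor copy (ntuser.exe)": re.compile(PROFILE + r"\\ntuser\.exe"),
    "stealer dll (msftp.dll)": re.compile(r"(?:%s|%s)\\msftp\.dll" % (SYSDIR, PROFILE)),
    "ftp credential log (ntload)": re.compile(r"c:\\ntload"),
}
LISTEN_PORT = 9988

def match_event(event):
    """Return the name of the indicator an event matches, or None."""
    if event["type"] == "file_create":
        path = event.get("path", "").lower()  # Windows paths are case-insensitive
        for name, pattern in FILE_IOCS.items():
            if pattern.fullmatch(path):  # full match, so ntuser.dat does not hit
                return name
    elif event["type"] == "tcp_listen" and event.get("port") == LISTEN_PORT:
        return "listener on TCP 9988"
    return None

def triage(events):
    """Group distinct indicator hits per host; more hits mean higher confidence."""
    hits = defaultdict(set)
    for event in events:
        name = match_event(event)
        if name:
            hits[event["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}

# Constructed sample telemetry (hypothetical schema and host names).
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "file_create", "path": r"C:\WINDOWS\system32\drivers\win32.exe"},
    {"host": "ws-01", "type": "file_create", "path": r"C:\WINDOWS\system32\msftp.dll"},
    {"host": "ws-01", "type": "file_create", "path": r"C:\ntload"},
    {"host": "ws-01", "type": "tcp_listen", "port": 9988},
    {"host": "ws-02", "type": "file_create", "path": r"C:\Documents and Settings\alice\NTUSER.DAT"},
    {"host": "ws-02", "type": "tcp_listen", "port": 8080},
    {"host": "ws-03", "type": "file_create", "path": r"C:\Users\bob\ntuser.exe"},
]
```

A single hit, such as a listener on TCP 9988 with none of the files present, is a weak signal on its own; hosts that match several indicators are the ones to isolate first.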
Below are some screenshots of the botnet admin console. Enjoy.
Below - Picture of the live counts separated by country

And here we can see some live graphs of the spread of the botnet

