The ‘advertising’ botnet
(Publication) Google search: [1]
| The ‘advertising’ botnet | |
|---|---|
| |
| Botnet | Artro |
| Malware | CodecPack, New_bb, BannerBot, PopupBot, HitBot, Oms |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2011 / 20 apr 2011 |
| Editor/Conference | Kaspersky lab |
| Link | https://www.securelist.com/en/analysis/204792172/The Advertising Botnet (Archive copy) |
| Author | Maria Garnaeva, Alexei Kadiev |
| Type | |
Abstract
“ Bots belonging to the Artro botnet are detected by Kaspersky Lab products as Trojan-Downloader.Win32.CodecPack, which has been around since early 2008. However, a full description of its functionality is still not available, so to rectify this, we decided to publish the results of a study we undertook.
The downloader
The Artro botnet was created using a Trojan downloader that is detected by Kaspersky Lab as Trojan-Downloader.Win32.CodecPack. The Trojan is protected by a packer with heavily obfuscated code. As a rule, packers are used to prevent the detection of a packed malicious program rather than to protect its code from analysis, and this piece of malware is no exception: unpacking it is a relatively easy task. When unpacked, the WinMain function of different Trojans usually looks more or less the same. In this case, however, the malware authors tried to obfuscate their code by inserting large numbers of superfluous instructions in order to make the code harder to analyze.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2011BFR918,
editor = {Kaspersky lab},
author = {Maria Garnaeva, Alexei Kadiev},
title = {The ‘advertising’ botnet},
date = {20},
month = Apr,
year = {2011},
howpublished = {\url{https://www.securelist.com/en/analysis/204792172/The_Advertising_Botnet}},
}