Win32/Sality newest component: a router’s primary DNS changer named Win32/RBrute

From Botnets.fr


Botnet: Sality
Malware: RBrute
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2014 / 2014-04-02
Editor/Conference: ESET
Link: http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/ (Archive copy)
Author: Benjamin Vanheuverzwijn
Type: Blogpost

Abstract

Win32/Sality is a family of malware that has been using a peer-to-peer botnet since at least 2003. It is a file infector and a trojan downloader, the latter of which is mainly used to send spam, although it has been used for different purposes such as faking advertising network traffic, distributed denial of service or VoIP account cracking. All commands and files exchanged through Sality’s P2P network are digitally signed, making it resilient to protocol manipulation. Its modular architecture as well as the longevity of the botnet shows good programming practice and an efficient software design.

We’ve been tracking the Win32/Sality network for quite some time now and have seen more than 115 000 IP addresses reachable from the Internet using so-called “super peers,” which keep the botnet alive and propagate commands to regular peers.

We have seen the same components downloaded over the years with little change to their underlying behavior. Lately, a new component has appeared with some novel characteristics: the ability to change a residential broadband gateway router’s primary DNS address, which is different from the usual FTP password stealer or spambot deployed by Win32/Sality. According to our telemetry data, this component was dropped for the first time at the end of October 2013. It was first publicly discussed by Dr. Web, who published a technical analysis of one component, the IP address scanner. They named it Win32/RBrute.

Bibtex

@misc{2014BFR1380,
  editor = {ESET},
  author = {Benjamin Vanheuverzwijn},
  title = {Win32/Sality newest component: a router’s primary DNS changer named Win32/RBrute},
  date = {02},
  month = apr,
  year = {2014},
  howpublished = {\url{http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/}},
}