Dismantling a Nuclear Bot

Dennis Schwarz

A recent tweet mentioned that a new banking malware called “Nuclear Bot” has started to appear for sale on underground marketplaces. Its price starts around $2500, which is more than double the price of another recent entry to the market. This post dismantles a sample of this malware to determine whether we need to take […]

On the Economics, Propagation, and Mitigation of Mirai

ASERT team

By Kirk Soluk and Roland Dobbins. In late November of 2016, a new Mirai variant emerged that leveraged a propagation mechanism different from the Telnet-based brute forcing mechanism originally provided in the leaked Mirai source code. This new variant exploits vulnerable implementations of the TR-064/TR-069 protocol used by ISPs to remotely manage their customers’ broadband […]

FlokiBot: A Flock of Bots?

Dennis Schwarz

In early October, Flashpoint released an analysis of an underground forum advertisement for a new malware family known as FlokiBot. It took some time before a sample was found in the wild, but a researcher known as hasherezade flagged one on VirusTotal in early November. She also wrote an analysis of its dropper here. This […]

Mirai IoT Botnet Description and DDoS Attack Mitigation

Changes from previous version: Removed erroneous Mirai bot backdoor reference (miscommunication regarding Mirai C&C API listener on TCP/101); added Dyn post-mortem link; refined descriptive verbiage. Authors: Roland Dobbins & Steinthor Bjarnason. Since its inception in August of 2016, the Mirai ‘Internet-of-Things’ (IoT) botnet, comprised largely of Internet-enabled digital video recorders (DVRs), surveillance cameras, and other Internet-enabled embedded devices, has […]

The Great DGA of Sphinx

Dennis Schwarz

This post takes a quick look at Sphinx’s domain generation algorithm (DGA). Sphinx, another Zeus-based banking trojan variant, has been around circa August 2015. The DGA domains are used as a backup mechanism for when the primary hardcoded command and control (C2) servers go down. It is currently unknown to us as to what version […]

Panda Banker’s Future DGA

Dennis Schwarz

Since we last visited the Panda Bankers at the malware zoo, two new versions have emerged: 2.2.6 and 2.2.7. While sifting through the encrypted strings of the latest version, two interesting ones stood out: dgaconfigs DGA, download “%S”. Tracing the first one through the code does indeed lead to a DGA or a domain generation […]

Who Let the Pandas Out? Zeus, Zeus, Zeus, Zeus

Dennis Schwarz

A few months ago Proofpoint released a blog post about a new banking trojan called Panda Banker. They credit Fox-IT with the discovery, and both companies indicate that it is another variant based on the Zeus banking trojan source code. Under the hood, Panda Banker certainly feels Zeus-like, but it has plenty to distinguish itself […]

Estimating the Revenue of a Russian DDoS Booter

Dennis Schwarz

At the end of 2014, ASERT presented research where we mapped some DDoS booter advertisements on Russian language forums to their behind-the-scenes DDoS botnet infrastructures. For this post, we will follow up on that research a bit by looking at another one of these mappings and trying to estimate the revenue generated by the DDoS […]

Amplifying Black Energy

ASERT team

Click here to download the full report. The Black Energy malware family has a long and storied history dating back to 2007. Originally a monolithic DDoS platform, significant advancements were made in 2010 including support for an extensible plugin architecture that allowed Black Energy 2 to more easily expand beyond DDoS into other activities such […]

Peeking at Pkybot

Dennis Schwarz

For the past few months ASERT has been keeping an eye on a relatively new banking malware (“banker”) known as “Pkybot”. It is also being classified as a variant of “Bublik”, but the former is much more descriptive of the malware. This post will take a peek at some of the bits and pieces of […]