Back to Home

“Cross at EITest”: how to eliminate the largest network for the spread of viruses / 1cloud.ru Blog

1cloud · IB · EITest · botnet

“Cross at EITest”: how to eliminate the largest network for the spread of viruses

    The EITest botnet consisted of more than 52 thousand servers and cybercriminals used it to spread malware. Corporate security specialists from Abuse.ch, BrillantIT and Proofpoint, managed to synchronize (redirect traffic to a fake web server) of the EITest network management infrastructure and neutralize it.

    We will tell about how EITest came about and how it was managed to be “covered up” under the cut. / The Flickr / of Christiaan Colen / CC




    A bit about EITest


    The EITest botnet was considered the “king of traffic distribution” and was used by cybercriminals to spread exploits and redirect users to malicious sites and phishing pages.

    EITest entered the cybercrime market in 2011. At first, the creators used it for their purposes - mainly for routing traffic to sites with their “homegrown” set of Glazunov exploits (he infected devices with the Zaccess Trojan ).

    At that time, the EITest network did not pose a serious threat. However, by the end of 2013, the attackers “pumped” their infrastructure and already in July 2014 began to lease the EITest to other malware creators.

    As noticedone of the Proofpoint experts, the EITest team began selling intercepted traffic from hacked sites for $ 20 per thousand users. Moreover, the minimum block for the transaction was 50 thousand users.

    Since then, EITest has become the daily “pain” of information security experts: the network spread a huge number of ransomware viruses from different families and redirected traffic to exploit resources (including Angler and RIG ). It was recently noticed that EITest sent users to sites with fake updates , font packages and browlock viruses .

    Proofpoint experts estimated that the malicious network consists of 52 thousand servers located in the USA, Brazil, Great Britain, Kazakhstan, Australia, China, India, South Africa and other countries. The highest concentration of hacked servers was noted in the USA, Australia and China. From March 15 to April 4, 2018, these servers processed about 44 million requests.

    How to "neutralize" the network


    At the beginning of the year, BrillantIT specialists were able to discover a method for connecting infected sites to the management infrastructure. Analysis of the system showed that C & C domains were formed on the basis of stat-dns.com. This domain was redirected to a different IP address, and four new EITest C & C domains were generated.

    By creating new domains, experts were able to replace the malicious server with a synchole. Now it receives traffic from all compromised sites with backdoors, and their visitors are not threatened by malware and the introduction of third-party code. The network structure and the location of the “security server” in it can be found on the diagram provided by Proofpoint (available here ). Information Security Specialists Prevented2 million potential conversions to malicious sites per day.

    Proofpoint reports that after the “interception” of EITest, cybercriminals turned off C & C proxies. However, the researchers still found a number of encrypted requests to the sync server, which can be regarded as attempts to seize control of the network (due to the commands contained in them). However, experts have no evidence that these were the owners of EITest.

    The teams Abuse.ch, BrillantIT and Proofpoint said they would continue to monitor EITest activity so that hackers could not restart their traffic distribution system.


    / The Flickr / of Christiaan Colen / CC

    Another big case


    According to the Independent, in December 2017, another large malicious system, the Andromeda botnet (or Gamarue), was neutralized.

    The botnet was first discovered in September 2011 and has since become a serious threat. Its creators sold toolkits that allowed customers to deploy their custom infrastructure to steal user data and install malware on the machines of the “victims”.

    It took specialists a year and a half to find and neutralize the Andromeda C&C servers. In the "destruction" of infrastructure involved Germany, USA, Belarus. Representatives of Microsoft even joined the investigation.

    Microsoft saysthat the Andromeda botnet distributed over 80 types of malware, including Petya, Cerber, Kasidet and others. According to researchers, he infected 1.1 million systems every month through social networks, email and instant messengers.

    Related posts from our corporate blog:

    Read Next