
The Cash Factory: Executive Summary

Kaspersky Lab, a leading producer of security content management systems, has released its latest article, The Cash Factory. The article takes readers through the process of creating a botnet, starting with what appears to be a harmless spam email and leading to the identification of a sophisticated scheme used to create and run botnets.

The article is authored by Sergei Golovanov, Senior Malware Analyst, Igor Sumenkov, Head of Kaspersky Lab's Content Filtering Infrastructure Development Group, and Maria Garnayeva, Malware Analyst.

Botnets are networks of computers infected with malicious programs known as bots. These botnets are remotely controlled by cyber criminals and give them the ability to launch mass DoS attacks, send spam in bulk and perform other malicious activity. The legitimate owner of an unprotected computer often does not know that the machine has become part of a botnet, since bots usually run unnoticed in the background.

The objective of these cyber criminals is to create and run large botnets that generate a large income. That is why they strive to find the best tactics for using and controlling bots, ensuring rapid, widespread infection and maximum profit. Their sophisticated techniques are revealed in this article.

Research into the botnet creation process began when content filtering experts at Kaspersky Lab started receiving what looked like an ordinary spam email. The email contained hyperlinks to numerous legitimate websites. The links led to a range of sites but ultimately followed the same path to files on those servers.

In-depth analysis revealed that these web pages redirected users to the sites advertised in the spam emails. This technique – the absence of any direct link to the spammer's website – is frequently used to bypass filtering technologies that check links against blacklists of Internet addresses associated with spam.
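The evasion described above works only against a filter that checks the first hop of a link. The following added example (not from the article or from Kaspersky Lab) shows why, from the filter's side: it resolves each link's full redirect chain and checks every hop against a blocklist, so a link that enters through a legitimate-looking page but ends on a listed host is still caught. The hostnames, the redirect map (which stands in for live HTTP redirects or meta-refresh pages so the code runs offline) and the sample message body are all constructed for illustration.

```python
"""Follow redirect chains before checking links against a spam blocklist.

Added example, not code from the original article. All hostnames, the
redirect map and the sample message below are constructed placeholders.
"""
import re
from urllib.parse import urlparse

# Constructed redirect map: "this URL redirects to that URL". In a real
# filter this would come from fetching each hop (HTTP 30x, meta refresh, JS).
REDIRECTS = {
    "http://legit-shop.example/promo.php": "http://legit-shop.example/go/1",
    "http://legit-shop.example/go/1": "http://pills-spam.example/buy",
    "http://another-site.example/news.html": "http://exploit-host.example/in.cgi",
    "http://loop-a.example/": "http://loop-b.example/",
    "http://loop-b.example/": "http://loop-a.example/",
}

# Constructed blocklist of hosts known to serve spam landing pages or exploits.
BLOCKLIST = {"pills-spam.example", "exploit-host.example"}
MAX_HOPS = 10  # cap on redirects followed, so a chain cannot run forever

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url):
    """Return the hostname part of a URL (empty string if unparsable)."""
    return urlparse(url).hostname or ""


def resolve_chain(url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Follow redirects from url; return (list of hops, status).

    status is "ok", "loop" (a hop repeated) or "too_many_hops".
    """
    chain = [url]
    seen = {url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    if chain[-1] in redirects:
        return chain, "too_many_hops"
    return chain, "ok"


def classify_link(url, blocklist=BLOCKLIST, redirects=REDIRECTS):
    """Compare a first-hop-only check with a full-chain check for one link."""
    chain, status = resolve_chain(url, redirects)
    blocked_hops = [hop for hop in chain if host_of(hop) in blocklist]
    return {
        "url": url,
        "chain": chain,
        "status": status,
        # What a naive filter sees: only the host in the message body.
        "blocked_by_first_hop_check": host_of(url) in blocklist,
        # What a chain-following filter sees: any hop on the blocklist, or a
        # chain that could not be resolved (loops and over-long chains are
        # treated as suspicious rather than silently passed).
        "blocked_by_chain_check": bool(blocked_hops) or status != "ok",
        "blocked_hops": blocked_hops,
    }


def scan_message(body):
    """Extract links from a message body and return ("spam"|"clean", details)."""
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(body)]
    results = [classify_link(u) for u in urls]
    verdict = "spam" if any(r["blocked_by_chain_check"] for r in results) else "clean"
    return verdict, results


# Constructed sample spam body: every visible link points at a legitimate host.
SPAM_BODY = """Great discounts this week only!
Visit http://legit-shop.example/promo.php for details,
or read the story at http://another-site.example/news.html"""

if __name__ == "__main__":
    verdict, results = scan_message(SPAM_BODY)
    print("verdict:", verdict)
    for r in results:
        print(r["url"], "first-hop:", r["blocked_by_first_hop_check"],
              "chain:", r["blocked_by_chain_check"], "->", " -> ".join(r["chain"]))
```

Run as a script, the sample message is rated clean by the first-hop check on every link and spam by the chain check, which is exactly the gap the spammers' use of hacked legitimate sites exploits. A production filter would resolve hops by fetching them (with timeouts and a hop cap like `MAX_HOPS`) rather than from a static map.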

Kaspersky Lab analysts decided to investigate how such a large number of legitimate sites could have been hacked. Their research led to the discovery that certain pages on the compromised legitimate websites redirected users not only to spammer websites but to hacker resources as well. These resources contained exploits that take advantage of vulnerabilities in a variety of commonly used applications and install the malicious bot Backdoor.Win32.Bredolab.

The article also describes some of the features of Backdoor.Win32.Bredolab, such as its ability to evade detection when attempts are made to run it in a sandbox, and how it provides cyber criminals with remote administration capabilities. When an appropriate command is received from the control center, the bot downloads a Trojan designed to steal the passwords stored by FTP clients used to manage website content.

Analysts monitored the bot. After some time, Backdoor.Win32.Bredolab resumed downloading malicious programs, including utilities used to conduct mass mailings, the network worm Koobface, and a rogue antivirus program. The question of how the websites had been compromised was answered: users were redirected to spammer sites because website content had been modified, which was made possible using passwords stolen by the Trojan the bot installed. Computers used to view the compromised sites were infected by the bot, and the infected machines formed a botnet that downloaded malicious programs and acted on other commands from the command and control center.

The case of Backdoor.Win32.Bredolab illustrates the types of technologies and methods used by cyber criminals to create botnets, conduct mass mailings, and perform other malicious activity.

To view the full version of The Cash Factory, visit viruslist.com.

The material can be reproduced provided the author, company name and original source are cited. Reproduction of this material in re-written form requires the express consent of the Kaspersky Lab PR department.

Copyright © 1997 - 2009 Kaspersky Lab.
All rights reserved.