Propagation Of The 5 Year Old Bot

· Read in about 3 min · (472 Words)

5 Year Old Bot Still In The Wild | Quttera blog


We have encountered a 5-year-old malware while cleaning up one of our customer's website. The malware used a drive-by download method to infect the users.

What is Drive-by Download?

The drive-by download is an attack vector wherein the users are downloading the payload without their knowledge or consent. It usually happens during the visit to an infected site, reviewing an email or by just clicking a popup advertisement.

What does the payload do?

The malware payload varies from time to time, depending on the attacker’s goal. Usually, the GOTO application of this type of infection is Bots. Once the system is infected, hackers can take control of the compromised computers to use them for the illegal purposes, - e.g. advertisement (ads click fraud), user data encryption (ransomware) to later demand a ransom, etc…

Dissecting the Malware

The site contains a regular code, but when you scroll it down after the HTML tag, you will notice that the site has been hijacked.

Website hijacked |  Quttera blog

The “4D5A” letters on the screenshot could be easily identified as a PE (Portable Executable) File by a Malware Analyst. If you convert it from ASCII to HEX it will look like this:

PE(Portable Executable) Malware | Quttera blog

After the conversion, the file will display the strings “.UPX0”, this only means that the file is still packed but can still be executed, we unpacked it nevertheless so that we can check for strings on file.

PE(Portable Executable) Malware | Quttera blog

After unpacking, we were not able to see any unique identifiers for the file aside from the API's that the file used. A quick search on the VirusTotal and shows malicious tagging from different security vendors.

Malware Bot file checked on VirusTotal | Quttera blog

A couple of clicks from the VirusTotal indicates that the file is nearly five (5) years old already but still circulating in the wild.

Malware Bot file checked on VirusTotal | Quttera blog

We were able to execute the malware in a controlled environment to check if the servers are still active and below you can see that they are.

Bot Servers Responding To Malware Calls | Quttera blog

The image above shows that the server is still responding to the request being made by the malware.

The file uses the user’s default browser to connect to the server via PORT 80. As of now, the server is only acknowledging the requests being made by the clients usually to tell the server that 'I am infected and ready to be at your disposal.'

Malware Connecting To The Bot Servers From The Chrome Browser | Quttera blog

Here at Quttera, we were able to block the websites involved in the Bot propagation to help our customers and to protect their machines from possible infection.

Is your website flagged for malware, blocked by the search engines or disabled by the host?

Our experts are here to clean up any malware from your sites and remove false-positives, blacklisting and other kinds of alerts by any security vendor and search engines. Just select from suitable ThreatSign! Anti-Malware Plan and get back online.

For other issues and help: Quttera's help-desk