Tuesday, October 30, 2007

Botnet on Demand Service

Once this "rent a botnet" or "botnet on demand" service (depending on the perspective) made it into the mainstream press, they switched locations, but I'm sure they'll continue to advertise themselves given the potential of such a service. The first screenshot provides the "botnet inventory": as you can see, the botnet has a total of 35015 infected hosts, but only 2342 of them were online when I last checked. At a rate of 252 newly infected hosts for the last two hours, and 5279 for the last 24, their only problem is to have the malware actually respond and "phone back home".

From another perspective, "rent a botnet" is a somewhat different service concept from "botnet on demand", and this service is a combination of the two. Rent a botnet means there's an already available inventory, that is, they're aware of the exact number of infected hosts they have and are capable of meeting the demand until their supply gets depleted, which is where "botnet on demand" comes into play. Botnet on demand, like the entire "on demand" concept, doesn't build an inventory of infected hosts and sit on them waiting for someone to require them. Instead, hosts get infected as requested, another indication of their understanding of what malicious economies of scale are all about: anticipating the success of exploiting outdated client-side vulnerabilities on a large scale.

What about the prices? Differentiated per-country pricing is an interesting approach; for instance, 1000 infected hosts in Germany are available for $220, and 1000 infected hosts in the U.S. go for half the price, $110. It doesn't really feel very comfortable knowing someone's bargaining with your bandwidth and clean IP reputation, does it? What's worth discussing is the fact that the service isn't marketed as a DIY DDoS service, but as simple access to a botnet, where the possibilities for abuse are well known to everyone reading here: spamming and phishing mailings, hosting and distribution of malware using the rented infrastructure, OSINT through botnets, corporate espionage through botnets, pretty much all the ugly practices you can think of.

If the service was a pure "rent a botnet", it could have had something to do with Storm Worm's "divide and conquer" approach of segmenting the botnet into smaller ones, since Storm Worm is the biggest inventory of infected hosts currently available online. But since they offer the "on demand" feature, thereby indicating they're surveying the demand for the service itself before putting more effort into building the inventory, I doubt it's Storm Worm related.

Possibility Media's Malware Fiasco

After both TrendMicro and Sophos acknowledged the attack on Possibility Media's portfolio of online publications, added detection, further clustered the attack, and came up with a fancy graph to visualize the IFRAME-ing attack, the attackers changed the IFRAME code and directed it to another location, and perhaps it's more interesting to see them express their feelings about getting exposed in such a coordinated manner. The second IFRAME URL from the previous post now greets visitors with an "ai siktir vee?" message. What does "ai siktir vee" mean? It means "get lost". The new IFRAME URLs as of yesterday are exploiting the MDAC ActiveX code execution vulnerability (CVE-2006-0003), and here are more details:

(58.65.239.28) ilovemyloves.com/films/in.cgi?11
ilovemyloves.com/traff.php
ilovemyloves.com/fuck.php
ilovemyloves.com/lol.php
ilovemyloves.com/nuc/index.php
ilovemyloves.com/games/index.php
ilovemyloves.com/ra/load.php

Is there by any chance the possibility that the Russian Business Network's IPs might be somehow involved? Don't be naive - of course there are RBN IPs involved, and talking about them, deobfuscating scripts or analyzing the binaries related to RBN is becoming a rather boring task given that nothing's changing. Remember all those parked domains on the second IFRAME IP from the previous post? According to this writeup by Symantec's Kaoru Hayashi, some of the hosts - fiderfox.info:8081; gipperlox.info:8081; gipperlox.info:8081 - are acting as communication platforms for a trojan downloaded from an RBN IP, 81.95.144.146, from which the trojan receives its spam sending configuration. Now, where do we know 81.95.144.146 from? From the Bank of India hack, as it was among the several IPs used in that IFRAME attack.

Getting back to the latest developments in the dynamic tactical warfare applied by the attackers at 208.72.168.176, they seem to have introduced a new obfuscation at 208.72.168.176/e-Mikhalich2210/index.php, which you can see in the screenshot attached. Once we take a closer look at the binary, we can conclude it's a spam bot known under different names such as Dropped:Trojan.Proxy.Pixoliz.I, Trojan-Proxy.Pixoliz and W32/Pixoliz.

Detection rate: 11/32 (34.38%)
File size: 123924 bytes
MD5: 15027f9e4dc93e95e70f7086f2bf22de
SHA1: 494a675df55167cf4ed5a2c0320cdaa90dbbc10e

New domains under different IPs are also connected with the previous and the current IFRAMEs, as they all tell me to "ai siktir", for instance:

privatechecking.cn/stool/index.php
musicbox1.cn/iframe.php
xanjan.info/ad/index.php

There's even a Storm Worm connection. For instance, musicbox1.cn/iframe.php refreshes to textdesk.com, which is heavily polluted with known Storm Worm domains such as eliteproject.cn/ts/in.cgi/alex; 88.255.90.74/su/in.cgi?3; 81.95.144.150/in.cgi?11; takenames.cn/in.php; bl0cker.info/in.php; space-sms.info etc.
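The IFRAME injections and meta-refresh hops described in this post are exactly what a defender wants to flag when crawling their own pages. The following is an added example, not code from the post or from any of the vendors mentioned: a small Python scanner that walks an HTML page, pulls out every IFRAME source and meta-refresh target, and reports those pointing at the hosts listed in this post, those using the in.cgi/in.php redirector pattern seen above, or those rendered hidden (1x1 or display:none). The sample page it scans is constructed for the example; only the indicator hosts come from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator hosts taken from the post above (hosts only, paths dropped).
KNOWN_BAD_HOSTS = {
    "ilovemyloves.com", "privatechecking.cn", "musicbox1.cn", "xanjan.info",
    "textdesk.com", "eliteproject.cn", "takenames.cn", "bl0cker.info",
    "space-sms.info", "208.72.168.176", "58.65.239.28", "88.255.90.74",
    "81.95.144.150", "81.95.144.146",
}

# Traffic-direction scripts seen in the post: ".../in.cgi?N", ".../in.php", ".../in.cgi/alex"
REDIRECTOR_RE = re.compile(r"/in\.(cgi|php)(\?|/|$)")

# Pulls the URL out of a meta refresh "content" attribute such as "0; url=http://host/"
META_REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)


def _is_hidden(attrs):
    """True if the element is styled invisible or sized 1x1 or smaller."""
    a = dict(attrs)
    style = (a.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        v = (a.get(dim) or "").strip().rstrip("px")
        if v.isdigit() and int(v) <= 1:
            return True
    return False


class IframeScanner(HTMLParser):
    """Collects suspicious IFRAME sources and meta-refresh targets."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self._check("iframe", a["src"], hidden=_is_hidden(attrs))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_RE.search(a.get("content") or "")
            if m:
                self._check("meta-refresh", m.group(1), hidden=False)

    def _check(self, kind, url, hidden):
        # Normalise scheme-less and protocol-relative URLs so urlparse sees a host.
        if url.startswith("//"):
            target = "http:" + url
        elif "://" not in url:
            target = "http://" + url
        else:
            target = url
        parsed = urlparse(target)
        host = (parsed.hostname or "").lower()
        path_q = parsed.path + ("?" + parsed.query if parsed.query else "")
        reasons = []
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known-bad host")
        if REDIRECTOR_RE.search(path_q):
            reasons.append("in.cgi/in.php redirector pattern")
        if hidden:
            reasons.append("hidden frame")
        if reasons:
            self.findings.append({"kind": kind, "url": url, "host": host, "reasons": reasons})


def scan_html(html):
    """Return a list of findings, in document order, for one HTML page."""
    p = IframeScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: one benign widget frame, one meta refresh to a listed host,
# one hidden frame to a listed host, and one hidden frame to an unlisted host that
# still uses the redirector pattern.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://textdesk.com/">
</head><body>
<p>Legitimate article text.</p>
<iframe src="http://example.org/widget" width="300" height="200"></iframe>
<iframe src="http://ilovemyloves.com/films/in.cgi?11" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="//unknown-host.example/tds/in.php" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f["kind"], f["url"], "->", ", ".join(f["reasons"]))
```

Run against a saved copy of a compromised page, the scanner reports three of the four frames above and ignores the visible, unlisted widget. The "hidden frame" and redirector-pattern checks are what catch a new IFRAME location after the attackers move, which, as this post shows, they do as soon as the old one is written up.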

Dots, dots, dots and data speaks for itself.