The anti-virus company Doctor Web has detected a new botnet of millions of computers. The Win32.Rmnet.12 virus infects Windows PCs and performs backdoor functions: it steals passwords from popular FTP clients, which can then be used to organize network attacks or to infect websites.
The greatest number of infected PCs is located in Indonesia – 320,014 infected machines, or 27.12%. Bangladesh ranks second with 166,172 infected hosts, which constitute 14.08% of the botnet. Third is Vietnam (154,415 bots, or 13.08%), followed by India (83,254 bots, or 7.05%), Pakistan (46,802 bots, or 3.9%), Russia (43,153 infected machines, or 3.6%), Egypt (33,261 hosts, or 2.8%), Nigeria (27,877 bots, or 2.3%), Nepal (27,705 bots, or 2.3%) and Iran (23,742 bots, or 2.0%). A sizeable number of compromised hosts is found in the Republic of Kazakhstan (19,773 cases of infection, or 1.67%) and the Republic of Belarus (14,196 bots, or 1.2%). 12,481 compromised hosts, or 1.05% of the total number of bots, are located in Ukraine. A relatively small number of infected computers reside in the U.S. – 4,327 machines, which corresponds to 0.36%. The smallest numbers are found in Canada (250 computers, or 0.02% of the network's bulk) and Australia (only 46 computers). One infected computer each has been found in Albania, Denmark and Tajikistan.
April 18, 2012
Doctor Web—a Russian anti-virus company—reports an outbreak of the Win32.Rmnet.12 virus that has enabled attackers to create a botnet incorporating over a million infected computers. Win32.Rmnet.12 infects Windows PCs, performs backdoor tasks and steals passwords stored by popular FTP clients. The passwords may later be used to mount network attacks and infect websites. Win32.Rmnet.12 processes commands from a remote server, which may include bringing down the OS.
The first entries related to Win32.Rmnet.12 were added to the Dr.Web virus database in September 2011. From that point on, Doctor Web's analysts closely followed the development of this threat. The virus penetrates computers in different ways: via infected flash drives, via infected executable files, and via special scripts embedded into HTML documents, which save the virus to the computer when one opens a malicious web page in the browser. A signature for the VBScript code was added to the Dr.Web virus database as VBS.Rmnet.
Win32.Rmnet.12 is a complex multi-component virus, consisting of several modules and capable of self-replication. When launched, Win32.Rmnet.12 checks which browser is set as the system default browser (if none is detected, the virus targets Microsoft Internet Explorer) and injects its code into the browser process. It then uses the hard drive serial number to generate its own file name, saves itself into the autorun (Startup) folder of the current user and assigns the "hidden" attribute to its file. The virus's configuration file is saved into the same folder. Finally, the virus uses an embedded routine to determine the name of a control server and tries to connect to it.
One of the virus components is a backdoor. Once launched, it tries to determine the Internet connection speed: it sends requests to google.com, bing.com and yahoo.com at 70-second intervals and analyses the responses. Win32.Rmnet.12 then launches an FTP server on the infected machine, connects to a remote server and transmits information about the infected system to the intruders. The backdoor can execute commands received from the remote server, in particular to download and run arbitrary files, to update itself, to take screenshots and send them to the criminals, and even to render the operating system non-operational.
Another virus component steals passwords stored by the most popular FTP clients, such as Ghisler (Total Commander), WS_FTP, CuteFTP, FlashFXP, FileZilla, BulletProof FTP and others. This information can later be exploited to carry out network attacks or to place malicious objects on remote servers. Win32.Rmnet.12 also searches through the user's cookies, so attackers can gain access to the user's accounts at sites that require authentication. In addition, the module can block access to specified sites and redirect the user to a site controlled by the virus writers. One Win32.Rmnet.12 modification is also able to perform web injections to steal bank account information.
The virus spreads in various ways, including by exploiting browser vulnerabilities that let intruders save and launch executables when a web page is loaded. The virus searches for all HTML files stored on disk and embeds VBScript code into them. In addition, Win32.Rmnet.12 infects all executable files with the .exe extension found on disk and is able to copy itself to removable flash drives. It saves an autorun file and a shortcut to a malicious application into the root folder of the flash drive; this application launches the virus.
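As an added example (not Doctor Web's detection logic and not code from the original article), the following Python heuristic flags VBScript blocks in HTML files that reference objects able to write or launch files, which is one way a defender can triage a web root for the kind of injected dropper script described above; the object list and the two sample pages are assumptions constructed here, not Win32.Rmnet.12's actual script.

```python
import re
from pathlib import Path

# Assumed heuristic: COM objects a VBScript block needs in order to drop and
# run a file. Benign pages rarely instantiate these from inline script.
SUSPICIOUS_OBJECTS = (
    "scripting.filesystemobject",
    "adodb.stream",
    "wscript.shell",
    "shell.application",
)

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
VBS_ATTR_RE = re.compile(r'(language|type)\s*=\s*["\']?(text/)?vbscript', re.I)


def find_vbscript_droppers(html: str) -> list:
    """Return, per VBScript block, the suspicious object names it references."""
    hits = []
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2).lower()
        if not VBS_ATTR_RE.search(attrs):
            continue  # JavaScript or untyped blocks are out of scope here
        found = [obj for obj in SUSPICIOUS_OBJECTS if obj in body]
        if found:
            hits.append(found)
    return hits


def scan_html_tree(root: str) -> dict:
    """Scan every .htm/.html file under root; map path -> suspicious objects."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".htm", ".html"):
            hits = find_vbscript_droppers(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed samples: a page with an injected file-dropping VBScript block,
# and a clean page whose VBScript only shows a message box.
SAMPLE_INFECTED = """<html><body><p>Welcome</p>
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
Set stm = CreateObject("ADODB.Stream")
Set sh = CreateObject("WScript.Shell")
</script></body></html>"""

SAMPLE_CLEAN = """<html><body>
<script type="text/javascript">document.write("hi");</script>
<script language="VBScript">MsgBox "hello"</script>
</body></html>"""
```

Point `scan_html_tree` at a copied web root or a mounted disk image rather than a live system, and review flagged blocks by hand; the heuristic is a triage aid, not a signature.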
The botnet comprised of hosts infected with Win32.Rmnet.12 was discovered by Doctor Web as early as September 2011, when the first virus sample fell into the hands of virus analysts. They soon decrypted the names of the control servers found in Win32.Rmnet.12's resources. After a while, analysts decrypted the protocol used for communication between the bots and the control servers, which enabled them to determine the number of bots and to control them. On February 14, 2012, Doctor Web's virus analysts created a sinkhole (subsequently also used to study the BackDoor.Flashback.39 botnet): they registered the domain names of several servers controlling one of the Win32.Rmnet.12 networks and gained full control over that botnet. In late February, another Win32.Rmnet.12 subnet was hijacked the same way.
At first, the number of bots was relatively small, at several hundred thousand; however, the number grew steadily. As of April 15, 2012, the Win32.Rmnet.12 botnet comprises 1,400,520 infected hosts and is still growing.