
Post on 09-Jul-2020



The Hidden Bot

Evgeny Aseev

Head of Virus Lab, APAC

Kaspersky Lab


Agenda

1. Oh my, yet another bot... What is special about it?
2. Distribution model: be silent and careful
3. Infection process and payload
4. What is hidden needs to be unhidden

Yet Another Bot. Or not?


“How Big Is Big?”

http://www.abuse.ch/?p=3294, 2011


Ponmocup / Pirminay / Milicenso Trojan

Appeared in 2009

Not well-known, very little research

• c-APT-ure’s blog posts

• Couple of AV vendors’ blog posts

Not well-detected by AV vendors

Why? It is well-hidden!

Distribution model

How is malware delivered?


Distribution model: scheme

[Diagram: Compromised server → Dispatcher → Infector → User, in four stages (Stage 1 to Stage 4)]


Distribution model: conditions

Chain: Compromised server → Dispatcher → Infector → User

Stage 2:
• Specific cookie is not set
• Specific resource in referer
• Specific User-Agent

Stage 3:
• IP has not been tracked before
• Stage 2 should be passed successfully

Stage 4:
• Stage 2 + Stage 3 should be passed successfully
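The scheme and the per-stage conditions above give the delivery path a recognisable shape in proxy logs: a client enters a compromised page with a Referer set, is bounced through two further hosts, and finally receives a payload. The Python below is an added example, not code from the presentation: it reconstructs redirect chains per client IP from constructed log lines (the log format, hostnames and IPs are all assumed) and flags chains that match that shape.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed log format: ts, client IP, method, URL, status, Referer, UA, response Location.
LOG_RE = re.compile(
    r'^(?P<ts>\d+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) '
    r'referer="(?P<referer>[^"]*)" ua="(?P<ua>[^"]*)" location="(?P<location>[^"]*)"$')

# Constructed sample: 10.0.0.5 walks site -> dispatcher -> infector -> payload; 10.0.0.9 does not.
SAMPLE_LOG = """\
1 10.0.0.5 GET http://hacked-blog.example/post.html 302 referer="http://search.example/?q=x" ua="Mozilla/5.0 (MSIE 8.0)" location="http://dispatcher.example/go"
2 10.0.0.5 GET http://dispatcher.example/go 302 referer="http://hacked-blog.example/post.html" ua="Mozilla/5.0 (MSIE 8.0)" location="http://infector.example/load.exe"
3 10.0.0.5 GET http://infector.example/load.exe 200 referer="http://dispatcher.example/go" ua="Mozilla/5.0 (MSIE 8.0)" location=""
4 10.0.0.9 GET http://hacked-blog.example/post.html 200 referer="" ua="Mozilla/5.0 (MSIE 8.0)" location=""
"""

def parse(log_text):
    """One dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]

def redirect_chains(events):
    """Per client IP, follow Location hops (next link = request whose URL equals the
    previous Location). Start only at a 3xx that no other Location pointed to."""
    by_ip = defaultdict(dict)
    for e in events:
        by_ip[e["ip"]][e["url"]] = e
    chains = []
    for ip, reqs in by_ip.items():
        targets = {e["location"] for e in reqs.values()}
        for start in reqs.values():
            if not start["status"].startswith("3") or start["url"] in targets:
                continue
            chain = [start]
            while chain[-1]["location"] in reqs and len(chain) < 10:  # bound stops loops
                chain.append(reqs[chain[-1]["location"]])
            chains.append((ip, chain))
    return chains

def flag_staged_delivery(chains, min_hosts=3):
    """Chains entered with a Referer set, crossing >= min_hosts hosts, ending in 200."""
    flagged = []
    for ip, chain in chains:
        hosts = [urlparse(e["url"]).hostname for e in chain]
        if (chain[0]["referer"] and len(set(hosts)) >= min_hosts
                and chain[-1]["status"] == "200"):
            flagged.append((ip, hosts))
    return flagged
```

Because stage 3 admits an IP only once, replaying the first URL from an analysis box will usually not reproduce the chain; the historical proxy log of the affected client is the better evidence source.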


Distribution model (stage 2): .htaccess kung fu

[Three screenshots of the .htaccess rules: Version 1, Version 2, Version 3]
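The slide shows the stage-2 rules only as screenshots. As an added example that is not the campaign's code, the Python below is an integrity check a site owner can run over an .htaccess file: it flags every RewriteRule that sends visitors to another host and is guarded by RewriteCond lines on the cookie, Referer or User-Agent, which are the stage-2 conditions listed earlier. SAMPLE_HTACCESS is a constructed fragment in that shape, with assumed hostnames.

```python
import re

# Constructed .htaccess fragment in the shape the stage-2 conditions describe (the
# campaign's real rules appear in the slides only as screenshots): redirect only when
# a cookie is absent, the Referer matches and the User-Agent is a browser.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !visited=1
RewriteCond %{HTTP_REFERER} search\\.example
RewriteCond %{HTTP_USER_AGENT} MSIE
RewriteRule ^.*$ http://dispatcher.example/go [R=302,L]
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
"""

# Server variables a visitor-gating redirect keys on (see the stage-2 conditions).
CLIENT_VARS = ("HTTP_COOKIE", "HTTP_REFERER", "HTTP_USER_AGENT")

def find_gated_external_redirects(text):
    """Return (guarding RewriteConds, target) for every RewriteRule whose target is
    another host and which is guarded by a RewriteCond on cookie, Referer or UA."""
    findings, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("RewriteCond"):
            pending.append(line)
        elif line.startswith("RewriteRule"):
            parts = line.split()
            target = parts[2] if len(parts) > 2 else ""
            guards = [c for c in pending if any(v in c for v in CLIENT_VARS)]
            if guards and re.match(r"https?://", target):
                findings.append((guards, target))
            pending = []  # RewriteConds apply only to the RewriteRule that follows
    return findings
```

Run it against every .htaccess on the host, not just the document root, since a compromised site may carry the rules in a subdirectory.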

Infection and payload

How is the user infected? What happens next?


Infection process

But only if you have IE8…

[Diagram: infection flow with two branches, “Java is enabled” and “Java is disabled”]


Trojan self-protection

• Active anti-debugging/sandboxing/reverse engineering
• C&C HTTP requests are generated from widespread tokens


Actual payload and monetization

Summary & future steps

What is hidden needs to be unhidden


What is hidden needs to be unhidden

What was unhidden

• Very carefully crafted malicious campaign
• Uses hacked websites, domains and dedicated servers for distribution, stolen digital certificates for infection
• Robust protection from being analyzed/reversed
• Target – install PUPs (PPI monetization model)
• More than 3 years in the game, still barely noticed by the information security community and barely detected by AV vendors

What needs to be unhidden

• Current botnet size
• Server-side code on dispatchers and infectors


Thank you!

Evgeny Aseev

Head of Virus Lab, APAC

Kaspersky Lab
