Wednesday, January 28, 2009

Danmec Bot, Fast-Flux networks and recruitment of Zombies PCs

Danmec, or Asprox, is called a trojan designed to recruit zombie machines while collecting information for each of the victims infected.

While the appearance of this trojan isn't new, it's now worth more complex strategies that typically used by other malicious code, including its early variants, such as the Fast-Flux to avoid detection by blocking programs and infect as many computers as possible.

Today, Fast-Flux networks are massively exploited and thousands of active domains of Russian origin, such as activating again botnets created by Danmec.

google-analitycs.lijg .ru
fmkopswuzhj .biz

fnygfr .com
fvwugekf .info

fwkbt .info

gbrpn .org

gbxpxugx .org

ghtileh .biz

gnyluuxneo .com

fuougcdv .org

www. dbrgf .ru

www. bnmd .kz

www. nvepe .ru

www. mtno .ru

www. wmpd .ru

www. msngk6 .ru

www. vjhdo .com

www. aspx37 .me

google-analitycs.dbrgf .ru

www. advabnr .com

www. lijg .ru

www. dft6s .kz

Each of these domains hosting the following script written in JavaScript called script.js (MD5: ccec2c026a38ce139c16ae97065ccd91), which runs from a Drive-by-Download:

This call through the iframe tag is made to a URL that is part of a Fast-Flux network.

, IN A

;; ANSWER SECTION: 600 IN A 600 IN A 600 IN A 600 IN A 600 IN A 600 IN A 98,194,180,179 600 IN A 600 IN A 151,118,186,131 600 IN A 600 IN A 600 IN A 600 IN A 24,107,209,119 600 IN A 24,170,188,201 600 IN A

;; AUTHORITY SECTION: 339897 IN NS 339897 IN NS 339897 IN NS 339897 IN NS 339897 IN NS

;; Query time: 263 msec
;; SERVER: # 53 (
;; WHEN: Sun Jan 25 20:31:57 2009
;; MSG SIZE rcvd: 356

While each of the web addresses above lines form a new farm Fast-Flux networks with groups of IP addresses mirrors.

Fast-Flux is an advanced technique used for malicious purposes, together with others, for the spread of various threats. This means be cautious at all times.

# Jorge Mieres

No comments: