Lavasoft Security Bulletin - February 2014: Bot Review

Bot Review

Table: Bots under analysis (February 2014, Lavasoft MAS).


Bot's name        Jan 2014   Feb 2014   Change (Feb minus Jan, as % of Feb total)
Zbot                   259        197      -9.8%
Cycbot                  17         41       3.8%
Kelihos                193        146      -7.4%
NrgBot/Dorkbot         145        233      13.9%
Blazebot                 1         15       2.2%
Shiz                     5          3      -0.3%
Total                  620        635

Bot distribution in February:

Kelihos

Kelihos continues to download new versions of itself, now using the following URL mask:

http://[IP Address]/mod[id]/[file name].exe

For example:

hxxp://77.122.80.243/mod2/keybex1.exe
hxxp://178.150.171.207/mod1/keybex1.exe

You can find the latest description on Kelihos here.

Cycbot. Shows no sign of disappearing soon. You can find the latest description on Cycbot here.

Shiz. The backdoor is still alive despite a decreased number of occurrences. The latest example is here.
The list of domains Shiz connects to:

URL or domain    Resolved IP
hxxp://digivehusyd.eu/login.php 69.195.129.70
hxxp://gadufiwabim.eu/login.php 50.116.56.144
hxxp://kefuwidijyp.eu/login.php 173.230.133.99 (flagged by the ET CNC signature "Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 3)", Malicious)
hxxp://vofozymufok.eu/login.php 209.160.22.9
jefapexytar.eu 50.116.56.144
fokyxazolar.eu 50.116.56.144
xuqohyxeqak.eu 50.116.56.144
cihunemyror.eu 50.116.56.144
lyruxyxaxaw.eu 50.116.56.144
www.bing.com 204.79.197.200
foxivusozuc.eu 50.116.56.144
ryqecolijet.eu 50.116.56.144
puregivytoh.eu Unresolvable
gahihezenal.eu Unresolvable
qegytuvufoq.eu Unresolvable
vojacikigep.eu Unresolvable
makagucyraj.eu Unresolvable
tucyguqaciq.eu Unresolvable
nozoxucavaq.eu Unresolvable
puvopalywet.eu Unresolvable
ciliqikytec.eu Unresolvable
tunujolavez.eu Unresolvable
xutekidywyp.eu Unresolvable
dikoniwudim.eu Unresolvable
divywysigud.eu Unresolvable
lyvejujolec.eu Unresolvable
puzutuqeqij.eu Unresolvable
fobonobaxog.eu Unresolvable
rydinivoloh.eu Unresolvable
lysovidacyx.eu Unresolvable
qeqinuqypoq.eu Unresolvable
magofetequb.eu Unresolvable
tupazivenom.eu Unresolvable
rytuvepokuv.eu Unresolvable
qetoqolusex.eu Unresolvable
masisokemep.eu Unresolvable
gatedyhavyd.eu Unresolvable
fodakyhijyv.eu Unresolvable
cicaratupig.eu Unresolvable
vocumucokaj.eu Unresolvable
nofyjikoxex.eu Unresolvable
tuwikypabud.eu Unresolvable
kepymexihak.eu Unresolvable
xuxusujenes.eu Unresolvable
lymylorozig.eu Unresolvable
jepororyrih.eu Unresolvable
xubifaremin.eu Unresolvable
dimutobihom.eu Unresolvable
voniqofolyt.eu Unresolvable
fogeliwokih.eu Unresolvable
dixemazufel.eu Unresolvable
qederepuduf.eu Unresolvable
kemocujufys.eu Unresolvable
nojuletacuf.eu Unresolvable
rynazuqihoj.eu Unresolvable
marytymenok.eu Unresolvable
jejedudupuc.eu Unresolvable
volebatijub.eu Unresolvable
ciqydofudyx.eu Unresolvable
cinepycusaw.eu Unresolvable
keraborigin.eu Unresolvable
pumadypyruv.eu Unresolvable
nopegymozow.eu Unresolvable
galokusemus.eu Unresolvable
jewuqyjywyv.eu Unresolvable
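The Kelihos URL mask above and the Shiz domain list are both indicators a defender can match against proxy and DNS logs. The following is an added example, not code from Lavasoft or from the bulletin: it turns the mask into a validated regular expression, loads a subset of the listed Shiz domains as a blocklist (the full list works the same way), and scans constructed sample log lines in an assumed "<time> <client> GET <url> <status>" / "<time> <client> DNS <qname> <rcode>" format. The log format, client addresses and timestamps are assumptions; the two Kelihos URLs are the bulletin's own examples with hxxp rewritten as http so they parse.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Kelihos download mask quoted in the bulletin: http://[IP Address]/mod[id]/[file name].exe
KELIHOS_URL_RE = re.compile(
    r"^https?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/mod(?P<id>\d+)/(?P<file>[^/?#\s]+\.exe)$",
    re.IGNORECASE,
)

# Subset of the Shiz C&C domains listed in the bulletin; the full list works the same way.
SHIZ_DOMAINS = frozenset({
    "digivehusyd.eu", "gadufiwabim.eu", "kefuwidijyp.eu", "vofozymufok.eu",
    "jefapexytar.eu", "fokyxazolar.eu", "puregivytoh.eu",
})
# www.bing.com also appears in the bulletin's connection list. It is deliberately
# left out of the blocklist: matching it would only produce noise.


@dataclass(frozen=True)
class Hit:
    line_no: int
    family: str
    indicator: str


def match_kelihos_url(url: str) -> Optional[dict]:
    """Return the mask components if `url` fits the Kelihos download pattern, else None."""
    m = KELIHOS_URL_RE.match(url.strip())
    if m is None:
        return None
    try:
        ipaddress.IPv4Address(m.group("ip"))  # rejects octets such as 999
    except ValueError:
        return None
    return m.groupdict()


def match_shiz_domain(host: str) -> Optional[str]:
    """Return the listed Shiz domain that `host` equals or is a subdomain of, else None."""
    host = host.strip().lower().rstrip(".")
    for d in SHIZ_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_logs(lines: Iterable[str]) -> List[Hit]:
    """Scan log lines in the assumed (constructed) format and return every indicator hit."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; a real pipeline would count these separately
        kind, target = parts[2], parts[3]
        if kind == "GET":
            if match_kelihos_url(target):
                hits.append(Hit(n, "Kelihos", target))
            host = urlsplit(target).hostname or ""
            d = match_shiz_domain(host)
            if d:
                hits.append(Hit(n, "Shiz", d))
        elif kind == "DNS":
            d = match_shiz_domain(target)
            if d:
                hits.append(Hit(n, "Shiz", d))
    return hits


# Constructed sample log lines (not from the bulletin).
SAMPLE_LOG = [
    "2014-02-12T10:01:02Z 10.0.0.5 GET http://77.122.80.243/mod2/keybex1.exe 200",
    "2014-02-12T10:01:09Z 10.0.0.5 GET http://178.150.171.207/mod1/keybex1.exe 200",
    "2014-02-12T10:02:11Z 10.0.0.7 GET http://example.com/mod2/readme.txt 200",
    "2014-02-12T10:03:40Z 10.0.0.9 GET http://gadufiwabim.eu/login.php 404",
    "2014-02-12T10:03:41Z 10.0.0.9 DNS fokyxazolar.eu NOERROR",
    "2014-02-12T10:03:42Z 10.0.0.9 DNS www.bing.com NOERROR",
    "2014-02-12T10:04:00Z 10.0.0.9 GET http://999.1.1.1/mod3/x.exe 200",
]

if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.family} indicator {h.indicator}")
```

Running the block reports four hits: the two Kelihos downloads and the two Shiz contacts (one via the proxy URL host, one via DNS). The example.com line shows why the mask is anchored on a literal IPv4 host, and the 999.1.1.1 line shows why the regex alone is not enough and the octets are validated with `ipaddress`.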


Zbot. We counted 197 backdoors this month; 94 of them install a Tor client to communicate with the C&C server. You can find the latest description on Zbot here.

NrgBot/Dorkbot. The latest description is here.

Rbot. The latest description is available in the Malware Encyclopedia.

Read the part 1: Lavasoft Security Bulletin - February 2014: Under the Dropbox Umbrella.
