Doctor Web discovers a botnet that attacks Russian banks

[omidomi]

Doctor Web’s specialists have pinpointed that the Trojan BackDoor.IRC.Medusa.1 was used by cybercriminals to carry out the recent series of DDoS attacks on the Rosbank and Eximbank of Russia websites.

BackDoor.IRC.Medusa.1 is a malicious program belonging to the IRC bot category. Trojans of this category can unite into botnets and receive instructions over the IRC (Internet Relay Chat) protocol. After connecting to a specific chat channel, IRC bots wait for directives. The main function of BackDoor.IRC.Medusa.1 is to perform DDoS attacks. Doctor Web’s security researchers believe this was the Trojan used to carry out the attack on Sberbank of Russia that was recently covered by the mass media.

BackDoor.IRC.Medusa.1 carries out several types of DDoS attacks and can also download and run executable files on an infected computer. The below figure shows a botnet operator manual published by the virus makers. The manual describes a botnet created using BackDoor.IRC.Medusa.1 and contains a list of commands the Trojan can execute:

​

The Trojan is being actively promoted on underground forums. Its creators claim that a botnet consisting of 100 infected computers is capable of generating up to 20,000-25,000 requests per second with a peak value of 30,000. As proof, they show a diagram of a test attack on the NGNIX http server:

​

Currently, 314 active connections are registered on one of the IRC channels controlling the BackDoor.IRC.Medusa.1 botnet. A Doctor Web analysis of the command log revealed that from November 11 to November 14, 2016, the cybercriminals attacked the following websites multiple times: rosbank.ru (Rosbank) and eximbank.ru (Eximbank of Russia) as well as fr.livraison.lu and en.livraison.lu (the Livraison restaurant chain) and korytov-photographer.ru (a private website).

​

The signature for BackDoor.IRC.Medusa.1 is already in the Dr.Web for Linux database. Doctor Web’s specialists are keeping a close watch on the situation.

 

[RoboMan]

Thanks for the article. It's good they could find this out. Just thinking about that hundred of botnets and malware infiltrated on banks and important sites that still haven't been detected because of the malware's sophistication.

 

[tim one]

The problem are the advanced persistent attacks that, starting from a single point (for example, a person inside the bank) then spread on the entire network by installing malware capable of stealing important information (credentials of a system administrator, confidential information, etc.). The purpose of the aggressor, is certainly install malware on the network and steal some data but, mainly to maintain their own persistent presence inside the network.

 

[RoboMan]

The problem are the advanced persistent attacks that, starting from a single point (for example, a person inside the bank) then spread on the entire network by installing malware capable of stealing important information (credentials of a system administrator, confidential information, etc.). The purpose of the aggressor, is certainly install malware on the network and steal some data but, mainly to maintain their own persistent presence inside the network.

That's exactly something i've always complained about and blamed bussinesses/enterprises head bosses. Anually, small/medium and big businesses spend (i'd say waste) thousands maybe millions of dollars, depending on the business, to implement and update security measures. They hire high-qualified professionals to secure every weak spot of their networks, they make sure their intern communication is encrypted, they buy and install last-updated well-known secure VPN's and Firewalls and the maximize the firewalls rules security. Still, the human factor is left behind, being the most dangerous. I've seen hundreds of cases where businesses with lots of security implements got infected/data stolen/ransomware'd because of the ignorance of the employees, who would run unknown files on an email, would download trash from the web, and would ignore firewall/antivirus alerts. Human factor has always been the vulnerable part of the big chain, and until we don't start teaching and giving employees the required tools to know the Do's and Dont's of basic enterprise security, ransomware/cracker attacks and beyond will always be a threat. Pretty sure if all employees know how to protect their systems, identify a threat, avoid malware, all they would need is a good firewall and a cup of tea.