LabZero

Hello.

C&C bootkit malware represents an evolution of malware, but how does this dangerous threat actually work?

Propagation relies on code injected into external web pages; in this case it is not a script or an iframe (methods that are more efficient but also more traceable), but a replacement of the href attribute of existing links. Infection therefore requires the user to click one of those links: this starts a procedure that records certain information about the user (referrer, IP address, names and versions of the plugins installed in the browser) and uses it to build a unique ID, which is then used to download a custom exploit.
The exploit runs, obviously without the user noticing, downloads a trojan dropper onto the victim's machine, and then redirects the user to the page they wanted to visit: a completely transparent process that takes place in the time between the click on a link and the opening of the requested page.

At this point the trojan dropper runs and drops the bootkit installer on the machine, marking it with the custom user ID. The installer starts, writes the malware payload to disk, and then triggers a reboot: the bootkit runs via a hook, hides its presence and starts working as a bot.

The botnet's C&C server is a moving target: its domain name can change several times in a single day, making it difficult to trace. The bot contains an algorithm for generating domain names, so that it can try again and again to connect to new C&C servers whenever the current address is rejected.
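As an added defender-side example (not part of the original post), the reconnection behaviour described above leaves a fingerprint in resolver logs: one host repeatedly querying algorithmic-looking names and receiving NXDOMAIN until one resolves. The log format, the thresholds and the sample lines below are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log, one "<timestamp> <client> <qname> <rcode>"
# per line. Client 192.0.2.23 walks through generated names until one resolves.
SAMPLE_LOG = """\
2024-03-01T09:00:01 192.0.2.10 www.example.com NOERROR
2024-03-01T09:00:02 192.0.2.10 mail.example.com NOERROR
2024-03-01T09:00:05 192.0.2.23 xk3j9qzmw7pt2.com NXDOMAIN
2024-03-01T09:00:06 192.0.2.23 q8vbn4rtls0zd.net NXDOMAIN
2024-03-01T09:00:07 192.0.2.23 zp1mw9kqx3vtb.org NXDOMAIN
2024-03-01T09:00:08 192.0.2.23 hg7ctr2lqvn5x.com NXDOMAIN
2024-03-01T09:00:09 192.0.2.23 k2rm8wqzt5ydv.biz NOERROR
2024-03-01T09:00:12 192.0.2.10 cdn.example.org NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def entropy(s):
    """Shannon entropy of s in bits per character."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_algorithmic(domain, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Heuristic for a generated name: long, high-entropy, vowel-poor
    registrable label. Thresholds are illustrative; assumes a one-label TLD."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return False
    label = parts[-2]
    vowels = sum(ch in "aeiou" for ch in label)
    return (len(label) >= min_len and entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)

def flag_dga_clients(log_text, min_failures=3):
    """Map client -> algorithmic-looking names that got NXDOMAIN, for clients
    with at least min_failures such answers (a bot hunting for its C&C)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        _ts, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_algorithmic(qname):
            failures[client].append(qname)
    return {c: n for c, n in failures.items() if len(n) >= min_failures}
```

On the sample log only 192.0.2.23 is flagged; the single failed lookup of a normal name by 192.0.2.10 is ignored, which is the point of combining the name heuristic with the failure count.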

Once the bot has established a connection with the correct C&C server, it can download additional modules and start sending information about the infected user. In particular, the downloaded add-on module (a DLL) is loaded into memory and is never stored on disk, which makes it invisible to antivirus scans of the filesystem; a reboot of the machine of course removes it from main memory, but it is promptly reloaded. This module is responsible for collecting data, such as the passwords on the system and network traffic directed to banking sites, and sending it promptly to the attacker's server, but it also contains pretty much all the other functionality: keylogging, redirection to phishing sites, and so on.

We have thus seen a real and practical example of a sophisticated malware that infects its victims silently and is able to hide its presence on the victim's system, while continuing to communicate with a centralized but constantly moving infrastructure, to which it sends confidential data of every kind belonging to the victim, who remains unaware of everything.
 