In this blog, I will detail the evolution of the most representative botnet families that we have hunted since October 2010.

First we have dead and the dying. The dead include Bobax, Donbot, Grum, Fivetoone and Rustock; and those in poor health include Bagle:

• Bobax (alias Kraken) was with Bagle one of the first spam botnets. Different spammers used several variants from May 2004 to mid-2012.
• Donbot variants were frequently encountered from December 2008 to December 2011. They had their time of “glory” during the first quarter 2009, with a short revival in the second quarter of 2011. They are frequently merged with Trojan.Buzus (AVP in December 2007), TROJ_BUZUS (Trend in February 2008), and Win32/Bachsoy.A (Vet in August 2008).
• Grum (alias Win32/Tedroo) and its kernel-mode rootkit appeared in October 2007. Its control servers were taken down in July 2012.
• Fivetoone (alias DMSSpammer) began in October 2007, but disappeared in March 2012.
• Rustock (alias RKRustok, Costrat, Meredrop) appeared in 2006. It reached its peak between August and December 2010, but was stopped in February-March 2011 after law enforcement action.
• Unlike the previous five, Bagle is not fully defunct. This malware family appeared in January 2004. The variant we still watch is nicknamed Bagle-CB.

Second we have the survivors, present from 2010 to date. They are Festi, Cutwail, Lethic, and Maazben:

• Festi was first encountered in January 2009. It is now the most prevalent.
• Cutwail (alias Pandex, Wigon, Pushdo) appeared in September 2007. After a long time as number 1, it is now number 2.
• Lethic was discovered around September 2009. Shut down in January 2010, it reappeared not long afterward and is now in decline.
• Maazben appeared in May 2008. It is still in our top 5 but has dropped over three quarters from rank 3 to rank 5.

Finally we have the newcomers: Darkmailer, Waledac, Slenfbot, and Kelihos:

• Darkmailer is a spam tool first released in 2003. Each month for three years a small number of senders has been systematically detected by our sensors. In January 2013, we saw a dramatic increase in senders–suggesting a possible evolution in its spamming technique.
• Waledac (alias Waled, SLM) has been in the wild since October 2008. It was shut down for the first time in February 2010 (operation b49) but reappeared soon thereafter. It reached its highest level in 2012, but was recently affected when Polish authorities seized domains used to control the Virut botnet.
• Slenfbot is an IRC bot family known since 2008. Described in a Threat Advisory, a new variant has spread suddenly. It is distributed through links attached in different chat windows like ICQ, Skype, GTalk, Pidgin, AIM, MSN, and YIM, as well as Facebook.
• Controlled through a peer-to-peer network, Kelihos (alias Hilux) was first detected in December 2010, and appeared finished in September 2011. It reappeared during the last months of 2012, reaching rank 6.

The situation among messaging botnets is changing. Besides Festi and Cutwail, the challengers struggle is survive. Yet when a botnet fails or disappears, another one takes its place.

This one was pointing:

iframe src=”http://[REMOVED].cn/in.cgi?[REMOVED]

This iframe is a redirect to:

http:// [REMOVED].hostindianet.com/index.php?[REMOVED]

Now it gets interesting. This url contains a script that will send a PDF file, called readme.pdf. As an additional note, this pdf looks like part of the Luckysploit kit.

Readme.pdf is a malicious PDF file as you can imagine.

Dissecting it, there is a shellcode, with several functions like:

-GetTempPathA

-LoadLibraryA

-GetProcAddress

-WinExec

And our friend URLDownloadToFileA , which as the name implies, downloads something form a url to a file

The url is : http:// [REMOVED2].hostindianet.com/l[REMOVED2]?id=4 and id=5

Following these urls, it was possible to find out that both id=4 and id=5 returned the same file, which is one variant of the Waledac.

And yes, both Malicious PDF and the downloaded file are detected by us

And yes2, REMOVED and REMOVED2 are different blocks.

An additional thanks to my friend Tom Liston for the title. I will always remember the Bouncing following malware series…;)