Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Panda Security Uncovers Bot-Killing Malware

Researchers at Panda Security have uncovered a botnet that not only swipes financial information, but also goes after rival malware.

PandaLabs, the company’s research arm, recently detected a new bot called Ainslot.L targeting Windows machines. The malware’s primary job is to log user activities, download additional malware to take control of the system and steal log-in information related to online banking sites. But as a side bonus, the malware goes on a seek-and-destroy mission targeting other bots, including Zeus and DarkComet.

Researchers at Panda Security have uncovered a botnet that not only swipes financial information, but also goes after rival malware.

PandaLabs, the company’s research arm, recently detected a new bot called Ainslot.L targeting Windows machines. The malware’s primary job is to log user activities, download additional malware to take control of the system and steal log-in information related to online banking sites. But as a side bonus, the malware goes on a seek-and-destroy mission targeting other bots, including Zeus and DarkComet.

This is not exactly unheard of. For example, last year the ZeroAccess rootkit was caught uninstalling the TDL3 rooktit.

“I would not say it is very common, but I have seen it implemented in a number of Trojans, and some worms,” said Luis Corrons, technical director of PandaLabs. “The first time I saw this behavior was back in the time of Netsky and Bagle worms. In some rival banking Trojans is more usual: at the end of the day they are looking for the same information, online banking user credentials, so removing the competition is mandatory.”

According to Panda Labs, Ainslot.L spreads using a fake email claiming to come from a UK clothing company called CULT. The message tells users they have placed an order in the amount of 200 pounds on CULT’s online store and that amount will be charged to their credit card. In addition, the message includes a link to view the order, which actually downloads the malware.

Right now, the firm does not have a good estimate on the size of the botnet because researchers have yet to break into the botnet’s command and control server. The malware is not believed to be a custom build. Instead, Corrons thinks it is part of a kit, explaining he observed some old code about P2P programs in the binary. Once on the computer, the bot connects to a Chinese IP address.

“We have only seen the CULT messages so far. It can download another malware, but it is not downloading any at the moment,” Corrons said. “It is up to the cybercriminal controlling it to give the order to install some other malware. A usual thing we see in these cases is the download of fake antivirus software.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.