Researchers at Panda Security have uncovered a botnet that not only swipes financial information, but also goes after rival malware.
PandaLabs, the company’s research arm, recently detected a new bot called Ainslot.L targeting Windows machines. The malware’s primary job is to log user activities, download additional malware to take control of the system and steal log-in information related to online banking sites. But as a side bonus, the malware goes on a seek-and-destroy mission targeting other bots, including Zeus and DarkComet.
This is not exactly unheard of. For example, last year the ZeroAccess rootkit was caught uninstalling the TDL3 rooktit.
“I would not say it is very common, but I have seen it implemented in a number of Trojans, and some worms,” said Luis Corrons, technical director of PandaLabs. “The first time I saw this behavior was back in the time of Netsky and Bagle worms. In some rival banking Trojans is more usual: at the end of the day they are looking for the same information, online banking user credentials, so removing the competition is mandatory.”
According to Panda Labs, Ainslot.L spreads using a fake email claiming to come from a UK clothing company called CULT. The message tells users they have placed an order in the amount of 200 pounds on CULT’s online store and that amount will be charged to their credit card. In addition, the message includes a link to view the order, which actually downloads the malware.
Right now, the firm does not have a good estimate on the size of the botnet because researchers have yet to break into the botnet’s command and control server. The malware is not believed to be a custom build. Instead, Corrons thinks it is part of a kit, explaining he observed some old code about P2P programs in the binary. Once on the computer, the bot connects to a Chinese IP address.
“We have only seen the CULT messages so far. It can download another malware, but it is not downloading any at the moment,” Corrons said. “It is up to the cybercriminal controlling it to give the order to install some other malware. A usual thing we see in these cases is the download of fake antivirus software.”
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
