Researchers at Panda Security have uncovered a botnet that not only swipes financial information, but also goes after rival malware.
PandaLabs, the company’s research arm, recently detected a new bot called Ainslot.L targeting Windows machines. The malware’s primary job is to log user activities, download additional malware to take control of the system and steal log-in information related to online banking sites. But as a side bonus, the malware goes on a seek-and-destroy mission targeting other bots, including Zeus and DarkComet.
This is not exactly unheard of. For example, last year the ZeroAccess rootkit was caught uninstalling the TDL3 rooktit.
“I would not say it is very common, but I have seen it implemented in a number of Trojans, and some worms,” said Luis Corrons, technical director of PandaLabs. “The first time I saw this behavior was back in the time of Netsky and Bagle worms. In some rival banking Trojans is more usual: at the end of the day they are looking for the same information, online banking user credentials, so removing the competition is mandatory.”
According to Panda Labs, Ainslot.L spreads using a fake email claiming to come from a UK clothing company called CULT. The message tells users they have placed an order in the amount of 200 pounds on CULT’s online store and that amount will be charged to their credit card. In addition, the message includes a link to view the order, which actually downloads the malware.
Right now, the firm does not have a good estimate on the size of the botnet because researchers have yet to break into the botnet’s command and control server. The malware is not believed to be a custom build. Instead, Corrons thinks it is part of a kit, explaining he observed some old code about P2P programs in the binary. Once on the computer, the bot connects to a Chinese IP address.
“We have only seen the CULT messages so far. It can download another malware, but it is not downloading any at the moment,” Corrons said. “It is up to the cybercriminal controlling it to give the order to install some other malware. A usual thing we see in these cases is the download of fake antivirus software.”