Rmnet.12 създали един милион Windows компютри бот мрежа

Нов ботнет от милиони компютри засече антивирусната компания Доктор Уеб. Вирусът Win32.Rmnet.12 заразява РС с Windows, като изпълнява функциите на бекдор – краде пароли от популярни FTP клиенти, които могат да се използват за организация на мрежови атаки или заразяване на сайтове.

The greatest number of infected PCs is  located in Indonesia  – 320,014 infected machines, or 27.12%. Bangladesh rates second with  166,172 infected hosts which constitue 14.08% of the botnet size. The third  rank is taken by Vietnam  (154,415 bots, or 13.08%), followed by India  (83,254 bots, or 7.05%), Pakistan  (46,802 bots, or 3.9%), Russia  (43 153 infected machines, or 3.6%), Egypt  (33,261 hosts, or 2.8%), Nigeria  (27,877 bots, or 2.3%), Nepal  (27,705 bots, or 2.3%) and Iran  ( 23,742 bots, or 2.0%). A sufficiently large number of compromised hosts is  found in the Republic of Kazakhstan (19 773 cases of infection, or 1.67%) and  the Republic of Belarus (14,196 bots, or 1.2%). 12 481 compromised hosts or  1.05 of the total number of bots are located in the Ukraine. A relatively small  number of infected computers reside in the U.S. – 4327 machines, which  corresponds to 0.36%. The smallest numbers are found in Canada (250 computers, or 0.02% of the network’s  bulk) and Australia  (only 46 computers). One infected computer has been found in Albania, Denmark,  and Tajikistan  each.

April 18, 2012

Doctor Web—a Russian anti-virus  company—reports an outbreak of the Win32.Rmnet.12 virus that enabled attackers  to create a botnet incorporating over million infected computers. Win32.Rmnet.12  infects Windows PCs, performs backdoor tasks and steals passwords stored by  popular ftp clients. The passwords may later be used used to mount network  attacks and infect websites. Win32.Rmnet.12 processes commands from a remote  server which may include bringing down the OS.

First entries related toWin32.Rmnet.12  were added to the Dr.Web virus database in September 2011. From this point on  Doctor Web’s analysts followed closely the development of this threat. The  virus penetrates computers in different ways: via infected flash drives,  with  infected executable files, as well  as using special scripts embedded into html-documents— they save the virus to  the computer when one opens a malicious web page in the browser window. A  signature for the VBScript code was added into the Dr.Web virus database as  VBS.Rmnet.

Win32.Rmnet.12is a complex multicomponent  virus, consisting of several modules and capable of self-replication. When  launched,Win32.Rmnet.12checks which browser is set as a system default browser  (if not detected, the virus targets Microsoft Internet Explorer), and injects  its code into the browser process. Then it uses the hard drive serial number to  generate its own file name, saves itself into the autorun folder of the current  user and assigns the attribute “hidden” to its file. The virus’s  configuration file is saved into the same folder. Then, the virus uses an embedded  routine to determine the name of a control server and tries to connect to it.

One of the virus components is a backdoor.  Once launched, it tries to determine the Internet connection speed: it sends  requests at google.com, bing.com and yahoo.com at 70 second intervals and  analyses responses. ThenWin32.Rmnet.12launches an FTP server on the infected  machine, connects to a remote server and transmits information about the  infected system to intruders. The backdoor can execute commands received from  the remote server, in particular, to download and run arbitrary files, update  itself, to take screenshots and send them to criminals, and even render the  operating system non-operational.

Another virus component steals passwords stored  by most popular FTP-clients, such as Ghisler, WS FTP, CuteFTP, FlashFXP,  FileZilla, Bullet Proof FTP and others. This information can later be exploited  to carry out network attacks or to place various malicious objects on remote  servers. Also,Win32.Rmnet.12takes care to search through user’s cookies, so  attackers can gain access to the user’s accounts at different sites that  require authentication. In addition, the module can block access to specified sites,  and redirect the user to a site controlled by virus writers. One of the Win32.Rmnet.12  modifications is also  able to make web injections to steal bank account information.

The virus spreads in various ways: by  exploiting browser vulnerabilities that enable intruders to save and launch  executables upon loading a web-page. The virus searches for all html files  stored on disks and embeds VBScript code into them. In addition,Win32.Rmnet.12  infects all executable files with the .exe extension found on the disks and is  able to copy itself to removable flash drives. It saves an autorun file and a  shortcut to a malignant application into the root folder on a flash drive. This  application launches the virus.

The botnet comprised of hosts infected with Win32.Rmnet.12was discovered by Doctor Web as long ago as in September 2011  when the first virus sample fell into the hands of virus analysts. They soon  decrypted names of control servers found inWin32.Rmnet.12resources. After a  while analysts decrypted the protocol used for communication between bots and  control servers which enabled them to determine the number of bots and to  control them. On February 14, 2012 Doctor Web’s virus analysts created a  sinkhole, (it was subsequently used to study the BackDoor.Flashback.39 botnet),  namely, registered domain names for several servers controlling one of Win32.Rmnet.12networks and gained full control over the botnet. In late  February, anotherWin32.Rmnet.12subnet was hijacked this way.

At first, the number of bots was relatively  small and reached several hundred thousand, however, the number grew by and by.  As of April 15, 2012, theWin32.Rmnet.12botnet is comprised of 1,400,520  infected hosts and is growing steadily.

Share this...
Share on Facebook
Facebook
Tweet about this on Twitter
Twitter
About Другата гледна точка

Не е страшно да си луд, страшното е ако го осъзнаваш. Думите могат да бъдат опасни. През повечето време предпочитаме да говорим кратко и с недомлъвки. Пропускаме много – има заличени места в езиковото ни общуване. Може би приемаме, че празнините ще бъдат запълнени от слушателя или че пропуснатото не е съществено. Вероятно не се замисляме, но и в двата случая има голяма разлика между това, което мислим, че сме казали и това, което слушателят мисли, че сме имали предвид, и това, което в крайна сметка е разбрал.