Monthly Archive for April, 2009

When a Botmaster goes REALLY mad

Published on April 8, 2009 in Malware & Virus Analysing. 0 Comments Tags: , , , .

Yesterday I came across a post on Sunbelt’s Blog concering bots which have a build in function to destroy the computers operating system (OS). The Sunbelt Blog reference to a blog post on the S21sec Blog:

This time we are taking a close look about what things could happen with an infected computer when the running bot receives an specific command about to kill the Operating System. Not all type of bots usually have this functionality, but banking Trojans usually have. We will take three examples (InfoStealer, Zeus/Zbot and Nethell/Ambler), these are the most common Trojans where we’ve definitely found in their binaries the malicious code that is responsible for the Execution of Windows.

Last week I received a copy from a ZeuS C&C server for analysis (53’878’694 records in database / 155GB) . The C&C server was hosting about 5 different ZeuS installations controlling more than 100′000 computers, mainly located in Poland and Spain.

I was just shocked as I saw that the ZeuS C&C was sending out the ZeuS command kos:

ZeuS C&C: Kill Operating System

But what is “kos”? The kos command is used by ZeuS to destroy the operating system (kill Operating System). From ZeuS help file (translated with Google):

kos – incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and / or HKEY_LOCAL_MACHINE. If you have sufficient privileges – fly to “blue screen”, in other cases creates the brakes. Following these steps, loading OS will not be possible!

So what happened? The Operating System of every infected client which was connected to one of the malicious ZeuS C&Cs has been destroyed. That are about 100’000 affected computers!

Yeah, that happens when a Botmaster goes really mad…

Further reading:
Sunbelt Blog: Bots that destroy the operating system
S21sec Blog: When a Bot master goes mad – Kill the OS
abuse.ch ZeuS Tracker BETA
economics-recluse
Scene
Urgent!