Tag Archives: botnet

Scareware Locks Down Computer Due To Child Porn and Terrorism

Recently, my sandbox came across a piece of scareware that locks down the victim’s computer because of alleged “terrorism and child pornography”. The malware is detected by some AV vendors as “Win32/LockScreen”.

The scheme is pretty simple: the criminals try to infect computers with the scareware (e.g. through drive-by exploits). As soon as a computer is infected, the malware locks down the machine so that the user is no longer able to log in. The malware then displays a message claiming that law enforcement agency XY found child pornography on the victim’s computer and that the computer was used to send out “spam mails with terrorist motives”:


This operating system is locked due to the violation of the laws of the United Kingdom! Following violations were detected:
Your IP address was used to visit websites containing pornography, child pornography, zoopillia and child abuse. Your computer also contains video files with Pornographic content, elements of violence and child pornograhpy! Spam-messages with terrorist motives were also sent from your computer

This computer lock is aimed to stop your illegal activity.

The message displayed to the victim looks like this:

What is interesting about this scareware is that its behaviour depends on the geolocation of the victim’s computer. Before the scareware displays the message shown above, it contacts a central botnet command and control server (C&C) located in Ukraine (AS197145, Infium LTD) over HTTP:

X- GET /loc/gate.php?getpic=getpic HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, XX Feb 2012 XX:XX:XX
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 32
Connection: close
Content-Type: text/html; charset=UTF-8

In the first request the malware contacts the C&C with a parameter called “getpic”. The C&C responds with a URL pointing to the image the malware should display to the victim. The malware then follows the URL and downloads the BMP file:

GET /pic/DE.bmp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache

Then the malware determines the IP address of the victim’s computer by querying the C&C with the parameter “getip”:

X- GET /loc/gate.php?getip=getip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Connection: Keep-Alive

Afterwards the malware displays a “lock screen” to the user, built from the C&C response (the IP address) and the image file downloaded before.
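As an added example (not code from the original post), here is a small Python check a defender could run over proxy logs to spot the getpic / BMP / getip request sequence described above, together with the agency-impersonating domains the post goes on to list. The log lines are constructed, and since the controller’s IP is not given on the page a labelled placeholder host stands in for it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Domains listed in the post; the controller's IP is not on the page, so the constructed
# log below uses a labelled placeholder host for it.
LOCKSCREEN_DOMAINS = {"landes-kriminalt.net", "policemetropolitan.org",
                      "n-p-f.org", "it-polizia.org", "lapoliciaespanola.org"}
BMP_RE = re.compile(r"^/pic/([A-Z]{2})\.bmp$")

# Constructed proxy log sample, one "client method url" record per line.
SAMPLE_LOG = """\
10.0.0.5 GET http://cnc-ip-placeholder.invalid/loc/gate.php?getpic=getpic
10.0.0.5 GET http://cnc-ip-placeholder.invalid/pic/DE.bmp
10.0.0.5 GET http://cnc-ip-placeholder.invalid/loc/gate.php?getip=getip
10.0.0.9 GET http://www.example.org/index.html
10.0.0.7 GET http://landes-kriminalt.net/some/path
"""

def classify_request(url):
    """Return (finding, detail) for one URL, or None if nothing matches."""
    parts = urlsplit(url)
    if (parts.hostname or "") in LOCKSCREEN_DOMAINS:
        return ("lockscreen-domain", parts.hostname)
    if parts.path.endswith("/gate.php"):
        # The beacon repeats the parameter name as its value: getpic=getpic, getip=getip.
        for p in ("getpic", "getip"):
            if parse_qs(parts.query).get(p) == [p]:
                return ("gate-beacon", p)
    if m := BMP_RE.match(parts.path):
        return ("lockscreen-image", m.group(1))  # country code of the spoofed agency
    return None

def scan_log(text):
    """Group findings per client IP, preserving request order."""
    findings = {}
    for line in text.splitlines():
        client, _method, url = line.split(" ", 2)
        if f := classify_request(url):
            findings.setdefault(client, []).append(f)
    return findings

def infected_clients(findings):
    """Clients whose findings contain getpic -> BMP -> getip as an ordered subsequence."""
    hits = []
    for client, items in findings.items():
        it = iter(k for k, _ in items)
        if all(k in it for k in ("gate-beacon", "lockscreen-image", "gate-beacon")):
            hits.append(client)
    return hits
```

A single hit on the fake agency domains is enough to block and investigate; the full three-step sequence from one client is a strong sign that the lock screen was actually displayed there.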

The interesting part is that you can identify the countries being hit by this attack by guessing the names of the image files on the botnet controller (they follow the country code scheme). So far, I’ve identified the following countries/URLs:

Country: Austria (AT)
Domain name: landes-kriminalt.net

Country: Germany (DE)
Domain name: landes-kriminalt.net

Country: United Kingdom (GB)
Domain name: policemetropolitan.org

Country: France (FR)
Agency: Gendarmerie nationale
Domain name: n-p-f.org

Country: Italy (IT)
Agency: Guardia di Finanza
Domain name: it-polizia.org

Country: Spain (ES)
Agency: La policia ESPANOLA
Domain name: lapoliciaespanola.org

Most of the domain names mentioned above are misspelled; for example, landes-kriminalt.net is a misspelling of “Kriminalamt”, which is equivalent to the Federal Police. All of the mentioned domain names are registered through the registrar BIZCN (a registrar located in China):

Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS3.CNMSN.COM
Name Server: NS4.CNMSN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 02-may-2011
Creation Date: 02-may-2011
Expiration Date: 02-may-2012

Last update of whois database: Thu, 01 Mar 2012 10:26:21 UTC

Domain name: landes-kriminalt.net

Registrant Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945

Administrative Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945

Technical Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945

Billing Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
Created: 2011-05-02
Expires: 2012-05-02

What nearly all of these domain names have in common is that they have already been up for more than 8 months (Created: 2011-05-02). The same registrant has also registered other domain names:


I’m asking myself how the criminals have managed to avoid getting their domain names suspended for such a long period of time. Please note that these domain names can be considered malicious and should therefore be blocked at your network’s edge (web gateway / proxy / DNS) along with the botnet controller (

The scareware scheme described here isn’t really new; Switzerland, along with several other European countries, was hit by a similar attack back in 2011:

How Big is Big? Some Botnet Statistics

There is a lot of malware out there, and sometimes it’s very difficult for security researchers or AV vendors to estimate the extent of a given threat (e.g. a trojan). One technique to do so is called sinkholing: the goal is to register malicious botnet domains, proactively or reactively, to prevent the criminals from exerting command and control over the hijacked/infected computers, and at the same time to warn ISPs about infected computers.

Some of you might already know that I am running a sinkhole. Therefore I thought it might be interesting to reveal some botnet statistics based on the drone data I have collected on my sinkhole.

The following data has been collected over a period of 2 months. During this time I’ve sinkholed several botnets. To generate the statistics shown below I have picked out the highest peak of each malware family and plotted it in the bar chart. In short, the chart shows the highest peak of each malware family during the past two months (within a 24 hour period).

First of all, let’s have a look at each malware family I’ve sinkholed during this time.

Trojan     Aliases                   Reference
Artro      Renos, CodecPack          Kaspersky Lab
Carberp    -                         Symantec
Gbot       -                         Sonicwall
Gozi       -                         SecureWorks
Ponmocup   Swisyn, Changeup          Microsoft
Ramnit     -                         abuse.ch
SpyEye     EyeStye                   Symantec
TDSS       Alureon, Tidsserv, TDL4   ESET
ZeuS       Zbot, WSNPoem, ntos       Symantec

As shown in the table above, we have some banking trojans (Carberp, Gozi, SpyEye and ZeuS), some trojan droppers (Gbot, Ponmocup), a worm (Ramnit) and some click fraud trojans (Artro, TDSS).

Note: The number of infected IPs for each trojan mentioned below does not necessarily reflect the exact botnet size. It does, however, work fairly well as a relative indication. Some trojans are malware kits used to run several different botnets (like ZeuS or SpyEye), not all of which are being sinkholed.

Let’s take a look at the sinkhole statistics:

The chart above shows the total number of new and total IPs seen within 24 hrs for each malware family. What really sticks out is that the trojans used to attack financial institutions (banking trojans) have a relatively small number of infected computers (drones) compared to Gbot (which is used to drop/install additional malware on the victim’s computer) and the well-known click fraud rootkit called TDSS. The size of the TDSS botnet is 6 times the size of the Carberp botnet.
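As an added illustration of how the numbers behind such a chart are derived (this is not the post’s own tooling), the following Python takes constructed sinkhole connection records and computes, per malware family and per day, the unique IPs and the IPs never seen on an earlier day, then the highest 24 h peak per family and the size ratio between two families. Calendar UTC days stand in for the post’s 24 hour windows; that alignment is an assumption.

```python
from collections import defaultdict

# Constructed sinkhole records: (UTC timestamp, malware family, source IP).
# Illustrative values only, not the drone data behind the post's chart.
RECORDS = [
    ("2012-02-01 01:00", "tdss", "198.51.100.1"),
    ("2012-02-01 02:00", "tdss", "198.51.100.2"),
    ("2012-02-01 23:00", "tdss", "198.51.100.1"),  # repeat: counted once per day
    ("2012-02-02 03:00", "tdss", "198.51.100.1"),
    ("2012-02-02 04:00", "tdss", "198.51.100.3"),
    ("2012-02-02 05:00", "tdss", "198.51.100.4"),
    ("2012-02-01 10:00", "carberp", "203.0.113.7"),
    ("2012-02-02 10:00", "carberp", "203.0.113.7"),
]

def daily_stats(records):
    """Per family and per day: 'total' unique IPs and 'new' IPs not seen on any earlier day.

    The calendar day (YYYY-MM-DD prefix of the timestamp) is used as the 24 h window;
    that is an assumption, the post does not say how its windows are aligned.
    """
    per_day = defaultdict(lambda: defaultdict(set))
    for ts, family, ip in records:
        per_day[family][ts[:10]].add(ip)
    stats = {}
    for family, days in per_day.items():
        seen = set()
        stats[family] = {}
        for day in sorted(days):  # ISO dates sort chronologically as strings
            ips = days[day]
            stats[family][day] = {"total": len(ips), "new": len(ips - seen)}
            seen |= ips
    return stats

def peak_per_family(stats):
    """Highest 24 h unique-IP count per family, the value plotted per bar in the post."""
    return {fam: max(d["total"] for d in days.values()) for fam, days in stats.items()}

def size_ratio(peaks, a, b):
    """Relative size of two botnets by their peaks (the post compares TDSS to Carberp this way)."""
    return peaks[a] / peaks[b]
```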

Why is this the case? It’s not very difficult to infect computers today. The trick is to find a good way to monetize the botnet. For banking trojans, the problem becomes getting money mules that the criminal can use for transferring/laundering the stolen money. A cybercriminal won’t benefit from a big botnet if he’s not able to cash out the money from the victims’ bank accounts. Also, banking trojans rather quickly get attention from both law enforcement and individuals in the infosec community.

Doing click fraud is much easier: who cares about click fraud? Nobody, except the companies that are actually offering/selling online advertisements. If you call someone and tell him “Hey, your computer is infected with a click fraud trojan” you will most probably get an answer like “WTF is click fraud?!?”, and even if you explain the situation to him I’m pretty sure you will get an answer like “Well, I don’t care, I hate online advertisements anyway. They only distract me when I’m surfing on porn sites… *erm* when I’m doing online shopping”.

Still, I’m not surprised that there are botnets out there that are even bigger than TDSS/TDL:

The chart above shows a botnet called Artro. It is also known as “the advertisement botnet” (Kaspersky) or Renos/CodecPack. It is 1.5 times bigger than TDSS. Artro, too, is doing some click fraud. I sinkholed the Artro botnet a year ago. Back then, the botnet had a size of 330’000 infected computers (again within 24 hrs)!

So I’m asking myself: does this answer our question “How Big is Big”? If we are serious, we can say that 330’000 infected computers is quite enough and really big. That’s nearly the same number of computers as there are inhabitants in the largest Swiss city (Zurich).

What would you say if I told you that there is a botnet out there that is much bigger than the Artro botnet?

Some weeks ago I came across a huge botnet that was pretty much unknown to me and that I had never heard of before. Doing some research, I came to the conclusion that this trojan was known as Ponmocup. When I started to sinkhole this botnet I was shocked to see that more than 1.2 million (yes, 1’200’000) unique IPs connected to my sinkhole within just 24 hours.

Probably most of you don’t even know Ponmocup, so you may ask yourself how this botnet became that big. Well, you already answered this question: the criminals obviously managed to stay under the radar for months (maybe even years). I’m sure there are even more botnets out there (like Artro and Ponmocup) that are quite big and still under the radar of the AV industry / infosec community.

*** Conclusion ***
We have learned that botnet size doesn’t really matter. The criminals don’t need a big botnet to make a lot of money: it always depends on the business model the criminals want to adopt (e-banking fraud, click fraud or whatever).

But what do we have to do to mitigate these threats? My approach is to try to identify such botnets and sinkhole them. Doing so, I’m able to collect data from the connecting bots, which is fed into the Shadowserver Drone database. If you are an ISP, a company or running your own network/AS, you can obtain a free-of-charge drone feed from Shadowserver for your AS. This allows you to get informed about infected computers within your network on a daily basis.

If you are an ISP/network owner I highly recommend subscribing to Shadowserver’s Drone feed (if you are not already subscribed).

You can subscribe and/or obtain more information about Shadowserver’s Reporting Service here: