By Andrew Brandt
The program in question is called the ZombieM Bot Builder, which is used by the kind of upstanding citizens who spread Trojans in order to build up botnets — a collective of infected computers that can act as one entity. The creators of this program, an Argentinian group called Arhack, sell it for 180 euros. But don’t pull out your stolen credit cards just yet, because Arhack doesn’t take Visa: They sell this garbage exclusively via Western Union money transfer.
Well, someone has cracked both the earlier, 1.0 version of their bot generator and the latest, 2.0 version, and posted it online for other criminals — the cheap kind, who don’t have 180 euros to spare — to use. The cracked version lets you use all aspects of the program to generate bots and manage the botnet without the need for a customized username and password, which you would otherwise need in order to start up the program.
But there’s a hitch: Whenever you run the cracked version, it also installs Trojan-Backdoor-PoisonIvy, a different but equally nasty botnet Trojan. The backstabbing Trojan trifecta is in play.
Can I get a “ha ha”?
Like most PoisonIvy infections, the payload is a small executable in the user’s Temp folder. In this case, the 8704-byte PoisonIvy payload periodically checks in with m41k00l.no-ip.biz, which is an address used by a dynamic DNS service. At the moment, the IP address this domain points to belongs to a cable broadband ISP in Bogota, Colombia.
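The two behaviours just described, a small executable dropped in a user's Temp folder and periodic check-ins to a dynamic-DNS hostname, are both things a defender can look for in telemetry they already have. The script below is an added example and is not Webroot's code or part of this post; it assumes a simple constructed DNS-query log format, an illustrative (not complete) list of dynamic-DNS provider suffixes, and Windows-style Temp paths. It flags dynamic-DNS names that a host resolves at regular intervals (a beaconing pattern) and lists small `.exe` files sitting in a Temp directory, using the hostname and the 8704-byte size from the post as sample values.

```python
"""Defender-side triage for a Temp-folder payload beaconing to a dynamic-DNS name.

Added example (not Webroot's code). The log format, suffix list, and file
inventory are assumptions/constructed data for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: a few common dynamic-DNS provider suffixes; extend for your environment.
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.com", "dyndns.org")

# Constructed sample DNS-query log (timestamp, querying host, record type, name).
SAMPLE_DNS_LOG = """\
2009-04-01 10:00:01 WORKSTATION-07 query A www.example.com
2009-04-01 10:00:15 WORKSTATION-07 query A m41k00l.no-ip.biz
2009-04-01 10:02:15 WORKSTATION-07 query A m41k00l.no-ip.biz
2009-04-01 10:03:40 WORKSTATION-12 query A updates.vendor.example
2009-04-01 10:04:15 WORKSTATION-07 query A m41k00l.no-ip.biz
"""

# Constructed sample file inventory: (path, size in bytes).
SAMPLE_INVENTORY = [
    (r"C:\WINDOWS\system32\notepad.exe", 69120),
    (r"C:\Documents and Settings\user\Local Settings\Temp\update.exe", 8704),
    (r"C:\Documents and Settings\user\Local Settings\Temp\setup_big.exe", 2_000_000),
    (r"C:\Documents and Settings\user\Local Settings\Temp\notes.txt", 120),
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) query (?P<rtype>\S+) (?P<qname>\S+)$"
)


def parse_dns_log(text):
    """Return a list of (timestamp, host, qname) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["host"], m["qname"].lower().rstrip(".")))
    return events


def is_dyndns(qname):
    """True if qname is, or is a subdomain of, a known dynamic-DNS provider suffix."""
    return any(qname == s or qname.endswith("." + s) for s in DYNDNS_SUFFIXES)


def find_beacons(events, min_queries=3, tolerance=0.2):
    """Group dynamic-DNS lookups by (host, name) and flag regularly spaced ones.

    A name is marked as a beacon when it was queried at least min_queries times
    and every gap between consecutive queries is within tolerance of the mean gap.
    """
    by_pair = defaultdict(list)
    for ts, host, qname in events:
        if is_dyndns(qname):
            by_pair[(host, qname)].append(ts)

    findings = []
    for (host, qname), times in by_pair.items():
        times.sort()
        finding = {"host": host, "qname": qname, "queries": len(times),
                   "beacon": False, "period_s": None}
        if len(times) >= min_queries:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = sum(gaps) / len(gaps)
            if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
                finding["beacon"] = True
                finding["period_s"] = round(mean)
        findings.append(finding)
    return findings


def find_small_temp_executables(inventory, max_size=16384):
    """Return paths of .exe files inside a Temp directory at or below max_size bytes."""
    hits = []
    for path, size in inventory:
        p = path.replace("\\", "/").lower()
        if p.endswith(".exe") and "/temp/" in p and size <= max_size:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for f in find_beacons(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f)
    print(find_small_temp_executables(SAMPLE_INVENTORY))
```

Run against the constructed data, the only beacon reported is WORKSTATION-07 resolving m41k00l.no-ip.biz every 120 seconds, and the only flagged file is the 8704-byte executable in Temp; the large installer and the text file in the same folder are ignored. Neither check is proof of infection on its own (legitimate dynamic-DNS use and small Temp executables both exist), which is why the two signals are reported separately for an analyst to correlate.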
We’ve added detection for this PoisonIvy sample into our definitions, but I have to admit, it’s hard for me to feel all that good about removing Trojans which exclusively target criminals.
Looking at the claims Arhack makes about the ZombieMBot, there’s reason for some concern. The bot’s Web page claims the Trojan can spread itself via peer-to-peer file-sharing networks, MSN Messenger and removable media, and can propagate over a network like a worm.
The program’s “About” dialog explains that, no, really, this is only a tool for use by administrators for the purpose of remote management. It’s hard to imagine the coder who wrote this dialog keeping a straight face, especially when the makers call themselves “Arhack” and host their malcode on their Web site, troyanosyvirus.com (that’s Spanish for “Trojans and viruses”).
The Web site even gives helpful compatibility and system requirement information.
The big danger here is that the product of this Trojan creation tool is out in the open, freely available for anyone to download and use. Fortunately for people on the receiving end of such a Trojan, the Trojans this tool is capable of building are so rudimentary that it only took the researcher working this project an hour to build detection into Webroot’s antimalware engine that can sniff out any ZombieMBot executable generated by the tool.
Meanwhile, if anyone in law enforcement from Argentina is paying attention, you might want to take a look at Arhack. Last year, Argentina ranked in a list of the 20 countries most affected by malicious computer activity. I find it hard to believe Arhack can operate their business in the open without anyone noticing.