Microsoft conducted a study code Nitol

Posted: October 17, 2012 in IT Security News
Tags: , , , ,

MicrosoftNitol botnet distributed with the downloadable file that contains the DLL module.

Microsoft has conducted an analysis of the source code botnet Nitol, whose work was recently stopped in Operation “Operation b70”. Recall that during the operation, employees uncovered a scheme in which the attackers spread the virus even at the stage of production of computers, and some buyers in China with pre-purchased equipment botnet client.

Expert analysis indicated that a family of viruses Nitol, probably part of the general class of instruments DDoS. Many variants of this virus contains elements copied from other malicious programs used for the organization of distributed denial of service attacks.

Most of the detected in the study of modifications Nitol has two main components: an executable loader and component libraries. When running on a system boot installs DLL, in most cases, removing it from its own resources, and sets it as a service or driver. Some library modules run immediately after installation by calling the main function of the DLL from the executables, and some run only after a reboot.

After starting the library component creates a thread and acts as a server, communicating with the command (C & C) server. The address of this server is usually written to a file loader, and 50% of the virus family Nitol connected to the sub-domain, that was disabled in the Microsoft Operation b70. C & C is usually obtained from a new botnet participant information such as the version of the operating system, CPU speed, RAM size, and geographic location of the infected machine.

Botnet operator can attack a certain web-resource, using methods such DDoS, as SYN-, UDP-, TCP-, HTTP-and ICMP-flood. To synchronize multiple botnet operator uses a simple token. Also, an attacker can transfer the entire botnet in “sleep mode”, in which the conduct of DDoS-attacks impossible.

In addition to conducting DDoS attacks Nitol botnet also allows owners to download and execute additional software and open web-page using Internet Explorer. Virus writers have also taken care of the mechanism of self-destruction, in which team C & C server, the client Nitol removed from the system.

Microsoft study available here.

Related post: Chinese laptops are sold with pre-installed viruses

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s