FireEye: Harnig Botnet - A retreating army


Postby spamislame » Wed Mar 23, 2011 9:59 am

http://blog.fireeye.com/research/2011/0 ... -army.html

More great research from this team.

Apparently Harnig is responsible for *some* of the infections of Rustock.

Harnig is considered to be a very wide spread pay per install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system. In return for this favor, the owners of other malware families pay the bot herders a little sum, normally a few cents per machine.
...
Harnig --> Downloader.DigiPog (Rustock installer in plain text) --> Rustock spam engine (semi-fake password-protected 'rar' file containing the Rustock driver file).

At FireEye labs, we monitor the activities of different botnets on a 24/7 basis. Around March 17th, I found that all of Harnig's C&Cs suddenly stopped responding, returning '404 Not Found' to their zombies. The last time I saw Harnig successfully talking to its C&Cs was Mar 17th 12:45 PM PST. At that time, I saw it downloading different malware onto the infected machine, including SpyEye, Zbot, Ertfor etc., but there has been no movement after that at all.

The whole thing is worth a read, even for non-technical people.

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am
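The quoted FireEye passage describes the kind of check a botnet monitor runs: poll the known C&C hosts on behalf of an infected machine, record what each hands out, and notice when every host switches to '404 Not Found' and stays there. The script below is an added example of that bookkeeping written for this thread; it is not FireEye's tooling and the log format, the host names and the sample lines are all constructed assumptions. It ingests poll records, keeps the last successful check-in and the payload families seen per C&C, and reports the botnet as dark only after every C&C has answered nothing but errors since its last success for at least a day.

```python
"""C&C liveness monitor over a constructed sandbox poll log.

Added example, not FireEye's code.  Assumed log line format:
    <ISO timestamp> <c2 host> <http status> <payload family or ->
The host names and the sample lines are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

DARK_AFTER = timedelta(hours=24)  # assumed threshold, not from the post

# Constructed sample: two C&Cs answer normally, then only 404 from 17 March on.
SAMPLE_LOG = """\
2011-03-17T11:30:00 c2-a.example 200 SpyEye
2011-03-17T12:10:00 c2-b.example 200 Zbot
2011-03-17T12:45:00 c2-a.example 200 Ertfor
2011-03-17T13:45:00 c2-a.example 404 -
2011-03-17T13:46:00 c2-b.example 404 -
2011-03-18T09:00:00 c2-a.example 404 -
2011-03-18T09:01:00 c2-b.example 404 -
2011-03-19T09:00:00 c2-a.example 404 -
2011-03-19T09:01:00 c2-b.example 404 -
"""


@dataclass
class C2State:
    first_seen: Optional[datetime] = None
    last_ok: Optional[datetime] = None
    failures_since_ok: int = 0           # consecutive non-2xx answers
    families: Set[str] = field(default_factory=set)


def parse_line(line: str):
    ts, host, status, family = line.split()
    return datetime.fromisoformat(ts), host, int(status), family


def ingest(log_text: str) -> Dict[str, C2State]:
    """Fold the poll log (assumed time-ordered) into per-C&C state."""
    states: Dict[str, C2State] = defaultdict(C2State)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, status, family = parse_line(line)
        st = states[host]
        st.first_seen = st.first_seen or ts
        if 200 <= status < 300:
            st.last_ok = ts
            st.failures_since_ok = 0
            if family != "-":
                st.families.add(family)
        else:
            st.failures_since_ok += 1
    return dict(states)


def last_contact(states: Dict[str, C2State]) -> Optional[datetime]:
    """Most recent successful check-in across all C&Cs, or None."""
    oks = [st.last_ok for st in states.values() if st.last_ok]
    return max(oks) if oks else None


def botnet_dark(states: Dict[str, C2State], now: datetime) -> bool:
    """True only when every C&C has failed every poll since its last
    success (or since first observation, if it never answered) and that
    reference point is at least DARK_AFTER in the past."""
    if not states:
        return False
    for st in states.values():
        if st.failures_since_ok == 0:
            return False  # this host is still answering
        reference = st.last_ok or st.first_seen
        if now - reference < DARK_AFTER:
            return False  # too early to call it
    return True


def families_delivered(states: Dict[str, C2State]) -> Set[str]:
    """Union of payload families handed out by any C&C."""
    return set().union(*(st.families for st in states.values()))


if __name__ == "__main__":
    s = ingest(SAMPLE_LOG)
    print("last successful contact:", last_contact(s))
    print("families delivered:", sorted(families_delivered(s)))
    print("dark on 2011-03-19:", botnet_dark(s, datetime(2011, 3, 19, 10)))
```

The deliberate part is the dark test: a single host returning 404 for an hour is routine C&C churn, so the monitor insists that every host has been failing since its last success and that the silence has lasted a full threshold before it calls the whole botnet dark. Pointing `ingest` at a real poll log only requires emitting lines in the assumed format.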

Re: FireEye: Harnig Botnet - A retreating army

Postby meep » Wed Mar 23, 2011 12:46 pm

Thanks, I'll definitely read up on that one. "Harnig" is a new name for me at least.
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: FireEye: Harnig Botnet - A retreating army

Postby Red Dwarf » Wed Mar 23, 2011 3:32 pm

Very interesting. So Harnig is a downloader of trojans, one of which is the Rustock infection.
And Harnig stopped issuing commands from the C&Cs about the same time as the Rustock takedown.
But the stoppage was voluntary, since they have C&Cs spread all over the globe, including lots in Russia.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Re: FireEye: Harnig Botnet - A retreating army

Postby spamislame » Thu Mar 24, 2011 9:24 am

Red Dwarf wrote:Very interesting. So Harnig is a downloader of trojans, one of which is the Rustock infection.
And Harnig stopped issuing commands from the C&Cs about the same time as the Rustock takedown.

Correct, but even more importantly: within a very short time of the Rustock C&C shutdowns.

Red Dwarf wrote:But the stoppage was voluntary, since they have C&Cs spread all over the globe, including lots in Russia.

Correct.

FireEye are (along with Secureworks / Joe Stewart) the best botnet researchers I've ever seen. They aren't done with the research into this particular shutdown either.

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Re: FireEye: Harnig Botnet - A retreating army

Postby Red Dwarf » Fri Mar 25, 2011 4:15 pm

I believe that the decision to drop the Pfizer scam on the same date was not coincidental but totally related, as I reported at

viewtopic.php?f=1&t=4114&start=30#p51435
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Re: FireEye: Harnig Botnet - A retreating army

Postby spamislame » Sat Mar 26, 2011 9:43 am

In my case it was Diploma spam. It has resumed normal volume today so whoever it is has found a new botnet for his purposes.

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am
