Botnets no longer have to run on systems that attackers own or have compromised: according to PhishMe, controllers are now running botnets on Skype and other cloud-based chat programs, an even lower-cost option for attackers.
Speaking about the discovery, Ronnie Tokazowski, Senior Researcher at PhishMe, said: “We all remember analyzing samples of IRC botnets that were relatively simple, where the malware would connect to a random port running IRC, joining the botnet and waiting for commands from their leader. In this day and age, it’s slightly different.”
One user at PhishMe received the following message over Skype, where the “user” made several attempts to call them:
The attacker called with a username that also contained a link to a domain, www.viewror[d]com. Once the link is clicked, a voice directs the user to click the download link and install a “proprietary” video player in order to play the video. Examining the underlying HTML of the download page, Ronnie established that the download was part of an affiliate program in which the attacker is probably paid on a per-install or per-download basis.
Ronnie continues, “Once the executable is opened, it asks to run as administrator. As any user would do…just push play! The user is presented with a screen to install different aspects of the program. Once we are given the option to start installing, VideoPlayer.exe downloads, installs, and runs many different things. All of these are pieces of adware being installed to the system. One of the final steps is to install “Search Protect”, a very shady application that gives you “protected” searches. The malware does download a “proprietary” media player, called Media Player Classic, but there is nothing proprietary about the media player, which is available for free download online.”
“By looking at the Skype username, there are two fields that are present, the name and description. One of the even cooler things is that you can search by name in Skype. By scrolling through the list of bots, we can gather a list of domains the attackers are using. So how do you attack this long list of bot names being used for badness? You pass it over to the security folks.”
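The triage step described above, harvesting domains from the name and description fields of Skype search results so they can be handed to a security team, can be scripted. This is an added example, not PhishMe's tooling; the contacts and domains in it are constructed, not real indicators, and the defanging styles it handles are assumptions about how such lists are typically written.

```python
import re
from collections import Counter

# Constructed sample of Skype search results as (name, description) pairs,
# mimicking bot accounts that carry a domain in either field. Not real IoCs.
SAMPLE_CONTACTS = [
    ("Jessica <3 www.example-video[d]com", "click to watch"),
    ("Amber", "free movies at WWW.example-video[d]com/play"),
    ("Kate www.sample-player[.]net", ""),
    ("Real Person", "just here to chat"),
    ("Mia", "http://sample-player.net/download"),
]

# Defanged dot spellings commonly seen in abuse reports: [d], [.], (dot), " dot ".
DEFANG = re.compile(r"\[d\]|\[\.\]|\(dot\)|\s+dot\s+", re.IGNORECASE)
# Hostname: one or more dotted labels followed by a TLD of at least two letters.
DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def refang(text):
    """Turn defanged dots back into real dots so one regex can match them."""
    return DEFANG.sub(".", text)


def normalize(domain):
    """Lower-case and strip a leading www. so variants collapse into one indicator."""
    d = domain.lower()
    return d[4:] if d.startswith("www.") else d


def extract_domains(contacts):
    """Return {domain: number of accounts advertising it} over name and description."""
    counts = Counter()
    for name, description in contacts:
        found = set()  # count each domain once per account, even if it appears twice
        for field in (name, description):
            for match in DOMAIN.findall(refang(field)):
                found.add(normalize(match))
        counts.update(found)
    return dict(counts)


def defang(domain):
    """Re-defang a domain before sharing so the report contains no clickable link."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    ranked = sorted(extract_domains(SAMPLE_CONTACTS).items(), key=lambda kv: -kv[1])
    for domain, n in ranked:
        print(f"{defang(domain)}\t{n} account(s)")
```

Feeding a real export of search results into `extract_domains` yields a deduplicated, ranked list that can go straight into a takedown request or a proxy blocklist.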
In the case of these attacks, PhishMe worked with the Amazon and Microsoft security teams to disrupt the attackers' activities and infrastructure; both were very helpful.
Ronnie concludes, “When users are trained to spot suspicious things, the amount of information you can get back increases 100-fold. And in this case, the user reported a small piece of information, which resulted in the disruption of a large adware campaign, on both the infrastructure and bot side of things.”