14 May 2009 | 22,263 views

Trojan in Counterfeit Copies of Windows 7 Builds Botnet

Prevent Network Security Leaks with Acunetix

This latest mass infection is through a vector I really don’t understand, see as though you can legitimately download Windows 7 from Microsoft.

I guess people just prefer BitTorrent downloads to HTTP downloads, and whoever had this smart idea capitalized on that.

Microsoft should perhaps do something about that and put out a legitimate BitTorrent copy. I guess the problem is updates, once it’s out there and people are seeding it’s out there for good and it’s not necessarily the latest build.

A Trojan buried within counterfeit copies of Windows 7 RC was used to build a botnet of compromised PCs.

The tactic emerged after researchers from security firm Damballa shut down the command and control servers used to control the system, reckoned to have drafted thousands of Windows PCs into its compromised ranks. Damballa reckons malicious hackers distributed the malware by hiding it within counterfeit copies of pre-release versions of Microsoft’s next operating system on offer through BitTorrent.

Damballa reckons that the pirated package was released around 24 April. By 10 May, when security researchers effectively curtailed the operation, as many as 552 new users were becoming infected per hour as a result of the attack.

It seems like the infection rate for this trojan has been pretty sharp, with 552 new users per hour that’s over 13,000 new infections per day adding up to almost 100,000 in one week.

The Command and Control center for the botnet has been taken offline though on May 10th so it’s rendered pretty useless since then.

I guess they should have built a more robust control mechanism like Conficker.

“Since the pirated package was released on 24 April, my best guess is that this botnet probably had at least 27,000 successful installs prior to our takedown of its CnC [command and control] on 10 May,” Tripp Cox, vice president of engineering at Damballa, told eWeek.

Since Damballa’s intervention, users installing the pirated version of Windows 7 RC are outside the control of the botmaster hackers running the attack. However, users who were compromised prior to 10 May remain within the ranks of the zombie drones controlled by the unidentified hackers.

Trend Micro identifies the Trojan featured in the attack as DROPPER-SPX.

Burying backdoors in counterfeit code is a popular tactic among crackers witnessed many times over the years with pirated copies of Microsoft applications and, more recently, with pirated versions of iWork ’09 for Apple Mac machines. In the case of the latest attack, prospective Windows 7 RC users get infected before they have a chance to install anti-virus tools, many of which are yet to support Windows 7 anyway.

You can check out the details on Trend Micro blog here.

If you want to get hold of Windows 7 you can just go directly to the Microsoft site here.

Source: The Register



Recent in Malware:
- Twitter Patents Technique To Detect Mobile Malware
- ParanoiDF – PDF Analysis & Password Cracking Tool
- Windows Registry Infecting Malware Has NO Files

Related Posts:
- Facebook Used By Whitewell Trojan To Communicate
- Trojan Mimicks Windows Activation Interface – KardPhisher
- Up to a Quarter of Internet Connected Machines Could be Zombies

Most Read in Malware:
- Nasty Trojan Zeus Evades Antivirus Software - 77,326 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,473 views
- US considers banning DRM rootkits – Sony BMG - 44,933 views

Low-cost VPS Hosting

2 Responses to “Trojan in Counterfeit Copies of Windows 7 Builds Botnet”

  1. Dazza 17 May 2009 at 2:30 am Permalink

    The biggest problem is that many people are having difficulty downloading the Windows 7 RC from Microsofts site.
    I myself have unsuccessfully downloaded Windows 7 a total of 6 times, from 3 different computers, 3 different ip address etc.
    98%, 99%, 100% – This file is currupt blah blah, and their downloader deletes the file!
    (It appears to be a problem with the downloader, not the actual Win 7 image) – Apparently if you roll back java versions and run software thats not updated , it works, BUT why should you have to jump through hoops to download a demo!
    Anyway, I downloaded through a Torrent, verified the file with original specs and it worked first time, quickly and efficiently. I used the number given by MS and its a go.

  2. Jessen 18 May 2009 at 3:24 pm Permalink

    Before the RC came out, Microsoft has shut down Windows 7 download but I guess now they’re opening the download again and force us to download from them.