Trojan in Counterfeit Copies of Windows 7 Builds Botnet


This latest mass infection is through a vector I really don’t understand, see as though you can legitimately download Windows 7 from Microsoft.

I guess people just prefer BitTorrent downloads to HTTP downloads, and whoever had this smart idea capitalized on that.

Microsoft should perhaps do something about that and put out a legitimate BitTorrent copy. I guess the problem is updates, once it’s out there and people are seeding it’s out there for good and it’s not necessarily the latest build.

A Trojan buried within counterfeit copies of Windows 7 RC was used to build a botnet of compromised PCs.

The tactic emerged after researchers from security firm Damballa shut down the command and control servers used to control the system, reckoned to have drafted thousands of Windows PCs into its compromised ranks. Damballa reckons malicious hackers distributed the malware by hiding it within counterfeit copies of pre-release versions of Microsoft’s next operating system on offer through BitTorrent.

Damballa reckons that the pirated package was released around 24 April. By 10 May, when security researchers effectively curtailed the operation, as many as 552 new users were becoming infected per hour as a result of the attack.

It seems like the infection rate for this trojan has been pretty sharp, with 552 new users per hour that’s over 13,000 new infections per day adding up to almost 100,000 in one week.

The Command and Control center for the botnet has been taken offline though on May 10th so it’s rendered pretty useless since then.

I guess they should have built a more robust control mechanism like Conficker.

“Since the pirated package was released on 24 April, my best guess is that this botnet probably had at least 27,000 successful installs prior to our takedown of its CnC [command and control] on 10 May,” Tripp Cox, vice president of engineering at Damballa, told eWeek.

Since Damballa’s intervention, users installing the pirated version of Windows 7 RC are outside the control of the botmaster hackers running the attack. However, users who were compromised prior to 10 May remain within the ranks of the zombie drones controlled by the unidentified hackers.

Trend Micro identifies the Trojan featured in the attack as DROPPER-SPX.

Burying backdoors in counterfeit code is a popular tactic among crackers witnessed many times over the years with pirated copies of Microsoft applications and, more recently, with pirated versions of iWork ’09 for Apple Mac machines. In the case of the latest attack, prospective Windows 7 RC users get infected before they have a chance to install anti-virus tools, many of which are yet to support Windows 7 anyway.

You can check out the details on Trend Micro blog here.

If you want to get hold of Windows 7 you can just go directly to the Microsoft site here.

Source: The Register

Posted in: Malware, Windows Hacking

, , ,


Latest Posts:


HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.
trident - Automated Password Spraying Tool trident – Automated Password Spraying Tool
The Trident project is an automated password spraying tool developed to be deployed on multiple cloud providers and provides advanced options around scheduling
tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.


2 Responses to Trojan in Counterfeit Copies of Windows 7 Builds Botnet

  1. Dazza May 17, 2009 at 2:30 am #

    The biggest problem is that many people are having difficulty downloading the Windows 7 RC from Microsofts site.
    I myself have unsuccessfully downloaded Windows 7 a total of 6 times, from 3 different computers, 3 different ip address etc.
    98%, 99%, 100% – This file is currupt blah blah, and their downloader deletes the file!
    (It appears to be a problem with the downloader, not the actual Win 7 image) – Apparently if you roll back java versions and run software thats not updated , it works, BUT why should you have to jump through hoops to download a demo!
    Anyway, I downloaded through a Torrent, verified the file with original specs and it worked first time, quickly and efficiently. I used the number given by MS and its a go.

  2. Jessen May 18, 2009 at 3:24 pm #

    Before the RC came out, Microsoft has shut down Windows 7 download but I guess now they’re opening the download again and force us to download from them.