Trojan in Counterfeit Copies of Windows 7 Builds Botnet


This latest mass infection is through a vector I really don’t understand, see as though you can legitimately download Windows 7 from Microsoft.

I guess people just prefer BitTorrent downloads to HTTP downloads, and whoever had this smart idea capitalized on that.

Microsoft should perhaps do something about that and put out a legitimate BitTorrent copy. I guess the problem is updates, once it’s out there and people are seeding it’s out there for good and it’s not necessarily the latest build.

A Trojan buried within counterfeit copies of Windows 7 RC was used to build a botnet of compromised PCs.

The tactic emerged after researchers from security firm Damballa shut down the command and control servers used to control the system, reckoned to have drafted thousands of Windows PCs into its compromised ranks. Damballa reckons malicious hackers distributed the malware by hiding it within counterfeit copies of pre-release versions of Microsoft’s next operating system on offer through BitTorrent.

Damballa reckons that the pirated package was released around 24 April. By 10 May, when security researchers effectively curtailed the operation, as many as 552 new users were becoming infected per hour as a result of the attack.

It seems like the infection rate for this trojan has been pretty sharp, with 552 new users per hour that’s over 13,000 new infections per day adding up to almost 100,000 in one week.

The Command and Control center for the botnet has been taken offline though on May 10th so it’s rendered pretty useless since then.

I guess they should have built a more robust control mechanism like Conficker.

“Since the pirated package was released on 24 April, my best guess is that this botnet probably had at least 27,000 successful installs prior to our takedown of its CnC [command and control] on 10 May,” Tripp Cox, vice president of engineering at Damballa, told eWeek.

Since Damballa’s intervention, users installing the pirated version of Windows 7 RC are outside the control of the botmaster hackers running the attack. However, users who were compromised prior to 10 May remain within the ranks of the zombie drones controlled by the unidentified hackers.

Trend Micro identifies the Trojan featured in the attack as DROPPER-SPX.

Burying backdoors in counterfeit code is a popular tactic among crackers witnessed many times over the years with pirated copies of Microsoft applications and, more recently, with pirated versions of iWork ’09 for Apple Mac machines. In the case of the latest attack, prospective Windows 7 RC users get infected before they have a chance to install anti-virus tools, many of which are yet to support Windows 7 anyway.

You can check out the details on Trend Micro blog here.

If you want to get hold of Windows 7 you can just go directly to the Microsoft site here.

Source: The Register

Posted in: Malware, Windows Hacking

, , ,


Latest Posts:


Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.


2 Responses to Trojan in Counterfeit Copies of Windows 7 Builds Botnet

  1. Dazza May 17, 2009 at 2:30 am #

    The biggest problem is that many people are having difficulty downloading the Windows 7 RC from Microsofts site.
    I myself have unsuccessfully downloaded Windows 7 a total of 6 times, from 3 different computers, 3 different ip address etc.
    98%, 99%, 100% – This file is currupt blah blah, and their downloader deletes the file!
    (It appears to be a problem with the downloader, not the actual Win 7 image) – Apparently if you roll back java versions and run software thats not updated , it works, BUT why should you have to jump through hoops to download a demo!
    Anyway, I downloaded through a Torrent, verified the file with original specs and it worked first time, quickly and efficiently. I used the number given by MS and its a go.

  2. Jessen May 18, 2009 at 3:24 pm #

    Before the RC came out, Microsoft has shut down Windows 7 download but I guess now they’re opening the download again and force us to download from them.