Trojan in Counterfeit Copies of Windows 7 Builds Botnet


This latest mass infection is through a vector I really don’t understand, see as though you can legitimately download Windows 7 from Microsoft.

I guess people just prefer BitTorrent downloads to HTTP downloads, and whoever had this smart idea capitalized on that.

Microsoft should perhaps do something about that and put out a legitimate BitTorrent copy. I guess the problem is updates, once it’s out there and people are seeding it’s out there for good and it’s not necessarily the latest build.

A Trojan buried within counterfeit copies of Windows 7 RC was used to build a botnet of compromised PCs.

The tactic emerged after researchers from security firm Damballa shut down the command and control servers used to control the system, reckoned to have drafted thousands of Windows PCs into its compromised ranks. Damballa reckons malicious hackers distributed the malware by hiding it within counterfeit copies of pre-release versions of Microsoft’s next operating system on offer through BitTorrent.

Damballa reckons that the pirated package was released around 24 April. By 10 May, when security researchers effectively curtailed the operation, as many as 552 new users were becoming infected per hour as a result of the attack.

It seems like the infection rate for this trojan has been pretty sharp, with 552 new users per hour that’s over 13,000 new infections per day adding up to almost 100,000 in one week.

The Command and Control center for the botnet has been taken offline though on May 10th so it’s rendered pretty useless since then.

I guess they should have built a more robust control mechanism like Conficker.

“Since the pirated package was released on 24 April, my best guess is that this botnet probably had at least 27,000 successful installs prior to our takedown of its CnC [command and control] on 10 May,” Tripp Cox, vice president of engineering at Damballa, told eWeek.

Since Damballa’s intervention, users installing the pirated version of Windows 7 RC are outside the control of the botmaster hackers running the attack. However, users who were compromised prior to 10 May remain within the ranks of the zombie drones controlled by the unidentified hackers.

Trend Micro identifies the Trojan featured in the attack as DROPPER-SPX.

Burying backdoors in counterfeit code is a popular tactic among crackers witnessed many times over the years with pirated copies of Microsoft applications and, more recently, with pirated versions of iWork ’09 for Apple Mac machines. In the case of the latest attack, prospective Windows 7 RC users get infected before they have a chance to install anti-virus tools, many of which are yet to support Windows 7 anyway.

You can check out the details on Trend Micro blog here.

If you want to get hold of Windows 7 you can just go directly to the Microsoft site here.

Source: The Register

Posted in: Malware, Windows Hacking

, , ,


Latest Posts:


Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.


2 Responses to Trojan in Counterfeit Copies of Windows 7 Builds Botnet

  1. Dazza May 17, 2009 at 2:30 am #

    The biggest problem is that many people are having difficulty downloading the Windows 7 RC from Microsofts site.
    I myself have unsuccessfully downloaded Windows 7 a total of 6 times, from 3 different computers, 3 different ip address etc.
    98%, 99%, 100% – This file is currupt blah blah, and their downloader deletes the file!
    (It appears to be a problem with the downloader, not the actual Win 7 image) – Apparently if you roll back java versions and run software thats not updated , it works, BUT why should you have to jump through hoops to download a demo!
    Anyway, I downloaded through a Torrent, verified the file with original specs and it worked first time, quickly and efficiently. I used the number given by MS and its a go.

  2. Jessen May 18, 2009 at 3:24 pm #

    Before the RC came out, Microsoft has shut down Windows 7 download but I guess now they’re opening the download again and force us to download from them.