This is the third blog in this series. The prior blogs describe how the cyber gang managed to gain access to many users’ machines using the Blackhole Exploit Kit.
In this blog we will discuss the Smoke Loader bot controller that was used to control the infected machines. We will examine its capabilities and show the importance of the bot controller as part of the entire cybercrime attack.
The Smoke Loader Bot Controller
Smoke Loader is a new bot controller that manages a user’s compromised PC. The developer of Smoke Loader offers several capabilities according to the user guide (translated from Russian):
- Sequentially load up to 10 different EXEs and launch them
- Geo-targeting (install for specific countries only)
- Ability to load files via URL
- Auto-start and covert operation (camouflage as a trusted process)
- Detailed stats in admin on the number of installs and launches
- Bot auto-update through the admin panel (locally and remotely)
- Bot loss prevention in case the domain is blocked
- Small loader size ~ 6-12 KB
- A “seller’s” version of the builder can be used (more precise stats)
- “Guest” access to the stats
- Easy to encrypt (no additional dlls, overlays, etc.)
The bot also collects users’ personal data from FTP clients, browsers, instants messaging, poker clients and mail clients:
Pricing (WMZ – Web Money):
- Loader only (non-resident version) – 150 WMZ
- Loader only (resident version) – 250 WMZ
- Grabber LITE – 100 WMZ **
- Grabber FULL – 150 WMZ **
- SOCKS-module – 50 WMZ (no back-connect) **
- Loader rebuild – 10 WMZ
- Updates: small fixes – free, others are agreed upon separately
- Custom grabber can be made for your needs
Once the malware is installed on a victim’s system, it communicates with its Command and Control Server. The manager of this scam collaborates with several cybercriminals who spread malware using their own unique methods. The bot reports the geographic location of the compromised machine to the Smoke Loader server.
To minimize the risk of detection, the Zeus Trojan is distributed only to infected systems located in the U.K.
- “Online Countries” indicates concurrent online bots, along with the country
- “Loads” indicates the summary of bots that download the Trojan (Zeus)
- “Runs” indicates the summary of bots that reported a successful execution
Using the control panel of Smoke Loader, the administrator sends the bots updated malware from time to time:
The screenshot above describes the capabilities of the Smoke Loader administrator to send the exact malware (Zeus Trojan) to the specific target PCs.
In the next blog and the most interesting one in the series, we will show how the cyber gang makes money of the infected machines. We will expose the art of the Trojan Bank operation end to end.