
Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013


Ch10: Remote Access Trojans and Zombie Networks

Introduction to remote access trojans (RATs) and zombie networks

Remote access Trojans (RATs) are malware that provides a hidden channel of remote access to an administrator (or equivalent) account on your computer, much like VNC (on which many of them are based), ssh or telnet.

A computer on which covert remote control software has been installed without the owner's knowledge is called a zombie. The set of such computers controlled from a single center is called a zombie network. Some publications suggest that there are millions of such computers in the world, out of, say, a billion or two PC users. This is a popular class of malware with its own ecosystem, which includes open source code that can serve as a template for new strains of malware (All copy and paste makes Jack a bored boy - Microsoft Malware Protection Center):

We recently came across what appeared to be a new sample, but was actually part of malware discovered in 2010. This new-old sample is built from publicly available source code and, like many of its kind, is frequently rebranded. Because of all the changes that malware authors have made, we have detection for each customized iteration. One such iteration (SHA1 8d81462089f9d1b4ec4c7423710cf545be2708e7) is commonly deployed under private obfuscators (such as H1N1 or Umbra). We detect this threat as TrojanSpy:Win32/SSonce.C (the sample also has a message for antivirus researchers, asserting that our job is monotonous and boring).

Other backdoors that originate from the same source code are currently detected as Backdoor:Win32/Bezigate.A, Backdoor:Win32/Talsab.C, and Backdoor:Win32/Nosrawec.C. What we are seeing here is rampant use of copy/paste in the code. Because of this, all these spying families share common features, such as: reverse connection to an attacker's server, plugins capable of file transfers, screen capture and anti-virus software disabling. Although the code is publicly available, there are some features, such as mouse/keyboard control, which are only available in private versions, as seen from the Facebook page of one of the authors.

The idea of hijacking somebody else's computer to use it as a storage or computational resource is as old as computing itself. The Morris worm was the first computer worm that propagated from one Unix machine to another by exploiting vulnerabilities of Unix known at that time. Later there were several well publicized cases of overseas hackers trying to get access (and succeeding) to university and research networks. See for example:

Here is a parody that I wrote about another overblown case (The Cuckoo's Egg, Softpanorama 91a (vol. 9, No. 2), March-April 1997):

The Cuckoo's Egg by Cliff Stoll

Review picked up on the Internet and adapted for by Nikolai Bezroukov

The Cuckoo's Egg by Cliff Stoll is a book about a German student, a hacker actually. This hacker had a strange hobby: breaking into military sites. Bad guys from the KGB forced him to bring some US military documents. The hacker did not know that the KGB guys had already obtained everything they wanted using girls and vodka instead of the Internet. These backward Russians usually rely on good old tricks. Anyway, even if they obtained something useful, it was almost always lost in the huge bureaucratic machine the KGB was, or left by drunken agents somewhere in the subway.

Cliff Stoll, an astronomer turned UNIX system administrator (this kind of disaster happens to astronomers quite often nowadays), works at Lawrence Berkeley Lab. He was going over some accounting logs when he found a 75-cent accounting error (girls should beware of dating former astronomers).

Cliff discovered that the hacker had broken into several of the lab servers and alerted the CIA/FBI. Since no one would listen to him because the hacker hadn't stolen more than a million dollars or the "How to make an A-bomb" FAQ, he started his chase of the hacker alone. Cliff hooked up his computer in such a way that every time the hacker logged into one of the broken accounts, his beeper would ring. He tried to imitate Sherlock Holmes and even got a logbook where he put all the information. But now that his PC was hooked up, he could not play Red Alert during his working hours anymore. That made him very uncomfortable and he tried to pursue the hacker with double energy, forgetting all his other duties and responsibilities.

But for some reason the hacker just stopped coming. Cliff patiently waited and his patience was eventually rewarded. At last the hacker broke in again and tried to log on by using one of the old stolen passwords. This was the day Cliff had been waiting for. The FBI/CIA was finally interested, but they only took information from Cliff, never giving any back. They never treated him well and Cliff was always left out in the cold in his own investigation. All this time Cliff had no choice but to blindly follow their instructions. He felt like a pawn.

Since the hacker always tried to get documents from army bases, Cliff made up hundreds of fake military documents and planted them in the computers in the lab. Imitating military documents was a pretty dull job, as most of them are usually so stupid. But Cliff was diligent and worked around the clock. Some of these documents were actually much better than the real ones. The poor former astronomer did not realize that the CIA had penetrated and manipulated the KGB on such a massive scale that all the mess was probably initiated at the CIA's request to get some additional funding from Congress.

The hacker was delighted to get Cliff's documents, as now he was free to break into something more interesting than military sites, and sent Cliff a thank-you letter. Unfortunately, it was intercepted first by the FBI and then, of course, found its way to the CIA. Bad guys from the FBI/CIA were incensed that the hacker did not want to break into military sites anymore and decided to catch him no matter what. And they did.

All in all, he had spent the whole year chasing the hacker, with the miserable result of catching a kid in Germany instead of discovering his own planet. Tragically, he was unable to go back to astronomy or even to UNIX system administration. All he wanted was to be interviewed or to chase other hackers. Basically, he sacrificed his love life and his job at the Lawrence Berkeley Lab for this moment of fake glory. Now he was good only for interviews. He will never discover a new planet. His beeper always rang when he was with his girlfriend, and eventually she got really mad at him. His life and his career were ruined, and out of desperation he became a security consultant.

The main idea of the book is that every time the hacker breaks into the system, it is like a cuckoo laying an egg and leaving it to naive Unix administrators like Cliff to hatch: instead of closing the loophole and forgetting about the problem, they can spend days and nights imitating Sherlock Holmes. Few are good at this tricky "catch the perpetrator" business. And after hatching several eggs it's too easy to lose all your Unix qualifications and turn into a security cuckoo who just gives interview after interview about fake events and fake accomplishments. There is nothing more miserable or more useless than a former Unix system administrator who lost his qualifications and turned into a security consultant. It's the dark side of the story.

On the positive side, the book could serve as a warning for young people. It teaches us what could happen to young Unix administrators if they have too much zeal in chasing hackers instead of fixing the problem and moving on and, especially, in giving interviews about their fake accomplishments in this area. As in stock trading, too much zeal in propagating fake facts makes them no good. Just look at those poor CNBC talking heads. They look as sleazy as security consultants. Any intelligent Unix administrator knows that all this IT security business is to a large extent a self-serving sham. Those clueless and highly paid careerists deceive the public and policymakers, exaggerating both the necessity and value of their work. Like investment gurus who defraud 401K investors and rich seniors by selling them crappy mutual funds or annuities, they defraud rich and helpless old corporations with senile IT management into installing expensive but useless devices like ISS appliances which can never catch a frog, to say nothing of a hacker. All they can do is imitate their usefulness by producing glossy PDF reports about fake intrusions each month.

Anyway, you never know whether the author actually wrote the book, whether the events took place as described, and who is who on the Internet.

In the late 1990s there was a common understanding of the vulnerability of Unix systems to several types of attacks. For example, here is one interesting paper: Infrastructure: A Prerequisite for Effective Security by Bill Fithen, Steve Kalinowski, Jeff Carpenter, and Jed Pickel, CERT Coordination Center.

The authors started their presentation with some scary data compiled by CERT. A 1997 survey shows that 50% of systems were not kept up to date with security patches after they were compromised. One site appeared in 35 incidents between 1997 and 1998; the site was used for password sniffing and probing of other sites in many of those cases. Ten of the 35 incidents involved root compromise of the host. In another break-in, 20-25 hosts were compromised. All of these systems needed to be rebuilt, but the site's administrator said that they didn't have enough resources to do so.

Tools like SATAN emerged that provided a way to test your system against a set of exploits. But these were by and large attempts without the direct goal of financial gain.

Later, in the Windows world, the idea of hijacking somebody else's computer became very popular, first on IRC networks and later on the Kazaa file sharing network. Two types of rootkits were written to achieve that (Microsoft, 2012).

In the late 1990s many people realized that a hijacked computer can be used for extracting direct financial gain. The initial idea behind the "financialization" of hijacked computers, and the rationale behind the creation of vast zombie networks, was to send spam. Sending spam is a highly lucrative activity, and one for which a network of computers belonging to legitimate users is ideal: email sent from such computers is more difficult for spam filters to block. If you have the capability of sending a message to hundreds of thousands of people instantaneously, some small percentage, say 1%, of recipients will react to it, whether out of irritation, anger, or curiosity. For 100K recipients 1% is 1000 people. If 10% of those buy the product and your commission is $1, you get $100. For more targeted spam the figure can be much higher and your income can reach $1000. And that's in one day. So it should not surprise you that sophisticated spammers enjoy a high monthly income which can reach, say, $50K a month. As spamming is now tightly controlled by both technical and regulatory measures, the only way to escape responsibility for sending a huge volume of spam is to use a large network of zombies. If you have a network of 100K zombies and want to send 100K spam messages, then each computer needs to send just one email. In this case you are guaranteed that the mail will be sent from a legitimate address, and if you possess a high level of sophistication as a spammer, your subject line and the text of the body have already been checked against a typical spam filter. So you can expect that a very high percentage of those mails will be delivered.

Later they were also used for launching denial of service attacks on gambling sites. This was essentially an extortion business. As an online gambling site will lose money if taken down even for a day, they prefer to pay for protection. A single denial-of-service attack on a gambling Web site can cost several thousand dollars a day in lost profits. Three Russian zombie network herders were sentenced to eight years in prison after successfully extorting several gambling operators in the United Kingdom. The gang earned several million dollars before they were caught.

Tools for building such networks emerged around 2005. I saw the first "in the wild" infections in 2007 (W32/Sdbot-AAQ and Win32-Rbot). Later, more powerful tools to create zombie networks were designed and deployed "in the wild". For example, the Conficker worm was specifically designed for building a network of zombies:

The Conficker worm has grown to be one of the most technologically advanced and resilient botnets to date. While the initial worm variants, Conficker.A, Conficker.B and Conficker.B++, had a primary focus on spreading infection, the latest variant Conficker.C demonstrates a paradigm shift: moving away from overt infection tactics toward stealthy and robust operations. This paper will discuss the evolution of the Conficker malware family with special focus on the technological advancements in Conficker.C that have turned the millions of compromised machines from isolated infections to a collective of self-organizing peers capable of rapid malware distribution and resilient against infiltration of their communication paths.

Here is another recent one (Computerworld):

A new and improved botnet that has infected more than four million PCs is "practically indestructible," security researchers say. "TDL-4," the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is "the most sophisticated threat today," said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday. "[TDL-4] is practically indestructible," Golovanov said. Others agree.

And yet another one: Virus gang warfare spills onto the Net by Bob Sullivan

April 3, 2007

The bot network industry is so profitable, and hijacked computers are so valuable, that rival gangs now fight over them. This digital gang warfare is not physically violent, but it certainly is no game. Bot herders steal each other's infected computers, fight off such raids, and often try to knock each other’s computers off-line. "They are cutthroat and competitive. They are in it to make a lot of money.... These guys are ruthless to begin with and don’t care who they hurt, as long as they get their dollars," said Jose Nazario, a security researcher at Arbor Networks.

The war has escalated to a level where bot herders must jealously guard their hijacked computers. In October, a yet-to-be-named Russian gang released a program called SpamThru that infected machines worldwide and quickly amassed an army of zombies nearly 100,000 strong, capable of sending out 1 billion messages each day.

To protect the investment, the malicious program actually included a stolen copy of the Kaspersky antivirus program, modified to stop all attacks but its own. SpamThru installed the anti-virus program on all infected computers, removing all other viruses. It even sent an infection rate report to the program’s author. The stolen antivirus software continues to defend SpamThru bots from other attacks to this day.

The foray into ad-hoc antivirus software is necessary because bot-herders now regularly train their armies against their rivals. When the Storm worm -- probably this year's biggest virus attack to date -- was released in January, it had a dual function. In addition to its spam functions, Storm-infected computers were instructed to attack Web sites run by the rival Russian Warezov gang, hitting sites with cryptic names like By taking those sites off line, rival spam networks were damaged. The sites had been set up as communications hubs for Warezov-hijacked computers.

The Storm attack was clearly designed to cripple a rival. “They were attacking sites that were known distributors of other bots,” said Joe Stewart a prominent antivirus researcher at SecureWorks Inc. Because the attack was hard-coded into the original Storm virus, no human intervention was required to enjoin the battle. "It is an automated war at this point ... on a massive scale,” Stewart said.

They're No. 1
Why the war? Because bot-masters have to advertise their services like any other industry. And like any business, each bot-herder wants to be able to claim they’re number one. "These guys are at this as a business, asking how can they maximize their profits. It is not unexpected that they will go to these measures," Stewart said. "We expect them to keep trying to one-up each other. They want to be the one that has the biggest botnet."

There is a lot of money at stake. A single denial-of-service attack on a gambling Web site can cost $50,000 a day, said Jose Nazario. Three Russian bot herders were recently sentenced to eight years in prison after successfully extorting several gambling operators in the United Kingdom. The gang earned “several million dollars before they were caught,” said Mikko Hypponen, a researcher with Finnish firm

With so much money on the line, bot herders are hardly above stealing from each other. "If it takes a week to get new 100,000 infections, or it takes an hour of to steal Bob's machines, what would you do?” Nazario said.

Bugs fixed 'faster than commercial software'
Bot authors steal each other’s bots in numerous ways. The most common: They attack vulnerabilities in the original bot software. That’s precisely the way virus writers attack Windows and other commercial software. In the classic example, the massive MyDoom virus in 2004 left an open back door on all infected machines for its author to install upgrades. But rivals gangs quickly found the back door, and took over the hijacked machines with a follow-on virus called "DoomJuice."

Once a previously hijacked computer is hijacked a second time, the thief moves quickly to disable previous bot software and shut out the first hijacker. Virtually all software, even hacker software, has flaws, Nazario said, so hackers regularly probe each other's tools for openings. Bot virus authors, meanwhile, react quickly when they find a flaw is being exploited and their investment is at risk. "Some of these bugs get fixed faster than commercial software," Nazario said.

Vulture-like bot herders also poke around the Internet for infected but dormant hijacked computers, a process called “scavenging.” The attacks aren’t always designed to disable, says Andre Di Minoat, a researcher at The Shadowserver Foundation. Sometimes the battle is joined simply as a demonstration of force.

"(They try to) demo that their net is stronger than the other guy's net," Di Minoat said. A massive attack on the core computers that run the Internet earlier this year may have been a similar demonstration. Last month, the Internet Corporation for Assigned Names and Numbers, which helps run those computers, speculated in a recent report that the attack was the work of a bot herder trying to close a sale by demonstrating the size and power of his army of hijacked computers.

This latest spate of bot wars is not the first time hacker gang warfare has spilled over into the Internet’s Main Street. In 2004, virus writers who authored malicious programs called Bagle, Netsky, and the aforementioned MyDoom traded insults while attacking computers. And many viruses have targeted, a Web site devoted to stopping spam.

But those battles were ultimately just noisy, public demonstrations. The bot wars of today are much more focused -- on the competition -- and much more automated. There is also much more at stake, as profits from spam and denial of service attacks soar. But there is one important thing each of these attacks has in common. The weapons in this war aren't guns or knives, or even fists. The weapon is your computer.

Copyright © 1996-2021 by Softpanorama Society. was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Last modified: March 12, 2019