
    Author Archive - Ranieri Romera (Senior Threat Researcher)

    Last week, we talked about the Tequila botnet that was targeting Mexican users. Since our last post, there has been one big development—the botnet appears to have been taken down by the owners themselves.

    On Thursday (June 3, 2010), the botnet’s controllers sent out new instructions to all of the active bots. One effect of these instructions was to stop all of the bots’ phishing attacks, perhaps because our earlier post had exposed all of the proxy servers and redirect hosts used in those attacks.

    We were also able to find another botnet developed by the same person behind the Tequila botnet. This botnet, which we have called the Mariachi botnet, is not as feature-rich as Tequila: it could be used to mount phishing attacks or to install software onto affected systems, and those appear to have been its main capabilities.

    This Monday (June 7), however, both the Mariachi and Tequila botnets went offline after their command-and-control (C&C) servers were taken down. The Mariachi botnet’s C&C server appears to have been taken down by its hosting provider, Bluehost.


    Soon afterward, the Tequila botnet’s C&C server went offline as well.


    We have not seen any new activity out of either the Mariachi or the Tequila botnet since then although we are continuing to monitor the now-orphaned bots for any new activity.

    Once again, we express our thanks to Juan Castro of Trend Micro LAR for all the information he passed on about these botnets.

    Posted in Botnets

    We recently received a report of a new phishing attack that originated from Mexico. It takes advantage of the controversial news about an allegedly missing four-year-old girl, Paulette Gebara Farah, who was later found dead in her own bedroom. Upon investigation, we found that this attack came from a Mexican botnet and that it was trying to steal banking/financial-related information from users.

    Online banking is widely used in Latin America, and this attack is another example of cybercriminals targeting the online banking community in an effort to steal money and sensitive financial information.

    Users who are following the said news may fall prey to this attack by visiting the page http://www.knijo.{BLOCKED}, which contains an article about Paulette and claims to show nude photos of her mother. When a user accesses this page, a fake dialog box pops up and requests the user to download and install Adobe Flash Player.


    Clicking Run leads to the download of the file video-de-la-mama-de-paulette.exe, which is actually the client program of a bot detected by Trend Micro as TSPY_MEXBANK.A.
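    The lure above relies on a file that is named like a video but is really a Windows executable. The following is an added example, not code from the original post or from Trend Micro: a small Python check that identifies a PE file by its DOS/PE headers regardless of its name and flags the combination of a media-style name with executable content. The byte strings are constructed stand-ins (an "MZ" stub whose e_lfanew points at a "PE\0\0" signature, and an MP4 header), not the real sample, and the name heuristics are assumptions for illustration.

```python
import struct

# Constructed sample bytes (NOT the real malware): a minimal DOS header whose
# e_lfanew field (offset 0x3C) points at a "PE\0\0" signature at offset 0x40.
SAMPLE_PE = bytes(
    b"MZ" + b"\x00" * 0x3A            # DOS header up to e_lfanew
    + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    + b"PE\x00\x00" + b"\x00" * 20    # PE signature + empty COFF header
)

# Constructed MP4 header ("ftyp" box), for comparison.
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 24

# Assumed lure heuristics: keywords and media extensions that a "video" lure
# would typically carry in its file name.
LURE_KEYWORDS = ("video", "foto", "clip")
MEDIA_EXTENSIONS = (".avi", ".mp4", ".mpg", ".wmv", ".flv", ".mov")


def looks_like_pe(data: bytes) -> bool:
    """Return True if `data` begins with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def media_lure_name(filename: str) -> bool:
    """Return True if the file name suggests a video/photo (keyword or double extension)."""
    name = filename.lower()
    stem = name.rsplit(".", 1)[0]  # "clip.avi.exe" -> "clip.avi"
    return any(k in stem for k in LURE_KEYWORDS) or stem.endswith(MEDIA_EXTENSIONS)


def is_disguised_executable(filename: str, data: bytes) -> bool:
    """Flag a file whose name promises media but whose content is a PE executable."""
    return media_lure_name(filename) and looks_like_pe(data)


if __name__ == "__main__":
    for name, blob in (("video-de-la-mama-de-paulette.exe", SAMPLE_PE),
                       ("video-de-la-mama-de-paulette.mp4", SAMPLE_MP4),
                       ("setup.exe", SAMPLE_PE)):
        print(f"{name}: disguised executable = {is_disguised_executable(name, blob)}")
```

The content check is deliberately independent of the extension: a gateway or download scanner that trusts `.mp4` in the name would be bypassed by exactly the kind of file this lure delivers.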

    During our investigation, we were able to access the botnet’s command-and-control (C&C) management interface, which allowed us to see for ourselves the complete capabilities of this new botnet.


    The bot menu shows the total number of zombies and a list of the compromised computers. For each zombie, the list displays its ID number, the client name, and the action executed on it. The menu offers options to disable or enable a bot, to start netcat (a networking utility that can serve as a backdoor) on a bot, and to remove the bot from the botnet.


    This newly discovered botnet has a fairly comprehensive feature set, comparable to that of older, more established botnet families. Each feature is placed in its own “module,” which the botnet herder can configure one by one.

    It should be no surprise that a pharming module, which redirects victims to phishing pages, is part and parcel of its feature set. As the screenshot of the module shows, this particular botnet targets Mexican users, specifically PayPal’s local site and the largest bank in the country, Bancomer.
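    A defender's first question about a pharming module is where the redirection lives on the victim machine. The post does not say which mechanism Tequila uses, so the following added example (not code from the original post or from Trend Micro) assumes the most common one, rewriting the local hosts file, and shows a check that parses a hosts file and reports any entry mapping a banking or payment domain to an address. The hosts content is constructed; the watch list is an assumption, with only Bancomer and PayPal's Mexican site coming from the post.

```python
import ipaddress

# Constructed sample hosts file: the usual loopback lines plus two entries of
# the kind a pharming module targeting Mexican online banking would add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.bancomer.com bancomer.com   # constructed pharming entry
192.0.2.10      www.paypal.com.mx
"""

# Assumed watch list. A bank or payment site has no business in a hosts file
# at all, so any mapping (loopback included) is reported.
WATCHED_DOMAINS = ("bancomer.com", "paypal.com.mx", "paypal.com", "banamex.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and junk."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:                     # not an address: ignore the line
            continue
        for host in fields[1:]:                # one line may carry several names
            yield ip, host.lower()


def in_watch_list(host, watched=WATCHED_DOMAINS):
    """True if host equals or is a subdomain of a watched domain."""
    return any(host == d or host.endswith("." + d) for d in watched)


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return [(ip, host), ...] for every watched domain found in the hosts text."""
    return [(str(ip), host) for ip, host in parse_hosts(text)
            if in_watch_list(host, watched)]


if __name__ == "__main__":
    for ip, host in find_pharming_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {ip}")
```

On a live system the same function can be run over `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`); an entry for a financial domain is a strong indicator on its own, and the address it points at is the lead for finding the phishing proxy behind it.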


    Aside from this, the Tequila botnet can also download files from various malicious URLs, via either HTTP or FTP. Both ZBOT information stealers and FAKEAV malware have been seen dropped by this new family.

    However, consumers are not the only ones the cybercriminals behind this botnet are ripping off. The AdSense module makes the bots repeatedly load a chosen site along with that site’s advertisements. In effect, the cybercriminals use this to inflate the traffic to their own sites and so increase the payments made by advertising networks such as Google’s AdSense.


    In addition to being served from malicious websites, the Tequila botnet can also arrive via USB devices and via MSN Messenger. Over Messenger it sends messages that either carry the file itself or contain links to copies of the malware.


    The C&C server appears to be no longer reachable, in effect taking this particular botnet down. However, if the developer starts a new campaign and distributes new files, the number of bots may increase again, which would encourage the developer to create new modules for the botnet in the future.

    Hat tip to Juan Castro of Trend Micro LAR for initially bringing this botnet to light.



    © Copyright 2013 Trend Micro Inc. All rights reserved.