Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    A few days ago, I got access to the source code of the well-known Elite Loader for free. Yes. It was published on one of the Russian underground forums. It even had a detailed description and screenshots showing how to use the application’s command and control (C&C) server.

    Click for larger view Click for larger view
    Click for larger view Click for larger view

    Apart from dropping malicious files on infected machines, Elite Loader also allows malicious users to upload additional software to targeted systems to steal passwords or deploy spam or distributed denial of service (DDoS) modules that other cybercriminals can use.

    The bot’s C&C also contains siginificant statistics and makes use of a log-filtering feature to manage module downloads from the bots in different countries. It can also enable or disable target bots based on their location.

    The bot’s size is only 8kb, making the dropping process relatively hidden. The bot works perfectly well on the Microsoft XP Service Packs 1, 2, and 3 and Vista OSs and supports multiple job instances.

    The malware distribution business seems to have gone public. Elite Loader, for instance, was published by well-known Lonely Wolf—one of the moderators of the underground forum, DaMaGeLaB—with detailed instructions in the archive and even dedicated thread posts. This will make it easy even for script kiddies to create their own malicious code.

    Trend Micro detects the variants of the Elite Loader dropper as part of the DLOADER family of Trojans so product users need not worry about being infected. Trend Micro Smart Protection Network™ blocks the download of all malicious files and access to malicious URLs related to this bot.

    Non-Trend Micro product users who think their systems may have already been infected can clean their PCs using RUBotted.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    • 0mf980tn3tk1ng

      First i want to say that damagelab isn´t an "underground forum". It´s publicy accessible for EVERYONE.
      Then you could point out that Elite Loader only was an marketing bot for the chimera botnet. If you look at the panel you notice it´s the same only some icons (and the corespendig files) are missing. And if you look in some reports there will be the name and even the website of the team.
      Then i highly doubt you got the source. You (like everyone else9 only got an binary builder. As an AV-lab you should know the difference.
      Oh and this bot even has an rootkit shipped as an .dll.

    • robert corlin

      Good Job!!


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice