Software company "Dr. Web" announced about the spread of the virus Win32.Rmnet.12. The botnet, which was created by this malware, consists of 1,400,520 Windows devices.
Experts call Win32.Rmnet.12 a complex multicomponent file virus with the ability of self-replication without user's intervention. Affecting the system, the malware finds the browser used by default and embeds itself in its processes. After that it saves a hidden file in user’s startup folder, using a name generated from the name of the hard drive. A configuration file, which records all the data required for work, is created in the same folder.
Using a special algorithm the virus determines the name of the C&C server and connects to it.
“Dr. Web” experts state that the virus contains a backdoor module. Every 70 seconds this module sends requests for such sites as google.com, bing.com and yahoo.com, analyzing the speed of answers that were received. After that all the information is transmitted to C&C server via FTP protocol. The backdoor is capable of performing all the commands received from the C&C server, including download and execution of files, update and transmission of any information, and even the crash down of the operating system.
The virus spreads via network using two methods. Firstly, the malware exploits vulnerabilities in browsers. This allows to store and run the executable files, when the users visit specially crafted web-pages. Secondly, Win32.Rmnet.12 infects all .exe-files on the computer and copies itself to thumb drives.
“Doctor Web” claims that it gained the complete control over the botnet Win32.Rmnet.12. The experts examined the protocol which was used for data exchange between the infected machines and C&C servers, and applied the sinkhole-method, which was also used to study the Flashback botnet.
The majority of systems infected by Win32.Rmnet.12 is located in Indonesia - 320,014, which accounts for 27,12% of all botnet hosts. Number of bots in Russia is 43,153, i.e. 3.6% of all botnet hosts.
|
Security Bulletins
Latest Malware Updates
Downloader.Busadom!g102/27/2015Infostealer.Posteal02/26/2015Downloader.Busadom02/26/2015Trojan.Ladocosm02/26/2015SONAR.SuspDocRun02/25/2015SONAR.SuspHelpRun02/25/2015W32.Tempedreve.D!inf02/25/2015SONAR.PUA!AlnadInsta02/25/2015SONAR.Infostealer!g502/25/2015SONAR.Infostealer!g402/25/2015 |
2012-04-18
"Dr. Web" informed about a botnet with 1,5 million hosts(c) Naked Security |
Security Advisories Database
Remote Code Execution Vulnerability in Microsoft OpenType Font DriverA remote attacker can execute arbitrary code on the target system. 07/21/2015Multiple Vulnerabilities in Linux kernel03/04/2015SQL Injection Vulnerability in PiwigoSQL inection vulnerability has been discovered in Piwigo. 02/05/2015Cross-site Scripting Vulnerability in DotNetNukeA cross-site scripting (XSS) vulnerability has been discovered in DotNetNuke. 02/05/2015Cross-site Scripting Vulnerability in Hitachi Command SuiteA cross-site scripting vulnerability was found in Hitachi Command Suite. 02/02/2015Denial of service vulnerability in FreeBSD SCTP RE_CONFIG Chunk HandlingAn attacker can perform a denial of service attack. 01/30/2015Denial of service vulnerability in Apache Traffic Server HTTP TRACE Max-ForwardsAn attacker can perform a denial of service attack. 01/30/2015Denial of service vulnerability in MalwareBytes Anti-Exploit "mbae.sys"An attacker can perform a denial of service attack. 01/30/2015Denial of service vulnerability in Linux Kernel spliceAn attacker can perform a denial of service attack. 01/29/2015Denial of service vulnerability in Python Pillow Module PNG Text Chunks DecompressionAn attacker can perform a denial of service attack. 01/20/2015 |
