Xpaj Botnet intercepts up to 87 million searches per year

From Botnets.fr


Botnet: Xpaj
Date: 26 Aug 2011
Editor/Conference: Symantec
Link: http://www.symantec.com/connect/blogs/xpaj-botnet-intercepts-87-million-searches-year (Archive copy)
Author: Gavin O'Gorman

Abstract

W32.Xpaj.B is one of the most complex and sophisticated file infectors Symantec has encountered. In an older blog post, Piotr Krysiuk calls it an “upper crust file infector.” He describes several different approaches that the infector uses to increase the difficulty in detecting infected samples. The techniques W32.Xpaj.B uses to conceal itself within an executable are far beyond the norm. Given this level of complexity, it was decided to analyze the threat in detail.

The analysis revealed IP addresses for the command & control (C&C) servers. Infected W32.Xpaj.B executables send a download request to these C&C servers. Analysis of the threat’s backend control infrastructure revealed more than just the data sent from the server to infected clients. The servers contained encrypted binary data, encryption keys, databases, and Web applications. These were all elements of what transpired to be a fraud operation spread over multiple computers hosted in several countries.

Reverse engineering the binary data, in conjunction with analyzing the Web applications, has built up a picture of a convoluted click-fraud scheme. The intricate details of how the fraud was implemented are fully described in the associated technical paper, W32.Xpaj.B: Making easy money from complex code [PDF]. An overview is presented here along with details of how widespread the threat was and how much money was earned.

Bibtex

 @misc{2011BFR1050,
   editor = {Symantec},
   author = {Gavin O'Gorman},
   title = {Xpaj Botnet intercepts up to 87 million searches per year},
   day = {26},
   month = aug,
   year = {2011},
   howpublished = {\url{http://www.symantec.com/connect/blogs/xpaj-botnet-intercepts-87-million-searches-year}},
 }