Digging into the Nitol DDoS botnet

From Botnets.fr
Jump to navigation Jump to search

(Publication) Link to the old Wiki page : [1] / Google search: [2]

Digging into the Nitol DDoS botnet
Digging into the Nitol DDoS botnet.png
Botnet Nitol
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2012 / Thursday, April 19, 2012
Editor/Conference McAfee
Link http://blogs.mcafee.com/mcafee-labs/digging-into-the-nitol-ddos-botnet (Archive copy)
Author Itai Liba
Type

Abstract

Nitol is a distributed denial of service (DDoS) botnet that seems to be small and not widely known. It mostly operates in China. McAfee Labs recently analyzed a few samples; we offer here the communications protocol and the Trojan’s capabilities.

Most of the samples we encountered were not packed and were very easy to reverse engineer. The Trojan was written in Visual C++ either in a hurry or by an untrained programmer. We found a lot of bugs in the code. Nitol copies itself to a random filename ******.exe (where every * is a randomized alphabet character) in the Program Files directory. The new file is registered as a service, “MSUpdqteeee,” with the display name “Microsoft Windows Uqdatehwh Service.”

Bibtex

 @misc{Liba2012BFR992,
   editor = {McAfee},
   author = {Itai Liba},
   title = {Digging into the Nitol DDoS botnet},
   date = {19},
   month = Apr,
   year = {2012},
   howpublished = {\url{http://blogs.mcafee.com/mcafee-labs/digging-into-the-nitol-ddos-botnet}},
 }