Harnig botnet: a retreating army

From Botnets.fr

Botnet: Harnig, Piptea, SpyEye, Zbot, Ertfor
Feature: Pay-per-install
Date: 2011 / 2011-03-22
Editor/Conference: FireEye
Link: https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html (Archive copy)
Author: Atif Mushtaq
Type: Blogpost


Rustock is not the only botnet which suffered from the recent take down by Microsoft. It appears that Harnig (a.k.a. Piptea), a close relative to Rustock, is retreating as well. There is no evidence that someone is trying to shut down Harnig. It looks like a decision made solely by the bot herders. Why? I'll talk about it shortly.

Harnig is considered to be a very widespread pay-per-install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system. In return for this favor, the owners of other malware families pay the bot herders a little sum, normally a few cents per machine. When it comes to pay-per-install networks, the type and amount of malware being dropped can't easily be determined. What matters is who is paying the bot herders, and when. But things between Harnig and Rustock were quite different. There has been a long-term relationship between the Harnig and Rustock botnets. For the last 2 years or so, Rustock has almost always been seen being spread through Harnig. Very rarely will one see Rustock using some other infection vector or pay-per-install network to propagate itself.


 @misc{2011BFR1555,
   editor = {FireEye},
   author = {Atif Mushtaq},
   title = {Harnig botnet: a retreating army},
   day = {22},
   month = mar,
   year = {2011},
   howpublished = {\url{https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html}},
 }