The ‘advertising’ botnet

Jump to navigation Jump to search

(Publication) Google search: [1]

The ‘advertising’ botnet
Artro securelist advertising.png
Botnet Artro
Malware CodecPack, New_bb, BannerBot, PopupBot, HitBot, Oms
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2011 / 20 apr 2011
Editor/Conference Kaspersky lab
Link Advertising Botnet (Archive copy)
Author Maria Garnaeva, Alexei Kadiev


Bots belonging to the Artro botnet are detected by Kaspersky Lab products as Trojan-Downloader.Win32.CodecPack, which has been around since early 2008. However, a full description of its functionality is still not available, so to rectify this, we decided to publish the results of a study we undertook.

The downloader

The Artro botnet was created using a Trojan downloader that is detected by Kaspersky Lab as Trojan-Downloader.Win32.CodecPack. The Trojan is protected by a packer with heavily obfuscated code. As a rule, packers are used to prevent the detection of a packed malicious program rather than to protect its code from analysis, and this piece of malware is no exception: unpacking it is a relatively easy task. When unpacked, the WinMain function of different Trojans usually looks more or less the same. In this case, however, the malware authors tried to obfuscate their code by inserting large numbers of superfluous instructions in order to make the code harder to analyze.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2011BFR918,
   editor = {Kaspersky lab},
   author = {Maria Garnaeva, Alexei Kadiev},
   title = {The ‘advertising’ botnet},
   date = {20},
   month = Apr,
   year = {2011},
   howpublished = {\url{}},