Vol. 4 No. 1 (2018): Proceedings of Botconf 2018
Conference proceedings

Collecting Malicious Particles from Neutrino Botnets

PDF
  • Jakub Souček,
  • Jakub Tomanek,
  • Peter Kálnai
Jakub Souček
ESET
Jakub Tomanek
ESET
Peter Kálnai
ESET

Published 2018-12-10

Keywords

  • Neutrino Bot,
  • Kasidet,
  • Bot,
  • Botnet,
  • Reverse engineering

Copyright (c) 2018 Jakub Souček, Jakub Tomanek, Peter Kálnai (Author)

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to Cite

Souček, J., Tomanek, J., & Kálnai, P. . (2018). Collecting Malicious Particles from Neutrino Botnets. The Journal on Cybercrime and Digital Investigations, 4(1), 17-32. https://doi.org/10.18464/cybin.v4i1.22

Download Citation

Abstract

Neutrino Bot (also known and detected as Win/Kasidet) is a rapidly changing threat. It first became known around December 2013. It has been actively developed ever since resulting in version 5.4 at the very beginning of 2018. It is being sold for an attractive price to a large variety of cybercriminals.
This paper shows an extensive summary of the history of the bot while focusing on the most recent versions. It presents methods how to analyse Neutrino botnets and provides key findings that have been discovered during the year 2018.

 
PDF

References

  1. Malware don’t need coffee, “Neutrino Bot (aka MS:Win32/Kasidet),” June 2014. https://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html.
  2. “ESET GitHub, SHA-256 hashes of Neutrino Bot files.” https://github.com/eset/malwareioc/tree/master/kasidet.
  3. S. Yunakovsky, “Jimmy Nukebot: from Neutrino with love,” tech. rep., Kaspersky lab, August 2017. https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/.
  4. V. Tom, “Kasidet POS malware spread through fake security update,” tech. rep., ThreatSTOP, June 2017. https://blog.threatstop.com/kasidet-pos-malware-spread-through-fake-security-update.
  5. S. Yunakovsky, “Neutrino modification for POS-terminals,” tech. rep., Kaspersky lab, June 2017. https://securelist.com/neutrino-modification-for-pos-terminals/78839/.
  6. Wikipedia. https://en.wikipedia.org/wiki/Luhn_algorithm.
  7. Y. Oyama, “Investigation of the Diverse Sleep Behavior of Malware,” Journal of Information Processing, vol. 26, pp. 461–476, June 2018. https://www.jstage.jst.go.jp/article/ipsjjip/26/0/26_461/_pdf/char/en.
  8. P. Kálnai and M. Poslušný, “Browser Attack Points Still Abused by Banking Trojans,” tech. rep., Virus Bulletin, 2017. https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2017-Kalnai-Poslusny.pdf.
  9. P. Kálnai and M. Poslušný, “Browser Attack Points Still Abused by Banking Trojans - 2018 update,” tech. rep., Virus Bulletin, 2018. https://www.virusbulletin.com/blog/2018/07/vb2017-paper-and-update-browserattack-points-still-abused-banking-trojans/.
  10. O. Kubovic, “Ammyy Admin compromised with malware again; World Cup used as cover,” tech. rep., ESET, July 2018. https://www.welivesecurity.com/2018/07/11/ammyy-admin-compromised-malware-world-cupcover/.
  11. “TinyNuke.” https://github.com/rossja/TinyNuke/blob/master/Bot/WebInjects.cpp.