Vol. 4 No 1 (2018): Actes de Botconf 2018
Conference proceedings

Collecting Malicious Particles from Neutrino Botnets

Jakub Souček
ESET
Jakub Tomanek
ESET
Peter Kálnai
ESET

Publiée 2018-12-10

Mots-clés

  • Neutrino Bot,
  • Kasidet,
  • Bot,
  • Botnet,
  • Reverse engineering

Comment citer

Souček, J., Tomanek, J., & Kálnai, P. . (2018). Collecting Malicious Particles from Neutrino Botnets. Le Journal De La Cybercriminalité Et Des Investigations Numériques, 4(1), 17-32. https://doi.org/10.18464/cybin.v4i1.22

Télécharger la référence bibliographique

Résumé

Neutrino Bot (also known and detected as Win/Kasidet) is a rapidly changing threat. It first became known around December 2013. It has been actively developed ever since resulting in version 5.4 at the very beginning of 2018. It is being sold for an attractive price to a large variety of cybercriminals.
This paper shows an extensive summary of the history of the bot while focusing on the most recent versions. It presents methods how to analyse Neutrino botnets and provides key findings that have been discovered during the year 2018.

 

Références

  1. Malware don’t need coffee, “Neutrino Bot (aka MS:Win32/Kasidet),” June 2014. https://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html.
  2. “ESET GitHub, SHA-256 hashes of Neutrino Bot files.” https://github.com/eset/malwareioc/tree/master/kasidet.
  3. S. Yunakovsky, “Jimmy Nukebot: from Neutrino with love,” tech. rep., Kaspersky lab, August 2017. https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/.
  4. V. Tom, “Kasidet POS malware spread through fake security update,” tech. rep., ThreatSTOP, June 2017. https://blog.threatstop.com/kasidet-pos-malware-spread-through-fake-security-update.
  5. S. Yunakovsky, “Neutrino modification for POS-terminals,” tech. rep., Kaspersky lab, June 2017. https://securelist.com/neutrino-modification-for-pos-terminals/78839/.
  6. Wikipedia. https://en.wikipedia.org/wiki/Luhn_algorithm.
  7. Y. Oyama, “Investigation of the Diverse Sleep Behavior of Malware,” Journal of Information Processing, vol. 26, pp. 461–476, June 2018. https://www.jstage.jst.go.jp/article/ipsjjip/26/0/26_461/_pdf/char/en.
  8. P. Kálnai and M. Poslušný, “Browser Attack Points Still Abused by Banking Trojans,” tech. rep., Virus Bulletin, 2017. https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2017-Kalnai-Poslusny.pdf.
  9. P. Kálnai and M. Poslušný, “Browser Attack Points Still Abused by Banking Trojans - 2018 update,” tech. rep., Virus Bulletin, 2018. https://www.virusbulletin.com/blog/2018/07/vb2017-paper-and-update-browserattack-points-still-abused-banking-trojans/.
  10. O. Kubovic, “Ammyy Admin compromised with malware again; World Cup used as cover,” tech. rep., ESET, July 2018. https://www.welivesecurity.com/2018/07/11/ammyy-admin-compromised-malware-world-cupcover/.
  11. “TinyNuke.” https://github.com/rossja/TinyNuke/blob/master/Bot/WebInjects.cpp.