A new year has broken - a new peer-to-peer botnet is on the rise. It shares some commonalities with the infamous Waledac bot that was taken down in an exemplary effort by Microsoft early last year. Although this new bot has a different code base, it uses the same spreading strategy and also seems to maintain a multi-relay (or peer-to-peer) infrastructure just like its predecessor. Our friends over at ShadowServer have posted an excellent blog entry about this new threat and how it relates to earlier bots.
We are currently analyzing the new family and can confirm peer-to-peer-like behavior. When started, the bot loads a list of 20 hard-coded peers. Each entry contains a unique ID, the peer's IP address and a TCP port it is listening on:
971e116b-1c78-4619-abb2-3467427b8861 69.96.23.0:80
d9d04244-2f07-464c-b5c9-ad78e6319546 69.204.140.0:80
89787e02-6de4-4385-ae5f-5eaca64a3fe0 112.204.169.0:80
...
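As an added example (not code from the original post or from the bot), here is a small Python parser for the peer-list layout shown above, of the kind an analyst might run over strings extracted from a sample to build a network watchlist. The names `Peer`, `parse_peers`, `endpoints` and `SAMPLE` are assumptions, and the duplicate and malformed entries in the sample are constructed for illustration.

```python
import ipaddress
import re
import uuid
from typing import NamedTuple

class Peer(NamedTuple):
    peer_id: uuid.UUID
    ip: ipaddress.IPv4Address
    port: int

# Layout from the post: GUID, whitespace, dotted-quad IP, ':', TCP port.
PEER_RE = re.compile(
    r"\b([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b"
)

def parse_peers(text):
    """Return unique, validated peer entries found anywhere in text."""
    peers, seen = [], set()
    for guid, ip, port in PEER_RE.findall(text):
        try:
            peer = Peer(uuid.UUID(guid), ipaddress.IPv4Address(ip), int(port))
        except ValueError:
            continue  # octet above 255 or otherwise malformed address
        if not 1 <= peer.port <= 65535 or peer in seen:
            continue  # impossible port, or an entry already recorded
        seen.add(peer)
        peers.append(peer)
    return peers

def endpoints(peers):
    """Unique ip:port strings in numeric address order, for a watchlist."""
    unique = {(int(p.ip), p.port): f"{p.ip}:{p.port}" for p in peers}
    return [unique[key] for key in sorted(unique)]

# The three entries shown in the post, followed by constructed test entries:
# one exact duplicate and two malformed entries that must be rejected.
SAMPLE = (
    "971e116b-1c78-4619-abb2-3467427b8861 69.96.23.0:80 "
    "d9d04244-2f07-464c-b5c9-ad78e6319546 69.204.140.0:80 "
    "89787e02-6de4-4385-ae5f-5eaca64a3fe0 112.204.169.0:80 ... "
    "971e116b-1c78-4619-abb2-3467427b8861 69.96.23.0:80 "
    "00000000-0000-0000-0000-000000000001 192.0.2.300:80 "
    "00000000-0000-0000-0000-000000000002 192.0.2.1:70000"
)

if __name__ == "__main__":
    for peer in parse_peers(SAMPLE):
        print(peer.peer_id, f"{peer.ip}:{peer.port}")
```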