Backdoor Bulknet actively creates botnet

The company Dr. Web today announced that it is gaining control over the botnet, which was formed on the basis of distributed malicious malware BackDoor.Bulknet.739, infecting an average of 100 PCs hourly. Getting on a victim's computer, the Trojan helps hackers to send him hundreds of spam emails.

Among the victims BackDoor.Bulknet.739 mostly users in Italy, France, Turkey, USA, Mexico and Thailand, but the Russians could also fall under its scope.

First BackDoor.Bulknet.739 interested analysts in October 2012. Trojan was able to connect computers in a botnet and allows attackers to carry out mass spam mailings.


When launched, the Trojan on the infected computer is running a special module, unpacking Trojan downloader, then BackDoor.Bulknet.739 downloaded to the infected machine with malicious applications. In this case, the Trojan uses a highly original algorithm: it refers to the stored encrypted in her list of domain names and select one of them to download the spam module. In response BackDoor.Bulknet.847 gets the main web pages are on the Website and parses its HTML-structure to find the tag to insert a picture. The main module BackDoor.Bulknet.739 stored within such an image is encrypted and is designed for mass mailing messages by e-mail.

Addresses to send spam, template file outgoing messages and the configuration file BackDoor.Bulknet.739 receives from the remote server. To contact intruders BackDoor.Bulknet.739 uses binary protocol: it is able to perform a set of commands received from intruders, especially the command to update, download new samples of letters, a list of addresses to send spam, or a directive stopping distribution. In the case of self-denial Trojan can send a specially crafted malicious report.

The specialists of Dr. Web managed to catch one of the botnet control servers BackDoor.Bulknet.739 and collect some statistics. Thus, as of April 5, 2013 to the management server was connected about 7,000 boats, with their growth in the period from 2 to 5 April can be seen by the following chart:

Currently BackDoor.Bulknet.739 botnet continues to grow quite rapidly - on average hourly fixed infected about 100 computers. Most geographically widespread Trojan BackDoor.Bulknet.739 received in Italy, France, Turkey, USA, Mexico and Thailand. The smallest number of infected workstations registered in Australia and Russia.