Botnets on discount!

20/09/2011
G DATA Blog

We have encountered a bot sale which, if it finds imitators, could cause a massive glut of malware everywhere. The so-called “Aldi Bot” first appeared in late August and was initially sold for €10! Parts of the bot’s code oddly resemble ZeuS code…

The malware author (the name he uses makes us suspect a male author) announces his bot creation in the underground and explains that he likes coding and is not keen on making a lot of money. That, he says, is the reason for the low price. Accepted payment methods: paysafecard (with receipt) and Ukash. “I cannot guarantee that the stub you get is always FUD”, he says. This means buyers have no guarantee that the program code remains undetected (“fully undetectable”) by AV products. And he is quite right: AV products are able to detect the bot.

The offer: 1 x Builder + stub + updates + installation assistance = €10 ***
Less than two weeks ago, this price even dropped to €5.

The main functions of “Aldi Bot” v1.0 are:

  • Ability to carry out DDoS attacks
  • SOCKS proxy: the bot owner can use the victim’s PC as a proxy
  • Firefox password stealer: steals passwords saved in the Firefox database
  • Remote execution of any file

An update to v2.0 added the following functions to the ones already in use:

  • Pidgin password stealer: steals passwords from the instant messenger Pidgin
  • jDownloader password stealer: steals passwords from jDownloader, a download manager for one-click hosters


The author shows off a video, hosted on YouTube, which apparently shows an “Aldi Bot” DDoS attack against the website of the German Federal Police (www.bka.de).

Chat logs posted by the malware author reveal that he really does provide personal assistance with installing and deploying the bots, even to malware rookies (so-called noobs) who do not have the slightest idea how to work with the malicious tools! He even uses TeamViewer to make his customers happy and ready to attack.

And this is the core of the matter: malware on the market at such a low price (the “Aldi Bot” price temporarily went down to €5) will draw virtually anybody to the dark side, whether for fun or for profit. Script kiddies can buy this bot with their pocket money, including all updates and support, as the author advertises! And even though the “Aldi Bot” is no longer for sale, we expect more malware like this to pop up and supply the market.

One question remains
Why did the author name it “Aldi Bot”? As can be seen in the screenshot of the bot’s builder, he even uses the official Aldi Sued logo. Aldi advertises itself on its official homepage as “synonymous with high quality and exceptional value.” What we can say is that the “Aldi Bot” does not have an exceptional value (hence the bot’s price), and there are coding issues we identified which clearly contradict ‘high quality’.

We contacted Aldi Sued and reported our findings.

-------

*** Explaining the offer:
Buying the products offered
Builder: tool to compose the bot from the base code and individual settings
Stub: a kind of base code
Updates: self-explanatory
Installation assistance: help with installing the C&C control panel

Building the malware
Buying these “products” means that one can build one’s own personal bot malware. The author supplies the buyer with a kind of base code (we suspect this is what he means by “stub”) and the builder. The buyer has to enter a lot of information into the builder, e.g. the address of the C&C server, a file name for the bot to be built, etc.

Spreading the malware
This task is up to the buyer alone. The buyer has to spread the malware (i.e. the bot that was built) and infect the victims’ PCs. Usual infection vectors: integrating the bot into an exploit kit, sending emails with malicious attachments,

Commanding the malware
Using the offered C&C server panel, the bot herder can command the malware to steal passwords, run DDoS attacks, etc.