Researchers Deconstruct Pobelka Botnet

How many inconspicuous botnets are alive and siphoning banking credentials and real money from online accounts that get little to no attention? They feast on unwitting consumers using an array of available banking Trojans to steal legitimate log-in information and sell it to the highest bidder, often with great success because they got lost in the sea of similar campaigns. Researchers at Dutch security company Fox-IT recently took apart an average botnet running amok in the Netherlands called Pobelka, a Russian word that means whitewash (perhaps a euphemism for money laundering). The analysis paints a picture of the simplicity with which even a small criminal organization can spread malware for profit, virtually unscathed.


“The Pobelka botnet is just one of the many examples of how a single individual was able to attack Internet users for over a year without much resistance. This is a global issue,” wrote Michael Sandee, principal security analyst at Fox-IT.

Pobelka was outed in late December and discovered to be spreading the Citadel Trojan to harvest credentials, largely from online banking customers in Germany and Holland. While stolen credentials are gaining considerable value for attackers, particularly those involved in APT-style, state-sponsored attacks, Pobelka was exclusively a financial botnet, raiding online bank accounts and stealing credit card information.

The attackers also used some of the stolen credentials to hijack websites to host either exploit kits or phishing sites. Pobelka, it should be noted, was not always a Citadel carrier. For a time it spread SpyEye, another nasty financial Trojan.

Also notable about Pobelka and Fox-IT’s investigation is that the researchers were able to identify the attacker, who left a contact address in the botnet’s command and control server. Known as Finist, the attacker was receiving notifications of stolen credentials from the botnet’s administration interface, called Bentpanel, at a Jabber address.

The Bentpanel infrastructure had been seen before in other attacks against banks in the U.S. and Europe in 2011.

“The actual Bentpanel attack was offered both as a service on a hosted infrastructure, but also was separately sold as a kit which an attacker could install on his own server,” the Fox-IT botnet report said. “The purpose of the attack is to allow account hijacking, a technique which is far from new and was used to attack banks using two factor transaction signing as far back as 2007.”

Bentpanel was primarily used by Finist as a manual attack tool, but it had some automated transfer system (ATS) attack capabilities. ATS are modules embedded into financial malware such as Zeus and SpyEye that automatically move funds to a mule’s account and can bypass strong authentication checks.

Finist spent some of his profit buying traffic from Iframeshop, a traffic exchange platform that directed visitors toward sites hosting exploit kits; Finist paid between $8 and $18 for every 1,000 visitors.

“This traffic was generated by placing a specifically crafted script which pointed to the Iframeshop traffic distribution system on a website,” the report said. “This could be a compromised site, but also a site setup with malicious intent and pushed into high search engine ranking by the use of black SEO tricks.”

It appears Finist switched over to Citadel in October 2011, and by the spring of 2012 the operation was fully functional. Several pieces of banking malware and exploit kits were used throughout 2012 with such success that Finist was, on different occasions, publicly recruiting money mules in online forums.

Since the end of 2012, Fox-IT said it has not observed activity attributed to Finist, despite some chatter on Jabber. Fox-IT speculates that Finist could have moved on to different types of attacks outside the Netherlands.

“The ease at which cybercrime services are available to criminals, makes it trivial for anyone to start in this business, and the potential gains for the criminals are large, with little to no chance of successful prosecution,” the report said.