Research by: Alexey Bukhteyev
Introduction
We recently wrote about the massive “sextortion” spam campaign carried out by the Phorpiex botnet. However, this is only a small part of this botnet’s malicious activity. Capable of acting like both a computer worm and a file virus, Phorpiex is spread through exploit kits and with the help of other malware and has infected more than 1,000,000 Windows computers to date. By our assessment, the annual criminal revenue generated by Phorpiex botnet is approximately half a million US dollars.Of course, to maintain such a large botnet, a reliable command and control (C&C) infrastructure is required. For malware with a small outreach, or if infected computers are not part of a single botnet, virtual private servers (VPS) are most often used. VPS hosting services can be purchased from legitimate companies. Many VPS hosting providers don’t require identity verification, and the services can be paid for anonymously.However, in the case of the Phorpiex botnet, a public VPS is not suitable. First of all, the C&C server for such a botnet would immediately attract attention with a large amount of malicious traffic: several million requests per day from more than 100,000 unique IP addresses are sent to the Phorpiex C&C servers. By our assessment, the monthly volume of the botnet’s C&C traffic may exceed 70 TB. Therefore, Phorpiex doesn’t use public VPS hosting services. Instead, it uses dedicated IP subnets registered to figureheads.
Botnet Architecture
Initially, the Phorpiex has been known as a botnet operated using IRC protocol (also known as Trik). However, recent Phorpiex campaigns have switched to modular architecture and got rid of IRC communication. We barely saw any of its IRC C&C ..
Support the originator by clicking the read the rest link below.
