Every day we see different things that the miscreants develop to make their job easier. Today I was checking the 288th variant of Opanki. The really interesting thing about this one is that the botnet owner seems concerned about not having an organized way to check on the bots, such as their geographic distribution. But how can he or she accomplish this in an easy way? Yes, Google Analytics! As many of you know, Google offers Google Analytics (www.google.com/analytics) as a free service that allows anyone to collect and view tracking information about website visitors, like Unique Visitor Tracking, Daily Visitor, Geo Location…
The following code was found in this bot variant. This is the typical code that one would usually add to a web page to make Google Analytics work:
_uacct = "UA-XXXXXX-X";
_udn="xxxxxx.com";
urchinTracker();
The _uacct and _udn parameters identify the site owner for later statistics.
Yet another example of how the miscreants are organizing themselves…
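For analysts, the same snippet is a useful linking indicator: the account ID in _uacct is tied to one Analytics owner, so samples carrying the same ID can be grouped together. The following is an added example, not code from the original post; the file names, account IDs and domain are constructed, and the UA-digits-digits account format is an assumption used to reject redacted placeholders.

```python
import re
from collections import defaultdict

# Legacy urchin.js assignments, e.g. _uacct = "UA-123456-1"; _udn="example.com";
ASSIGN_RE = re.compile(r'\b(_uacct|_udn)\s*=\s*(["\'])(.*?)\2')
# Assumed account format; redacted values such as "UA-XXXXXX-X" do not match.
ACCOUNT_RE = re.compile(r'^UA-\d+-\d+$')
CALL_RE = re.compile(r'\burchinTracker\s*\(')


def extract_tracker(text):
    """Return the tracker settings found in a strings dump, or None."""
    fields = {}
    for name, _quote, value in ASSIGN_RE.findall(text):
        fields.setdefault(name, value)  # keep the first assignment seen
    account = fields.get('_uacct')
    if not account or not ACCOUNT_RE.match(account):
        return None
    return {
        'account': account,
        'domain': fields.get('_udn'),  # None when _udn is not set
        'calls_tracker': bool(CALL_RE.search(text)),
    }


def cluster_by_account(samples):
    """Group sample names by the Analytics account ID they embed."""
    clusters = defaultdict(list)
    for name, text in samples.items():
        hit = extract_tracker(text)
        if hit:
            clusters[hit['account']].append(name)
    return {account: sorted(names) for account, names in clusters.items()}


# Constructed strings dumps (not taken from real samples).
SAMPLES = {
    'sample_a.strings': 'junk\x00_uacct = "UA-0000001-1";\n'
                        '_udn="tracker.example";\nurchinTracker();',
    'sample_b.strings': "<script>_uacct='UA-0000001-1';urchinTracker();</script>",
    'sample_c.strings': '_uacct = "UA-XXXXXX-X"; urchinTracker();',  # redacted
    'sample_d.strings': 'no tracking code here',
}

if __name__ == '__main__':
    for account, names in cluster_by_account(SAMPLES).items():
        print(account, names)
```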

November 13th, 2006 at 2:10 am
[…] The 288th variant of the Opanki worm helps its creator obtain statistics about his infected computers. Without batting an eyelid, this worm uses Google Analytics, a free service for businesses. Google Analytics tells companies where their customers are, what they do on the company's website, how much they spend and the like. Not all of this information applies to infected PCs, but their location, for example, does. There are other ways to find this out (the IP address, for example), but Google delivers ready-made information to the virus writer, packaged in neat graphs and maps. […]
November 17th, 2006 at 1:31 pm
[…] For instance, it seems the miscreants are getting into the world of data mining. There’ve been a couple examples recently of ways they’ve used different techniques for keeping track of how their botnets are doing. Keep your bots in handy groups for different purposes, and then track them with a nice graphical interface! […]
April 25th, 2008 at 8:15 am
[…] have seen this before…but something wasn’t quite clear… it seemed that this was all that the malware […]