2012-09-20 - Study
From Sakura to Reveton via Smoke Bot - Or a Botnet Distribution of Reveton
In my study of Reveton's distribution, I encountered only Blackhole and another unnamed exploit kit (which is now only spreading Urausy). The FBI warned about Reveton being spread via Citadel.
In this illustration it is not Citadel but a Smoke Bot that is pushing Reveton.
Not that surprising, since we often see Citadel pushing Smoke Bot, so it is just a matter of the botnet operator's order/preference.
(Note that the Smoke Bot we will study is pushing a LOT of stuff, among which Andromeda, Citadel and, for Russia/Ukraine, Carberp (sic).)
For those who do not want to spend 5 minutes watching the video, the key screenshots:
Smoke Bot calling home
Smoke Bot downloading the Reveton DLL
Reveton calling home
You can download the Fiddler session of the Sakura exploitation via CVE-2012-4681 (or from http://goo.gl/5JEyo (Mega)).
The Smoke Bot sample: 49d2c90d7c1f2477f3fb3bd19b156047
The Reveton sample: 603c3b3ea9f14599e34802ebff2ca736
This Reveton sample calling home, in a ThreatExpert report
Full pcap of the session (which includes what you saw and other stuff)
Some binaries inside the pcap file:
f1425502e6a0058d2899a7b04e7f8cc5 (st77793)
3737f526fc7a897b5b46dd99833f54e9 (dex170)
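To check the hashes above against the pcap yourself, here is an added example (not code from the original post) of a dependency-free carver: it walks a libpcap file, reassembles TCP payloads per flow by sequence number, splits each HTTP response at the header/body boundary and hashes every body that starts with an MZ header. The pcap it runs on by default is constructed inline (two out-of-order segments of one HTTP response carrying a placeholder MZ blob, not a real executable) so that it runs offline; pass a real capture path to hash what it actually carries. The IPs, ports and the placeholder body are assumptions for the demo.

```python
"""Carve PE bodies served over HTTP out of a pcap and report MD5/SHA-256."""
import hashlib
import struct
import sys
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
ETH_TYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6


def _iter_frames(data):
    """Yield raw Ethernet frames from a little- or big-endian libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # DLT_EN10MB only
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def _tcp_segment(frame):
    """Return (flow_4tuple, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IP_PROTO_TCP:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return (ip[12:16], sport, ip[16:20], dport), seq, tcp[doff:]


def reassemble_flows(pcap_bytes):
    """Concatenate TCP payloads per flow in sequence order (no overlap/retransmit handling)."""
    flows = defaultdict(list)
    for frame in _iter_frames(pcap_bytes):
        seg = _tcp_segment(frame)
        if seg and seg[2]:
            flows[seg[0]].append((seg[1], seg[2]))
    return {k: b"".join(p for _, p in sorted(v, key=lambda t: t[0])) for k, v in flows.items()}


def carve_pe_from_http(stream):
    """Yield response bodies starting with 'MZ' from a reassembled server->client stream."""
    pos = 0
    while True:
        start = stream.find(b"HTTP/1.", pos)
        hdr_end = stream.find(b"\r\n\r\n", start) if start >= 0 else -1
        if hdr_end < 0:
            return
        length = None
        for line in stream[start:hdr_end].decode("latin-1").split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        body_start = hdr_end + 4
        body = stream[body_start:body_start + length] if length is not None else stream[body_start:]
        if body[:2] == b"MZ":  # DOS header magic; good enough as a carving trigger
            yield body
        pos = body_start + len(body)


def hash_blob(blob):
    """(md5, sha256, size) for a carved object, the tuple the post's hash lists use."""
    return hashlib.md5(blob).hexdigest(), hashlib.sha256(blob).hexdigest(), len(blob)


def hash_pe_files(pcap_bytes):
    """Return [(md5, sha256, size)] for every PE body carved from the pcap."""
    return [hash_blob(b) for s in reassemble_flows(pcap_bytes).values() for b in carve_pe_from_http(s)]


def _frame(src, sport, dst, dport, seq, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; fine for carving)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IP_PROTO_TCP, 0, src, dst) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETH_TYPE_IPV4) + ip


def build_sample_pcap():
    """Constructed sample: one HTTP response with a placeholder MZ blob, segments out of order."""
    body = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32  # placeholder, not a real PE
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n" \
           b"Content-Length: %d\r\n\r\n" % len(body) + body
    srv, cli = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])  # assumed addresses
    frames = [_frame(srv, 80, cli, 49152, 1000 + 40, resp[40:]),  # second segment first
              _frame(srv, 80, cli, 49152, 1000, resp[:40])]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out, body


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()[0]
    for md5, sha256, size in hash_pe_files(data):
        print(f"{md5}  {sha256}  {size} bytes")
```

Compare the printed MD5s with the hashes listed above; a mismatch usually means a truncated transfer, a chunked or compressed response this simple carver does not decode, or a sample served with a non-PE wrapper, so inspect the stream by hand before concluding the binary differs.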