2012-09-20 - Study

From Sakura to Reveton via Smoke Bot - Or a Botnet Distribution of Reveton


In my study of Reveton's distribution, I encountered only Blackholes and another unnamed exploit kit (which is now spreading only Urausy). The FBI warned about Reveton being spread via Citadel.

In this illustration it's not Citadel: it's a Smoke Bot that is pushing Reveton.

Not so far off, since we often see Citadel pushing Smoke Bot, so it's just a matter of the botnet operator's order/preference.
(note that the Smoke Bot we will study is pushing a LOT of stuff, among which Andromeda, Citadel and, for Russia/Ukraine, Carberp (sic))

For those who do not want to waste 5 minutes looking at the video:
Smoke Bot calling home
Smoke Bot downloading the Reveton DLL

Reveton calling Home

You can download the Fiddler session of the Sakura exploitation via CVE-2012-4681 (or: http://goo.gl/5JEyo (Mega))
This Reveton sample's call home in the ThreatExpert report

Full pcap of the session (which includes what you saw and other stuff)

Some binaries from inside the pcap file