Exploring a Java Bot: Part 4

Before we begin this final installment, let’s review what we covered in the previous posts. In part 1 we learned how this bot was discovered and some basics about botnets. In part 2 we covered botnet fundamentals, like command and control (C&C) and various other capabilities. In part 3 we examined some of the features incorporated into a botnet designed to launch attacks and maintain control of hosts.
In this last part of the series we’re going to look at two features that were considered new and innovative this time last year. Normally, when we come across botnet source code, it is fairly feature-slim and usually just made to be sold on various forums; occasionally you do find one or two that go the extra mile. What makes this bot cool? Well, in short, it watches us and what processes (programs) we are running. We have seen this trend in lots of what I would consider “professional” quality malware. I’ve never seen it in anything designed to be used by script kiddies.
The first feature I want to talk about is something we started to notice in larger bots a little over a year ago. We began to notice that bots would actively scan running processes that may interfere with the malware. This alone is not unique. In fact, (continue reading...)

Source: Security

Copyright © 2012 The Security Blog. All rights reserved.