Dutch security researchers dissect the Pobelka botnet

Dutch security researchers from Fox-IT have released a paper detailing the inner workings of the Pobelka botnet, including details on its botnet master.
Written by Dancho Danchev, Contributor

Security researchers from the Dutch company Fox-IT, have recently released a detailed report discussing the innner workings of the Pobelka botnet, including details on its botnet master, and the campaigns he's been running since the initial discovery of the botnet.

The campaigns are known to have targeted primarily Dutch and German users, indicating that the botnet master was segmenting the prospective "attack population", relying on nothing else but good old fashioned underground traffic exchange networks, who supplied him with Dutch and German visitors, to be later on converted into Citadel/SpyEye crimeware victims.

The attacker using the handle "Finist", originally started the campaigns relying on a server-based attack kit known as the "Bentpanel", where he even left his email address within the command and control interface in order to receive notifications for the successfully stolen account/bank credentials. He then started using the Black Hole Exploit Kit in an attempt to convert all the Dutch and German traffic he was buying, into crimeware-infected hosts, by dropping SpyEye and Citadel variants on the affected hosts.

The security researchers also connected the Pobelka botnet with several compromised high-trafficked Dutch web sites, and that its botnet master, "Finist" was also seeking money mule recruitment help for Dutch and German bank accounts.

Why is this botnet so special? Because it puts the spotlight on the fact that it's one of those "botnets that never make the news". Until now.

What's also important to highlight about this particular botnet is the fact that, it's a great example of the dynamics behind the cybercrime ecosystem, in particular how easy is it to commit financial fraud with little or no fear of prosecution. It's the very combination of millions of users with outdated third-party applications and browser plugins who update their latest version of Java to find themselves exploited through an old flaw in Adobe's Flash Player, the underground traffic exchanges driven by black hat SEO and malvertising, the easy to purchase state of the art crimeware platforms, and the tens of thousands of gullible prospective money mules thinking they've found their dream employer.

With the Pobelka botnet only the tip of the iceberg when it comes to segmented crimeware campaigns, cybercriminals will continue relying on various "beneath the radar" tactics throughout 2013, in an attempt to extend the life cycle of their campaigns, and increase their revenues.

Find out more about Dancho Danchev at his LinkedIn profile.

Editorial standards