ButterflyBot.A is a bot worm whose purpose is to make the affected computer become a zombie, so that it can be remotely controlled and receive instructions from its creator without either the knowledge or consent of the user.
Once installed, it injects itself into the EXPLORER.EXE process, so that it does not run as a separate, suspicious process and can go unnoticed. Additionally, as the EXPLORER.EXE process is usually allowed to access the Internet, the bot can receive the instructions sent by its creator and bypass the firewall, if one is installed.
It can receive several instructions, like the following:
- Download and run files, which would allow it to install any type of malware on the computer. For example, it could install a Trojan designed to steal all types of passwords, putting the user’s confidential data at risk.
- Download updates of itself. This way, it could add new functionalities and change its behavior, making its detection more difficult.
- Enable/disable the propagation through removable drives, instant messaging programs and P2P programs.
The following table represents the main commands received by the bot with an explanation:
It is worth mentioning that the creator of the bot uses particular Spanish-language expressions to name some of these commands, like "alinfiernoya" ("to hell now") to delete the bot, "trinka (url)" ("get (url)") to download a file from a certain URL, or "get this new one now (url)" to update the bot.
Additionally, it establishes connections with the following addresses from which it controls the type of command to be sent and the files to be downloaded to the affected computer:
These addresses use dynamic DNS servers, so that the bot creator can modify at any moment the instructions sent and the files to be downloaded.
On the other hand, the program to create customized samples of this bot, which allows users to design their own botnet, can be bought on the Internet. The following image belongs to the website where it is on sale:
The following image belongs to the configuration interface of the bot, which allows users who buy this program to configure it as they want:
The configuration options are the following:
- Choose whether the copies of itself are polymorphic or not.
- Connection ports to the server.
- Delay until it is injected into the EXPLORER.EXE process to make its analysis more difficult.
- Number of messages to send via MSN Messenger.
- Name of the file with which it is copied in the removable drives.
- Autostart configuration of these removable drives.
The image below belongs to the server that controls the infected computers and that allows commands to be sent and the botnet to be configured:
ButterflyBot.A creates a copy of itself with the name SYSDATE.EXE, in the path C:\RECYCLER\%random value%. This file is a copy of the worm.
ButterflyBot.A creates the following entry in the Windows Registry in order to be run whenever Windows is started:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = C:\RECYCLER\%random value%\sysdate.exe
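As an added example (not part of the original description or of any vendor tool), the following Python code checks a text export of the registry for the Taskman entry described above. The sample export and the folder name S-1-5-21-EXAMPLE are constructed, and the function names are hypothetical; a real "reg export" file is UTF-16 and must be decoded before it is passed in.

```python
import re

# Constructed sample of a `reg export` text dump (not taken from a real host).
# "S-1-5-21-EXAMPLE" stands in for the page's "%random value%" folder name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"Taskman"="C:\\RECYCLER\\S-1-5-21-EXAMPLE\\sysdate.exe"
'''

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# Path layout described on the page: C:\RECYCLER\<random value>\sysdate.exe
PAGE_PATH = re.compile(r"^[a-z]:\\recycler\\[^\\]+\\sysdate\.exe$", re.I)
RECYCLER = re.compile(r"^[a-z]:\\recycler\\", re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def winlogon_values(reg_text):
    """Return {lowercased name: data} for string values under the Winlogon key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == WINLOGON
        elif in_key:
            m = VALUE.match(line)
            if m:
                values[unescape(m.group(1)).lower()] = unescape(m.group(2))
    return values

def check_taskman(reg_text):
    """Classify the Taskman value: 'match', 'suspicious', 'present' or 'absent'."""
    data = winlogon_values(reg_text).get("taskman")
    if data is None:
        return "absent", None
    path = data.strip().strip('"')
    if PAGE_PATH.match(path):
        return "match", path       # exact layout from the description above
    if RECYCLER.match(path):
        return "suspicious", path  # different file name, still run from RECYCLER
    return "present", path         # some other program: review by hand

if __name__ == "__main__":
    print(check_taskman(SAMPLE_REG))
```
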
Means of transmission
ButterflyBot.A uses several means to spread itself in order to infect as many computers as possible. Additionally, the different means of propagation it uses can be enabled/disabled through certain specific instructions it can receive from the "Command and control center" of the botnet.
ButterflyBot.A spreads through removable drives, instant messaging programs like MSN Messenger and P2P programs.
1.- Removable drives
In order to do so, it makes copies of itself in the removable drives of the system, affecting the removable devices that are connected to the computer, such as USB keys.
Additionally, it creates an AUTORUN.INF file in these drives, so that the worm can be automatically run whenever the device is connected to a computer.
2.- MSN Messenger
It sends instant messages to all the contacts of the affected user. These messages contain a link from which a copy of the worm is downloaded.
If the user runs the downloaded file, the computer will be infected by the worm.
3.- P2P programs
The worm creates copies of itself in the shared folders belonging to several P2P programs, using the names of legitimate programs so that other users who are looking for this type of program download and run them, thinking they are legal applications.
ButterflyBot.A is 134,656 bytes in size.