Analyzing the pattern of the binary file installed by Zunker and comparing it with our samples, we have come across 32 similar files.


On the left, the graphical representation of the binary file belonging to the first Zunker we came across and on the right, the graphical representation of the new similar files we have found.


As you can notice, they are alike. If we compare these graphs with the ones belonging to other malware, such as Gaobot.AAF, we will see that they are very different from these ones.


Analyzing the similar files, we have come across 18 different servers where they were installed:

            – 6 of them are active at the present moment.

            – 4 of them contain files belonging to Zunker but they don’t seem to be working.

            – 8 of them are inactive.


Among the servers that are active, different versions of the bot can be found:

ZUnker 1.4.4-1b

ZUnker 1.4.4-1b-10003  

ZUnker 1.4.4b

ZUnker 1.4.5b