Bot masters are now watching their prey more intently.
While malicious programs typically monitor what the victims does on their computer, a bot program, known as Ozdok, snaps screenshots of what's on its host's screen and sends it back to a server on the Internet, security firm SecureWorks stated in a research note last week.
SecureWorks' researchers gained access to a command-and-control server for Ozdok, also known as Mega-D, and culled between 1,000 and 2,000 screenshots from the machine. The images showed users doing typical tasks on their systems, but the company easily picked out four screenshots that showed malware analysts running advanced tools to reverse engineer the program.
While Trojan horse programs have frequently taken snapshots of a victim's screen, this is the first time that a bot program focused on spamming has done the same thing, said Joe Stewart, director of malware research for the company.
"It was obvious that someone was manually processing these," Stewart said. "You can learn a lot about who you infected this way, in a way that you could not, just knowing their IP address or their login name. It gives them a lot of insight, but it may not be scalable."
Ozdok has become the largest spambot, according to data recently released by MessageLabs. Spam has again risen to levels not seen since the takedown of Internet hosting provider McColo, which resulted in a massive drop in junk e-mail. The largest botnet, however, is likely the one created by the Downadup worm, which has infected 10 million computers, by some estimates. The United States and China lead the world in computers compromised by botnets, according to data previously released by SecureWorks.
Among the images viewed by SecureWorks were screenshots that showed a user searching for pornography of underaged girls, Stewart said. The company referred the case to the FBI.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos