Concerned about VPN vulnerabilities? Learn how you can benefit from our VPN migration offer including 60 days free service.

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Another Trojan Bamital Pattern

May 06, 2011 - 4 min read

The other day I detected a handful of Bamital infected clients beaconing out with a different pattern than that listed in EmergingThreats, and thought I'd post something for the masses to consume and be on the lookout for in their networks. Microsoft's Malware Protection Center, lists a first iteration of the Trojan back in 2009 to do pop-up/injected advertising on behalf of the attacker ... but since then the malware family has grown in variations and scope of capability - for example, search result manipulation and malware dropping. There are now 29 variants listed in the MS encyclopedia, including those published in mid/late April 2011. For example,

The pattern in EmergingThreats was created from this February 2011 ThreatExpert report:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32 Bamital or Backdoor.Win32.Shiz CnC Communication"; flow:established,to_server; content:"/favicon.ico?0="; http_uri; content:"&1="; http_uri; content:"&2="; http_uri; content:"&3="; http_uri; content:"&4="; http_uri; content:"&5="; http_uri; content:"&6="; http_uri; content:"&7="; http_uri; classtype:trojan-activity; reference:url,; sid:2012299; rev:2;)
The different HTTP URI pattern that I'm seeing for the Bamital C&C communication is:
And the C&Cs that I have observed have typically been utilizing free domain services like "" and "" ... this type of abuse is nothing new for these "TLDs."


Here is a snippet of domains and servers used for this C&C infrastructure:
The above C&C domains resolve only to a handful of IPs: (KR) (KR) (KR) (KR) (US)
Open-source info on these IPs confirms their badness as C&Cs as well as hosting malicious fake videos/plugins (for example,,, CleanMX).
There have also been some other open-source reports that include some .info domains with the same hash-like domain format used to host the Bamital C&C infrastructure that uses the same beaconing pattern I identified above, e.g.,


With this type of bulk registration of new domains to keep the C&C infrastructure alive, you really need to have a set of signatures in addition to domain/IP filtering. Keep an eye out for this other Bamital pattern in your networks:


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Zscaler TROJAN W32 Bamital or Backdoor.Win32.Shiz CnC Communication"; flow:established,to_server; content:"/message.php?subid="; http_uri; content:"&br="; http_uri; content:"&os="; http_uri; content:"&flg="; http_uri; content:"&id="; http_uri; content:"&ad="; http_uri; content:"&ver="; http_uri; classtype:trojan-activity; reference:url,;)
form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.