Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Tracking A Botnet Infection

July 10, 2013 - 2 min read

Recently we found several malicious executables with similar characteristics. These files were found on the following six domains:


  • janashfordplumbing.com
  • kalliskallis.com
  • lowes-pianos-and-organs.com
  • continental1.com
  • foreigntire.com
  • gjhimages.com

The URLs used, adhered to the following two formats:



  • http://www.[domain].com/awstats6_data/[a-f0-9]{10}/?f=sm_main.mp3&k=[0-9]{15}
  • http://www.[domain].com/images/[folder]/[folder]/[a-f0-9]{10}/?f=sm_main.mp3&k=[0-9]{15}

These six domains are otherwise legitimate sites that have been compromised and used to serve malicious content. While I didn't determine the vulnerability used to obtain  control of these websites, all of them were misconfigured, allowing directory listings (viewing all files available in folders) and/or having AWSTATS publicly available.

The malicious files kept changing, with different signatures. Their behavior, however, was always the same and was identified as a botnet. When executed, the botnet hides itself in the Recycle bin and infects other running processes. It connects to over 50 IP addresses over UDP/16471 and TCP/16471. These IPs keep changing with each file and each execution.

The botnet always connects to xlotxdxtorwfmvuzfuvtspel.com through HTTP, but the domain answers with an empty response. You'll notice that the malware uses HTTP/1.0 with a Host header (not RFC compliant), often a good sign of malicious HTTP activity.




HTTP request to C&C

We found the malicious samples through Behavior Analysis, then used our log correlation to find the source of the malicious executables.



Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.