Softpedia
 


January 20th, 2007, 11:55 GMT · By

Trojan Horse Builds Peer-to-Peer Botnets


Trojan.Peacomm (Trojan.Packed.8) is building a peer-to-peer botnet out of compromised machines. Security company Symantec has issued a public warning that the Trojan.Peacomm Trojan horse is being spammed out via emails with the following subjects: "A killer at 11, he's free at 21 and kill again!," "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel," "British Muslims Genocide," "Naked teens attack home director," "230 dead as storm batters Europe" and "Re: Your text."

The email additionally contains an attachment that is designed to appear as a video clip. "The executable drops a system driver (wincom32.sys, also detected as Trojan.Peacomm), which injects some payload and hidden threads directly into the services.exe process, using a sophisticated technique similar to Rustock (see Mimi Hoang's blog and Elia Florio's blog). However, in spite of its name, wincom32.sys driver is not a "real" rootkit as it does not hide its presence or its registry keys in the system," explained Amado Hidalgo, Sr. Security Response Manager at Symantec.

Hidalgo explained that once Trojan.Peacomm is on a compromised system, it starts peer-to-peer communications on UDP port 4000. Once the connection is established, the Trojan horse downloads and executes additional malware.

"When it manages to connect to any of these initial IP addresses, it receives a list of additional IP addresses of infected machines and adds them to its list of available peers, building up a distributed network to aid in the download of more malware. The Trojan also keeps a "blacklist" of unsuitable peers. Part of this encrypted P2P configuration is stored in a file peers.ini stored in the %System% folder," added Hidalgo.
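The behaviour described above gives defenders two signals to correlate: a host contacting many distinct peers on UDP port 4000, and the file names wincom32.sys and peers.ini on disk. The following triage sketch is an added example, not code from Symantec or the article; the flow records, file inventory, internal address range and fan-out threshold are all constructed assumptions.

```python
import csv, io, ipaddress, ntpath

P2P_UDP_PORT = 4000                                # port named in the article
FILE_INDICATORS = {"wincom32.sys", "peers.ini"}    # file names named in the article
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: your internal range
FANOUT_THRESHOLD = 3                               # assumption: tune per network

# Constructed flow records (src,dst,proto,dport); not real telemetry.
SAMPLE_FLOWS = """\
10.0.0.5,198.51.100.7,udp,4000
10.0.0.5,198.51.100.9,udp,4000
10.0.0.5,203.0.113.20,udp,4000
10.0.0.5,203.0.113.20,udp,4000
10.0.0.8,198.51.100.7,udp,4000
10.0.0.9,203.0.113.80,tcp,4000
"""
# Constructed endpoint file inventory: host -> paths reported by an agent.
SAMPLE_FILES = {
    "10.0.0.5": [r"C:\WINDOWS\system32\peers.ini", r"C:\WINDOWS\system32\WINCOM32.SYS"],
    "10.0.0.12": [r"C:\WINDOWS\system32\peers.ini"],
}

def peer_fanout(flow_csv):
    """Distinct external peers each internal host contacted on UDP/4000."""
    peers = {}
    for src, dst, proto, dport in csv.reader(io.StringIO(flow_csv)):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (proto.lower() == "udp" and int(dport) == P2P_UDP_PORT
                and s in INTERNAL_NET and d not in INTERNAL_NET):
            peers.setdefault(src, set()).add(dst)
    return peers

def file_hits(inventory):
    """Indicator file names per host, matched case-insensitively on basename."""
    hits = {h: sorted({ntpath.basename(p).lower() for p in ps} & FILE_INDICATORS)
            for h, ps in inventory.items()}
    return {h: f for h, f in hits.items() if f}

def triage(flow_csv, inventory):
    """'high' when both signals agree on a host, 'review' when only one fires."""
    fanout, files = peer_fanout(flow_csv), file_hits(inventory)
    report = {}
    for host in sorted(set(fanout) | set(files)):
        n = len(fanout.get(host, ()))
        net, disk = n >= FANOUT_THRESHOLD, host in files
        if net or disk:
            report[host] = {"peers": n, "files": files.get(host, []),
                            "verdict": "high" if net and disk else "review"}
    return report
```

Calling `triage(SAMPLE_FLOWS, SAMPLE_FILES)` rates 10.0.0.5 as high and 10.0.0.12 as review; a single UDP/4000 flow or TCP traffic on port 4000 is not flagged on its own.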
