At cybercrime scene there is a new class of botnets networks origin from China. This zombies networks is quite advanced and are spreading silently infecting thousands of computers, mainly from Asian users, collecting information from the infected users for long time until they are disabled.
The first of these botnets that was detected is known as JACK LOADER . Is called of this way because appears with this name at the login screen on the control panel. Malicious botnet infrastructure were hosted on the domain justnewleft.ru
The first signs of this botnet is back near the end of 2010.
About this time already had news of this threat in the security Web portal Threat Experts:
you can see the connection string of the Trojan with its control panel:
At that time the domain were located at IP 188.8.131.52. IP belonging to the ISP Ninbo-LANZHONG-LTD of China
Once accessed at control panel that commands full botnet network most of zombie machines could be seen that the infected users were from Asian countries mostly.
Malware propagation started by visiting the infection vector :
hxxp :/ / justnewleft.ru: 888/build.sub.php ---->
That redirected user navigation to the malicious Iframe:
iframe src = "hxxp :/ / build.j-loader.com: 88 /" frameborder = "0" height = "600" width = "100%" scrolling = "auto"
From this Panel criminals could configure a battery of downloading malware on the infected machine according to the desired parameters:
Control Panel has other features of command & control over the victim's machine, such as capturing user's confidential data by using a control keylooger and Logs section (LOG VIEWER). It can also control and modify the DNS records on the infected computer to perform pharming attacks (DNS HIJACK)
Below is showed files structure of the Kit of the Control Panel of this Botnet JACK LOADER:
Subsequently, the botnet has been migrated to other sites hosted in China but keeping all the same structure of control and Infection:
Other address where it was hosted and actually inactive was:
The domain nucleardiscover.com were hosted as IP 184.108.40.206 belongs to same provider LANZHONG Ninbo-LTD of China
At present this threat is active again, appearing with a new name called SUPER LOADER as observed in the control panel access screen:
This new version is located in the domain zhongmail.com hosted at IP 220.127.116.11 belonging Xiangrong-Technological provider in China.
Trojan connection vector that communicates with botnet main server and receives orders is
Malicious Control Panel is reachable also at URL:
hXXp :/ / 18.104.22.168:888 /
This new fraudulent server has control of all IP addresses that visits the Panel, blocking them if is detected anomalous activity.
You can get more information from the threat of page Threat experts:
still is possible to download the binaries that initiate infection from the actives address:
This all .Txt files are in reality malicious binaries that infect user's computer