Inside the Elite Control Botnet
Researchers with Trend Micro's TrendLabs group have gotten their hands on the code behind the dangerous "Elite Control" botnet, allowing for a closer look at the attack's underpinnings and capabilities.
TrendLabs Advanced Threats Researcher Maxim Goncharov detailed his findings in a recent blog post after coming across a free copy of the botnet's source code on a Russian malware forum, and he contends that the threat is a pretty tough customer all around.
Luckily for us, the researcher's ability to gain access to the code gave him all the important details needed to understand its make-up, including instructions from the botnet's designer on how to utilize Elite Control command and control servers.
In addition to dropping malicious files onto affected devices, Goncharov noted that the botnet program also allows those people controlling the threat to channel secondary programs to the devices to steal passwords, turn the machines into spambots or even use them in DDoS campaigns.
In another nod to its sophistication, the expert said that the attack offers its users an impressive array of reporting capabilities, including stats and advanced log filtering to help botnet controllers manage downloads closely, on a regional basis, for instance.
And impressively, even with all that potential, the botnet program weighs in at a small 8kb, making it even harder for security programs to detect, he said. According to Goncharov, in fact, the threat still effectively evades Microsoft XP Service Packs 1-3 along with Microsoft's Vista OS.
Based on his ability to unearth Elite Control so completely, and on the fact that it was relatively easy to find in the underground, the researcher also submits that the malware community is becoming increasingly brazen and public in its overall nature.
With no ability for law enforcers to actively pursue or prosecute them, malware authors and distributors seemingly aren't trying as hard to cover their tracks these days, he said.
As a result, even advanced threats such as the Elite Loader botnet will find their way into larger numbers of less sophisticated attackers' hands, and faster, the TrendLabs researcher contends.
"Elite Loader, for instance, was published by well-known Lonely Wolf, one of the moderators of the underground forum, DaMaGeLaB, with detailed instructions in the archive and even dedicated thread posts," writes the expert. "This will make it easy even for script kiddies to create their own malicious code."
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.