The recently observed Trojan, Sathurbot, offers a fascinating insight into the various parts of the malware-spreading ecosystem. The bot compromises websites, primarily those running WordPress, and uses them to spread malware to end users. Once end-user machines are infected, it uses them to compromise more websites, and the newly compromised sites are in turn used to spread more malware, to launch attacks, to act as malware C&C servers, or to host SEO spam.
The entire process starts with compromising a site. Once compromised, the site serves torrent files that masquerade as legitimate torrents. These torrents appear well seeded and show up in Bing or Google searches. Users trust them and use them to download the movies or software the torrents appear to offer. The downloaded files, masquerading as legitimate software, persuade the user to run them and infect the user's computer. Once launched, the bot connects to its C&C servers and uses them to update itself. The C&C server can also push other malware executables to the infected system to perform further tasks.
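The lure works because the user trusts the torrent's name rather than its contents. A cheap defensive check is to parse the .torrent metadata before downloading anything and flag torrents that advertise a movie but ship an executable (or a double-extension file such as Movie.mp4.exe). The following is an added example, not code from the original article and not Sathurbot's own tooling: a minimal bencode decoder/encoder, an info-hash calculation (useful for sharing an indicator of the swarm), and the triage checks. The sample torrent and its tracker URL are constructed for this example; the extension lists are assumptions, not a complete catalogue.

```python
"""Triage a .torrent file before trusting what it claims to contain.

Added example (not from the original article and not Sathurbot's own code):
a minimal bencode decoder/encoder, an info-hash calculation, and checks that
flag torrents which advertise a movie but ship an executable. The sample
torrent at the bottom is constructed for this example.
"""
import hashlib
import posixpath

# Assumed lists for illustration; extend for your environment.
EXEC_EXTS = {'.exe', '.scr', '.com', '.bat', '.cmd', '.msi', '.js', '.vbs', '.jar', '.pif'}
MEDIA_EXTS = {'.mp4', '.mkv', '.avi', '.mov', '.wmv', '.m4v'}


def bdecode(data):
    """Decode bencoded bytes (BEP 3). Dict keys and strings come back as bytes."""
    def parse(i):
        c = data[i:i + 1]
        if c == b'i':                                # integer: i<digits>e
            end = data.index(b'e', i)
            return int(data[i + 1:end]), end + 1
        if c == b'l':                                # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b'e':
                v, i = parse(i)
                items.append(v)
            return items, i + 1
        if c == b'd':                                # dict: d<key><value>...e
            d, i = {}, i + 1
            while data[i:i + 1] != b'e':
                k, i = parse(i)
                v, i = parse(i)
                d[k] = v
            return d, i + 1
        if c.isdigit():                              # byte string: <len>:<bytes>
            colon = data.index(b':', i)
            n, start = int(data[i:colon]), colon + 1
            return data[start:start + n], start + n
        raise ValueError(f'bad bencode at offset {i}')
    value, end = parse(0)
    if end != len(data):
        raise ValueError('trailing data after bencoded value')
    return value


def bencode(obj):
    """Encode ints, bytes, lists and dicts (bytes keys, sorted) as bencode."""
    if isinstance(obj, int):
        return b'i%de' % obj
    if isinstance(obj, bytes):
        return b'%d:%s' % (len(obj), obj)
    if isinstance(obj, list):
        return b'l' + b''.join(bencode(x) for x in obj) + b'e'
    if isinstance(obj, dict):
        return b'd' + b''.join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b'e'
    raise TypeError(f'cannot bencode {type(obj).__name__}')


def torrent_files(info):
    """Return [(path, length)] for both single-file and multi-file torrents."""
    name = info[b'name'].decode('utf-8', 'replace')
    if b'files' in info:
        return [(posixpath.join(name, *(p.decode('utf-8', 'replace') for p in f[b'path'])), f[b'length'])
                for f in info[b'files']]
    return [(name, info[b'length'])]


def triage(torrent_bytes):
    """Parse a .torrent and report payload properties that contradict its 'movie' appearance."""
    meta = bdecode(torrent_bytes)
    info = meta[b'info']
    files = torrent_files(info)
    # Info hash (what trackers and peers identify the swarm by): SHA-1 of the re-encoded info dict.
    info_hash = hashlib.sha1(bencode(info)).hexdigest()
    findings = []
    exts = {posixpath.splitext(p)[1].lower() for p, _ in files}
    for path, _ in files:
        ext = posixpath.splitext(path)[1].lower()
        if ext in EXEC_EXTS:
            findings.append(f'executable payload: {path}')
            inner = posixpath.splitext(posixpath.splitext(path)[0])[1].lower()
            if inner in MEDIA_EXTS:
                findings.append(f'double extension (media name, executable type): {path}')
    if exts & MEDIA_EXTS and exts & EXEC_EXTS:
        findings.append('torrent advertises media but bundles an executable')
    return {'name': info[b'name'].decode('utf-8', 'replace'),
            'info_hash': info_hash, 'files': files, 'findings': findings}


# Constructed sample: a "movie" torrent that also carries Movie.mp4.exe. Not a real Sathurbot torrent.
SAMPLE_TORRENT = bencode({
    b'announce': b'udp://tracker.example.invalid:6969/announce',
    b'info': {
        b'name': b'Some.Movie.2017.1080p',
        b'piece length': 16384,
        b'pieces': b'\x11' * 20,                     # one fake 20-byte piece hash
        b'files': [
            {b'path': [b'Some.Movie.2017.1080p.mp4'], b'length': 4_000_000},
            {b'path': [b'Some.Movie.2017.1080p.mp4.exe'], b'length': 350_000},
            {b'path': [b'Readme.txt'], b'length': 240},
        ],
    },
})

if __name__ == '__main__':
    report = triage(SAMPLE_TORRENT)
    print(report['name'], report['info_hash'])
    for finding in report['findings']:
        print(' -', finding)
```

Run it against any .torrent by passing `open(path, 'rb').read()` to `triage()`. The check is deliberately metadata-only: nothing is downloaded, so it can sit in front of a torrent client or run over a batch of files harvested from a compromised site. The info hash is the value worth recording when you want to track or block the swarm rather than one copy of the .torrent file.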