Botnet Trend Report 2019-10

September 14, 2020 | Adeline Zhang


For many years, large grey-market software supply chains on the Internet have shown how effective they are at promoting themselves. During download and installation, a given piece of software is often bundled with unnecessary software, or even malware.

Families of Promotion Channels and Their Profit-Making Ways

To pursue profits, promotion channels have begun to customize their own promotion downloader templates. Like trojan downloaders, such custom downloaders share the same traffic and behavior characteristics, forming a “promotion family”.

When a user runs the downloader, it downloads a large number of installation packages.

Unlike normal installation packages, the file names of these installation packages contain channel promotion information. Once the software is installed and resident on the system, it sends the promotion information contained in the file name to related servers. This is counted as the workload of the promotion channel, and the channel's profit is calculated based on that workload. Figure 2-16 shows promotion information contained in an installation package name.
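The two traits described above (one downloader writing many installers, each with channel information in its file name) can be combined into a simple endpoint detection. The following is an added example, not code from the report: the channel-tag pattern, the event tuple layout, the process names and the thresholds are all assumptions, since the real file name format appears only in Figure 2-16.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical tag shape: separator + channel keyword + numeric ID before the extension.
CHANNEL_TAG = re.compile(
    r"[_@\-.](?:ch|chan|channel|tg|pid|qd)[_\-=]?(\d{3,})\.(?:exe|msi)$", re.I
)

# Constructed file-creation events: (ISO timestamp, writing process, path written).
SAMPLE_EVENTS = [
    ("2019-09-03T10:00:01", "dl_helper.exe", r"C:\Users\a\AppData\Local\Temp\PlayerSetup_ch10432.exe"),
    ("2019-09-03T10:00:09", "dl_helper.exe", r"C:\Users\a\AppData\Local\Temp\InputTool@tg_88231.exe"),
    ("2019-09-03T10:00:20", "dl_helper.exe", r"C:\Users\a\AppData\Local\Temp\ZipTool-channel-5521.exe"),
    ("2019-09-03T10:02:00", "browser.exe", r"C:\Users\a\Downloads\7z1900-x64.exe"),
    ("2019-09-03T11:30:00", "browser.exe", r"C:\Users\a\Downloads\Game_ch777.exe"),
]


def find_bundle_droppers(events, window=timedelta(minutes=5), min_tagged=3):
    """Return {process: sorted channel IDs} for processes that wrote at least
    min_tagged channel-tagged installers within one sliding time window."""
    by_parent = defaultdict(list)
    for ts, parent, path in events:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        match = CHANNEL_TAG.search(name)
        if match:
            by_parent[parent].append((datetime.fromisoformat(ts), match.group(1)))

    findings = {}
    for parent, hits in by_parent.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= min_tagged:
                findings[parent] = sorted({tag for _, tag in hits})
                break
    return findings


if __name__ == "__main__":
    for proc, tags in find_bundle_droppers(SAMPLE_EVENTS).items():
        print(f"{proc}: dropped channel-tagged installers, IDs {tags}")
```

A single tagged installer downloaded through a browser is not flagged; only the burst from one writing process is, which keeps ordinary vendor installers with numeric suffixes from raising alerts.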

Types of Adware and Their Profit-Making Ways

Among promotion software, the so-called “must-have” applications (input tools, compressors, and so on) took the predominant place, and online game platforms, browsers, and video/live streaming applications took the remaining share.

Pop-ups are one of the important channels through which the preceding promotion software makes profits. Figure 2-17 shows the distribution of pop-ups by type.

On average, the dropped executable contains pop-up functions for one in three pieces of video/live streaming client software, a ratio of 0.3. For the so-called “must-have” installation software, this ratio is as high as 1.6. (Specifically, 64% of installation software produces 81% of pop-up advertisements.) This indicates that pop-up advertising is the main source of income for installation software.

These pop-ups are stripped-down browsers in nature. After multiple installation packages are installed, they produce pop-ups at the same time, consuming system resources and making the user's system unresponsive.

Black in White: Promotion Software Becoming a Channel for Spreading Malware

Shellcode for bypassing detection has been discovered in the promotion downloader and autostart services, which indicates that the clear boundary between promoted software and malware is beginning to blur.

Worse still, promotion has directly become a new way of spreading malware. In 2019 Q3, during the analysis of SoftCNApp, NSFOCUS Security Labs found that it had begun to spread Mint, an advertisement trojan. Mint can receive C&C commands, hijack browser homepages, display pop-ups, and download other promotion software. In addition, it can use various persistence mechanisms, such as automatic startup, forming a botnet bundled with advertisements.


Different types of malware, such as DDoS, cryptojacking, ransomware, banking Trojans, and adware, play different roles in compromising systems, reflecting the different motivations of cybercriminals. Generally, malware families compete with each other for resources or interests. However, with the industrialization of cybercrime, malware families with the same or different interests can also unite for the sake of a common interest. In this context, an infected device is often involved in multiple botnets and manipulated by different cybercriminal groups, and is thus exposed to more than one type of threat.

To be continued.