Today we are going to talk about a nasty worm called Palevo.
Palevo (also known as Rimecud, Butterfly bot or Pilleuz) made some big press in 2009 when Panda Security announced the coordinated takedown of a huge botnet that they called Mariposa.
Since then the threat lost its media attention, but what most people don’t known is: Palevo is still a big player in the global threat landscape. According to FireEye, in 2010 Palevo was the top malware (# of infections) in the world:
Palevo is a so called bot kit that is being sold in underground forums (like ZeuS) using the name BUtterFly BOT. Therefore there are dozens of different botnets out there run by different criminal groups.
A further problem is the way Palevo communicates with its Command&Control server (C&C): The worm uses UDP and encrypts the data sent to the C&C server on (in most cases) a high port (e.g. 7700 UDP). The reason why Palevo uses UDP is simple: There is a bunch of Firewalls/Appliances out there which are poorly configured and therefore:
- aren’t logging UDP packets in the Firewall log
- allow UDP traffic by default
To keep it simple I’ve created Palevo Tracker as sub-project on AMaDa. This means that the Palevo Tracker blocklist is included in the AMaDa C&C Blocklist.