When classifying observations as Botnet Infection events, we use criteria similar to those used by antivirus vendors to differentiate malware from potentially exploited systems. The criteria include the capability and intent to install additional programs on the system without user consent.
Depending on the number of affected companies, we may:
- Perform an in-depth study.
- Document the malware family in an internal document or in our blog. This may include a short description of the malware and its capabilities.
- Use a list of samples and sandbox execution IOCs as evidence of maliciousness. These can be independently validated by any interested party.
- Kelihos: Used for Bitcoin theft and to send spam.
- Torpig: Designed to steal sensitive user data, such as usernames, passwords, login locations, and personal and corporate credit card information. It is typically spread by the Mebroot rootkit.
- Zeus: Steals specific types of data, such as banking information and other login credentials. It can also be used to install other malware, such as CryptoLocker ransomware.