{
	"id": "bc7fb51b-37ff-4596-b20f-8dd87569ed57",
	"created_at": "2026-04-06T00:21:25.026671Z",
	"updated_at": "2026-04-10T03:21:36.558617Z",
	"deleted_at": null,
	"sha1_hash": "613abe762baf8717009181144c2e8c6bb19e79fe",
	"title": "Cycbot: Ready to Ride",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 336486,
	"plain_text": "Cycbot: Ready to Ride\r\nBy David Harley\r\nArchived: 2026-04-05 22:46:26 UTC\r\nAlthough the “Ready to Ride” group originated in Russia, it distributes Win32/Cycbot outside the borders of the Russian Federation. Going by the prices per installation, the primary target of the group is the US.\r\n14 Jul 2011 • 2 min. read\r\nMy Russian colleagues Aleksandr Matrosov and Eugene Rodionov report that recently a cybercrime group called “Ready to Ride” has attracted their attention by distributing malware of the Win32/Cycbot family. This group started in the fall of last year, judging from the domain name registration date: readytoride.su was registered on 8th September 2010.\r\nIts primary activities were substitution (index hijacking) of search engine results (Google, Bing, Yahoo) and clickjacking (hijacking the user's mouse-clicks and routing them invisibly to another page).\r\n(We've written previously about Win32/Glupteba (https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs), which was another example of malware used to drive BlackHat SEO (Search Engine Optimization).)\r\nAlthough the “Ready to Ride” group originated in Russia, it distributes Win32/Cycbot outside the borders of the Russian Federation. Going by the price per installation (see Figure 1), the primary target of the group is the US.\r\nFigure 1\r\nWin32/Cycbot is distributed using a well-known PPI (Pay Per Install) scheme. To download the malicious executable, each partner uses the URL it has paid for, which generally looks like this:\r\nhxxp://1231.readytoride.su/adv.php?login=[partner_name]\u0026key=[partner_key]\u0026subacc=[partner_id]\r\nhttps://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/\r\nPage 1 of 4\r\nAfter the bot has been successfully activated, it submits its current status to the C\u0026C (Command and Control) server from which it gets its instructions (SEND_INSTALL_REPORT_TM):\r\nid=[bot_id]\u0026hwid=[hardware_id]\u0026step=[status]\u0026wd=[win_ver]\u0026av=[av_name]\r\nWhile collecting information about the infected system, it determines what antivirus software (if any) is being used by looking for a corresponding process name. Here is the list of AV software which the malware checks for:\r\nFigure 2\r\nThe C\u0026C URLs are hardcoded into the Win32/Cycbot executable and are updated when a new version of Win32/Cycbot is downloaded:\r\nFigure 3\r\nThe bot is able to:\r\ndownload executables\r\ncreate new processes or new threads in an existing process\r\nterminate processes and threads\r\ncheck bot status in case one of the components was shut down\r\nclick on the links on a web page\r\ninject JavaScript into web pages, substituting links and modifying HTML\r\ndelete executables and downloaded files when instructed by the C\u0026C server.\r\nBy means of injecting JavaScript, diverting web searches, and modifying HTML code, it is able to pass itself off as a user surfing web pages, so as to counteract systems intended to block clickjacking.\r\nIt is worth mentioning that the bot modifies the settings of the most popular browsers (Internet Explorer, Opera, Firefox). For instance, it modifies the file prefs.js, used by the Firefox web browser to hold browser settings and preferences, adding information about which proxy server to use. Similarly, it sets up a proxy using the HTTP protocol (127.0.0.1:[port_number]) for other browsers.\r\nFigure 4\r\nThe bot’s central component dispatches tasks received from the C\u0026C server to other components:\r\nFigure 5\r\nWin32/Cycbot is a multithreaded application, and just a single instance of the bot can handle dozens of tasks, clicking advertisements or poisoning web searches. Here is an example of the bot’s network activity, captured over several minutes.\r\nFigure 6\r\nDavid Harley, Senior Research Fellow\r\nAleksandr Matrosov, Senior Malware Researcher\r\nEugene Rodionov, Malware Researcher\r\nSource: https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/"
	],
	"report_names": [
		"cycbot-ready-to-ride"
	],
	"threat_actors": [],
	"ts_created_at": 1775434885,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/613abe762baf8717009181144c2e8c6bb19e79fe.pdf",
		"text": "https://archive.orkl.eu/613abe762baf8717009181144c2e8c6bb19e79fe.txt",
		"img": "https://archive.orkl.eu/613abe762baf8717009181144c2e8c6bb19e79fe.jpg"
	}
}