# Collecting Malicious Particles from Neutrino Botnets

Jakub Souček (ESET), Jakub Tomanek (ESET), Peter Kálnai (ESET)

journal.cecyf.fr/ojs/index.php/cybin/article/view/22

DOI: [https://doi.org/10.18464/cybin.v4i1.22](https://doi.org/10.18464/cybin.v4i1.22)

Keywords: Neutrino Bot, Kasidet, bot, botnet, reverse engineering

## Abstract

Neutrino Bot (also known and detected as Win/Kasidet) is a rapidly changing threat. It first became known around December 2013 and has been actively developed ever since, reaching version 5.4 at the very beginning of 2018. It is sold at an attractive price to a wide variety of cybercriminals. This paper gives an extensive summary of the bot's history while focusing on the most recent versions. It presents methods for analysing Neutrino botnets and provides key findings discovered during 2018.
[PDF](https://journal.cecyf.fr/ojs/index.php/cybin/article/view/22/24)

Published: 2018-12-10

Issue: [Vol 4 No 1 (2018): Botconf 2018](https://journal.cecyf.fr/ojs/index.php/cybin/issue/view/5)

Section: Conference proceedings

Copyright (c) 2018 Jakub Souček, Jakub Tomanek and Peter Kálnai. [This work is licensed under a Creative Commons Attribution 4.0 International License.](http://creativecommons.org/licenses/by/4.0/)