Microsoft Digital Crimes Unit disrupts Jenxcus and Bladabindi malware families


Today, following an investigation to which the Microsoft Malware Protection Center (MMPC) contributed, the Microsoft Digital Crimes Unit initiated a disruption of the Jenxcus and Bladabindi malware families. These families are believed to have been created by individuals Naser Al Mutairi, aka njQ8, and Mohamed Benabdellah, aka Houdini. These actions are the first steps to stop the people who created, distributed, and assisted the propagation of these malware families.

There are more details about the takedown itself in the latest blog from the Microsoft Digital Crimes Unit.

At the MMPC we have been monitoring both malware families for some time. We have observed the Bladabindi family since at least July 2012. Jenxcus came onto the scene as early as December 2012. During the past year, Microsoft detected more than 7,486,833 instances of computers operating Microsoft Windows with some version of Bladabindi or Jenxcus.

Malware heat map

Figure 1: Heat map showing the global impact of Bladabindi and Jenxcus during the past year

Jenxcus machine count

Figure 2: Machine encounters per month for Jenxcus

Bladabindi machine count

Figure 3: Machine encounters per month for Bladabindi

These families can install backdoor trojans on your computer, which allow criminals to steal your information, such as your passwords, and use your computer to collect other sensitive information. For example, Bladabindi can take snapshots and record videos without your permission. It can also control your system remotely.

These backdoor trojans can also upload new components or malware to your computer to add more malicious functionality. They often communicate with command-and-control hosts registered through a dynamic DNS service such as NO-IP, because this makes them more difficult to trace.
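As an added example (not part of the original post and not Microsoft's tooling), the following Python scans DNS resolver log lines for lookups of hostnames under dynamic DNS zones and flags clients that resolve the same such name repeatedly, the pattern a backdoor beaconing to a dynamic DNS control host would leave. The log format, the sample lines and the zone watch-list are assumptions constructed for the example; NO-IP is the provider the post names, but the specific zones should come from your own threat intelligence.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not real data); one query per line.
SAMPLE_DNS_LOG = """\
2014-06-30T08:00:01Z client=10.0.0.5 qtype=A qname=update.windows.com
2014-06-30T08:00:05Z client=10.0.0.5 qtype=A qname=sales-report.no-ip.biz
2014-06-30T08:05:05Z client=10.0.0.5 qtype=A qname=sales-report.no-ip.biz
2014-06-30T08:10:05Z client=10.0.0.5 qtype=A qname=sales-report.no-ip.biz
2014-06-30T08:11:00Z client=10.0.0.9 qtype=A qname=guild-voice.hopto.org
2014-06-30T08:12:00Z client=10.0.0.7 qtype=A qname=www.example.com
"""

# Assumed watch-list of dynamic DNS zones. Illustrative only; replace with the
# zones your own intelligence considers relevant.
DYNDNS_ZONES = ("no-ip.org", "no-ip.biz", "no-ip.info", "ddns.net", "hopto.org", "zapto.org")

# Assumed log layout: "<timestamp> client=<ip> qtype=<type> qname=<name>".
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$")


def parse_dns_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_dyndns(qname):
    """True when qname is a zone on the watch-list or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in DYNDNS_ZONES)


def find_dyndns_lookups(text, min_repeats=3):
    """Return (lookups, beacons).

    lookups: {client: {qname: count}} for every dynamic DNS name each client resolved.
    beacons: [(client, qname, count)] for names a client resolved min_repeats times
             or more, the repeated resolution a beaconing backdoor produces.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for rec in parse_dns_log(text):
        if is_dyndns(rec["qname"]):
            counts[rec["client"]][rec["qname"].lower()] += 1
    beacons = [
        (client, qname, n)
        for client, names in counts.items()
        for qname, n in names.items()
        if n >= min_repeats
    ]
    return {client: dict(names) for client, names in counts.items()}, beacons


if __name__ == "__main__":
    lookups, beacons = find_dyndns_lookups(SAMPLE_DNS_LOG)
    for client, qname, n in beacons:
        print(f"{client} resolved {qname} {n} times; review the process making the queries")
```

Dynamic DNS is also used by plenty of legitimate services (the guild voice server in the sample stands in for that), so a hit is a triage lead to correlate with the resolving process and its outbound connections, not a verdict on its own.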

Control dashboard

Figure 4: An example dashboard showing how an attacker controls infected machines

Malware commands

Figure 5: The possible commands available to the malware writer

These malware families spread primarily through social engineering techniques that try to trick unsuspecting victims into carrying out some action which results in their computer getting infected. For example, Bladabindi can be installed when you:

  • Visit a hacked website.
  • Click on a malicious link in a social media message.
  • Receive and open an email “sent” by friends and family who have been infected with the malware.

Bladabindi also plants files with enticing names and icons on removable media and linked drives to lure new victims. There are more examples of these techniques in our blog MSRT January 2014 – Bladabindi.

Most Jenxcus infections occur through torrents and websites when the malware is bundled with other programs or videos. Jenxcus also tries to trick you into installing it by pretending to be a Flash update that you need to install before watching a video. After infecting a computer, Jenxcus leaves enticing shortcut files on removable media that look like songs or other personal files. When opened, these files run a copy of the malware.
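As an added example (not from the post and not the MMPC's tooling), here is a Python check a responder could run over a mounted removable drive to surface shortcut files whose names imitate songs, photos or documents, the lure pattern both families leave on removable media as described above. The extension list, the directory layout and the sample drive contents are constructed for the example; the magic bytes are the standard header of a Windows shell link (.lnk) file.

```python
import tempfile
from pathlib import Path

# Every Windows shell link begins with HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Assumed list of file types a lure typically imitates.
LURE_EXTS = {".mp3", ".mp4", ".avi", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".pdf", ".txt"}


def is_shell_link(path):
    """True when the file starts with the shell link header."""
    try:
        with open(path, "rb") as f:
            return f.read(len(LNK_MAGIC)) == LNK_MAGIC
    except OSError:
        return False


def scan_removable_root(root):
    """Return sorted [(relative path, (reasons...))] for suspicious shortcut files.

    A shortcut is flagged when its name carries a second extension that mimics a
    media or document file ("My Song.mp3.lnk"). If a file with the imitated name
    sits beside it, that is noted too: lures are often dropped next to the real
    file they impersonate.
    """
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() != ".lnk":
            continue
        reasons = []
        inner_ext = Path(p.stem).suffix.lower()  # "My Song.mp3.lnk" -> ".mp3"
        if inner_ext in LURE_EXTS:
            reasons.append(f"double extension mimics {inner_ext} file")
            if p.with_suffix("").exists():  # "My Song.mp3" beside "My Song.mp3.lnk"
                reasons.append("a file with the same name sits beside it")
        if reasons and not is_shell_link(p):
            reasons.append("not a valid shell link header")
        if reasons:
            findings.append((p.relative_to(root).as_posix(), tuple(reasons)))
    return findings


def build_sample_drive(dirpath):
    """Populate dirpath with a constructed removable-drive layout (sample data)."""
    d = Path(dirpath)
    (d / "Holiday Photos.jpg.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)  # lure
    (d / "Holiday Photos.jpg").write_bytes(b"\xff\xd8\xff")               # real photo beside it
    (d / "My Song.mp3.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)         # lure
    (d / "Budget.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)              # ordinary shortcut
    (d / "notes.txt").write_text("plain file")                             # ordinary file
    return d


def demo():
    """Build the sample drive in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_drive(d)
        return scan_removable_root(d)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```

The name heuristic is deliberately coarse: on a real drive, follow a hit by reading the shortcut's target and arguments rather than trusting the icon or the displayed name.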

Through our research we have observed that there is information available in public online forums and group discussions, including tutorials, which allow anyone to download a package and create their own versions of the malware. This makes Bladabindi and Jenxcus a bit different from the previous botnets we have seen. A traditional botnet usually has one command-and-control (CNC) server to control all infected machines. In the case of Bladabindi and Jenxcus there can be a syndicate of botnets and thousands of botnet herders.

CnC communication

Figure 6: The communication method of the CNC and the infected system

Microsoft added Bladabindi to the Malicious Software Removal Tool in January 2014. Jenxcus was added to the MSRT in February 2014. However, with aggressive infection and distribution methods, the malware authors and the distribution system behind them have continued to affect thousands of Microsoft customers every day.

Anyone concerned that their computer is infected with malware should follow the guidance available from the Microsoft Support Virus and Security Center. To help stay protected we also recommend that you install an up-to-date, real-time protection security product such as Microsoft Security Essentials.

Tanmay Ganacharya and Francis Tan Seng

MMPC


Comments (15)

  1. Mark Celis says:

    this must be apprehended..

  2. for you says:

    [tag:REKT]
    I just love how they do this.

  3. user1 says:

    Thank you for blocking my dynamic domain on no-ip.com. Now I wonder who will pay for the reconfiguration of hardware at the user – Microsoft?

    Greetings from Poland

  4. Gary Balkam says:

    I use my no-ip domain to connect my warcraft guild to my PERSONAL voice over IP murmur server. THIS ACTION, OF SEIZING NO-IP DOMAINS IS A DIRECT DENIAL OF SERVICE ATTACK affecting ME and millions of other legitimate users. I have never even heard of these
    malwares and worms, and it is up to microsoft to FIX THEIR *** so that worms do not work on THEIR OS PLATFORMS, which, they are PAID to provide!!! I hold microsoft responsible to fix their security issues that allow these worms etc to work. HOTMAIL has been
    used for YEARS to propagate virus and malware, as well as windows messenger and MSN messenger and now skype messenger. Has microsoft taken action against any of these services? Have they fixed THEIR OWN services that have been plaguing end users for many many
    years with virii, malware, worms, and spreading these infections? Not that I have ever seen.

  5. disconnected says:

    breaking all of no-ip.org service to millions of customers is one of M$'s biggest blunders in modern times.

    -A

  6. TFTP 3828 & TFTP 124 says:

    The Digital Time Stamped Property Sheets document Trivial File Transfer Protocol
    TFTP124 Spybot Worm Virus Created 10/22/01 Microsoft Corporation Redmond Washington
    TFTP3828 Randex Worm Virus " " " " " " "
    clowns posing as Microsoft Digital Crimes Unit investigators tell a fictitious fairytale. CIA Operatives fulfilling their Satanic New World Order agenda…..

  7. Microsoft Bullshit says:

    A racist crock of absolute bullsh*t, by Microsoft Corp's imaginary investigators perpetrating fraud.

  8. still down says:

    Well done MickeySh*t!
    My no-ip is still down.

    Thanks for screwing up a few million users instead of fixing the security holes in your own f*****ing OS.

  9. pot - kettle ? says:

    I get several hundreds of trojans/spam/malware a month from Hotmail and Outlook users.
    Please tell me where I can get the control of these 2 domains so I can clean these up.

  10. the end of days says:

    microsoft dying….LINUX RULZ….
    broke my and my customers noip BUT MIKROTIK HAS CLOUD DOMAIN no more registrations just one click and have a (bit complicated) but static domain….
    thanks microsoft one of my customers has 40 machines with windows and 2 servers also which will migrate to linux so no more paying bullshits…and i get my payment for migrating the machines…
    OPEN SOURCE THE FUTURE!!!

  11. Poor Excuse says:

    I hope WikiLeaks will publish the documents that suggest these virus families were just used by MS as a timely excuse to shut down no-ip.org in order to implement changes that will assist in squeezing more profits out of the domain. The critical user mass
    has been acquired – time to reap.

  12. GimmeGrohl says:

    Is there a website or book or any other place I can find easy to understand and follow instructions on how to put Linux on my laptop and get rid of Microsoft? I am completely clueless about everything concerning my laptop, aside from the very
    basic stuff, but reading the above posts has convinced me that Microsoft is on board with the new world order world domination plan. Maybe they're not THAT extreme, but in my opinion, they're right up there with Big Pharmaceuticals and Big Medicine. That
    being said, I'd really just like not to have to worry so much about the worms and viruses, spyware and malware

  13. JEHO says:

    GRACIAS

  14. Dymon says:

    I hate dis virus its making my PC operations 2 b difficult

  15. CommonSense says:

    The point is that you as the user are the security hole and as long as you exist hackers will find ways to exploit your stupidity.
    Microsoft is trying to stop the baby from choking on its own food and the baby gets angry for not being allowed to experiment.