Avast researchers recently came across a link pointing to an executable file hosted on the Web site of the Board of Regents of the State of Louisiana. "Websites directly serving executable files without any installer, archive, and further information (hash, checksum…) are often interesting subjects for analysis," notes Avast's Jaromir Horejsi (h/t Softpedia).
The file connects to the legitimate Web site www.maxmind.com to get GeoIP information, downloads a Web counter, and connects the computer to the Sirefef peer-to-peer botnet, which doesn't use command and control servers. "Each member of this botnet has a list of several botnet peers with which it maintains the connection and communicates," Horejsi writes. "The botnet cannot be simply deactivated by disconnecting the main communication node, because there is no such node."
According to Horejsi, the Web counter is used to check the size of the botnet -- when Avast's testing computer downloaded the malware, it appeared to register more than 300,000 other infected machines.
"In this example we can see that even a binary downloaded from legitimate website can be malicious," Horejsi writes.