Let's create some awareness. Attached my sample collection, the latest one is version 761 and was compiled 10 days ago. MultiBanker (also called Patcher, BankPatch / BankPatcher) is still active (as fuck) and stealing people's money - I no like that. Older versions used to modify system DLLs but current versions all just write themselves into the winlogon registry key. It drops itself to %AppData%\appconf32.exe (but also comes with specific BHOs) and can be removed easily. MultiBanker is a very targeted operation, hence you don't read anything on AV blogs. AVs obviously don't care for such small botnets where only a few thousands of infected machines are involved while there are millions of infections on spam botnets and more noisy stuff like ZeuS/TDL4/etc. Here is an overview of the samples I've analyzed:
Version  Date compiled  Date domain registered  Command & Control server
335      01-26-2011     03-28-2011              aaaadminmont.com
358      03-01-2011     05-04-2011              okrpdminmont.com
381      03-29-2011     06-02-2011              ekmxefnomosk.com
663      04-15-2012     04-16-2012              uuqzggelds.com
688      05-21-2012     05-21-2012              kcknierihon.com
688      05-21-2012     05-20-2012              eifxednog.com
688      05-21-2012     05-20-2012              zhikedsafe.com
689      05-22-2012     05-22-2012              cccaedsafe.com
714      06-28-2012     06-28-2012              syskesroater.com
743      08-01-2012     07-31-2012              ucwbierihon.com
745      08-04-2012     08-04-2012              cwebierihon.com
761      08-21-2012     08-20-2012              kyyrierihon.com
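
A triage check for the persistence described in the post, added here as an example and not part of the original post: it flags Winlogon entries that reference appconf32.exe or run from an AppData path. The post only says "the winlogon registry key", so checking the Shell and Userinit values is an assumption, the function names are hypothetical, and the sample data is constructed.

```python
import ntpath

# Stock values on a clean Windows install (compared case-insensitively).
DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}
DROP_NAME = "appconf32.exe"  # file name given in the post

def suspicious_entries(values):
    """Return (value_name, entry, reason) for Winlogon entries worth a look."""
    findings = []
    for name, data in values.items():
        allowed = DEFAULTS.get(name.lower())
        if allowed is None:
            continue  # only Shell and Userinit are checked (assumption)
        for entry in data.split(","):  # both values accept comma-separated lists
            entry = entry.strip().strip('"')
            if not entry:
                continue  # the stock Userinit value ends with a comma
            low = entry.lower()
            if ntpath.basename(low) == DROP_NAME:
                findings.append((name, entry, "dropper file name from the post"))
            elif "\\appdata\\" in low or "%appdata%" in low:
                findings.append((name, entry, "runs from an AppData path"))
            elif low not in allowed:
                findings.append((name, entry, "not a stock value"))
    return findings

def read_winlogon(hive_name="HKEY_LOCAL_MACHINE"):
    """Read Shell and Userinit from the live registry (Windows only)."""
    import winreg
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    out = {}
    with winreg.OpenKey(getattr(winreg, hive_name), path) as key:
        for name in ("Shell", "Userinit"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not set in this hive
    return out

# Constructed sample: a clean Shell and a Userinit with an appended entry.
SAMPLE = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\bob\AppData\Roaming\appconf32.exe",
}
```

On a Windows host, `suspicious_entries(read_winlogon())` checks the machine hive; pass `"HKEY_CURRENT_USER"` to check the per-user key as well.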