{"id":24677,"date":"2013-05-13T23:53:57","date_gmt":"2013-05-14T06:53:57","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=24677"},"modified":"2025-06-06T02:12:03","modified_gmt":"2025-06-06T09:12:03","slug":"travnet-botnet-controls-victims-with-remote-admin-tool","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/","title":{"rendered":"Travnet Botnet Controls Victims With Remote Admin Tool"},"content":{"rendered":"<p>The malicious binary behind the Travnet botnet has been updated. The new code has a new compression algorithm, steals the list of running processes, adds new file extensions to its list of files to steal, and has improved its control commands. Also, after the malware has uploaded the stolen files to its remote server, the bot installs the malicious PCRat remote administration tool (RAT), which can take full control of the victim\u2019s machine. The control server and the list of file extensions are hard coded in the binary and obfuscated with a simple XOR key. 
Here is a look at the hard-coded XOR-encoded strings and their decoded form:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_xored_strings.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-24678\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_xored_strings-300x85.png\" alt=\"travnet_xored_strings\" width=\"300\" height=\"85\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_xored_strings-300x85.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_xored_strings-1024x293.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_xored_strings.png 1250w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The bot steals files with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .rtf, .pdf, .dwg, .cdw, and .cdr as well as source code files such as \u201c.c\u201d from the victim\u2019s machine. The three new file extensions:<\/p>\n<ul>\n<li>.dwg = used by CAD applications<\/li>\n<li>.cdw = used by CAD applications<\/li>\n<li>.cdr = used by CorelDraw applications<\/li>\n<\/ul>\n<p>The bot copies the main binary into the %TEMP% folder with the name cmss.exe, creates the startup link seruvice.lnk, and creates the mutex Assassin. The old Travnet bot used to initially steal a lot of information about a victim\u2019s machine, but the new binary collects only the list of running processes on the system. 
Here is a snippet of code from the new binary:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_process_lists.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-24679\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_process_lists-273x300.png\" alt=\"travnet_process_lists\" width=\"273\" height=\"300\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_process_lists-273x300.png 273w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_process_lists.png 783w\" sizes=\"auto, (max-width: 273px) 100vw, 273px\" \/><\/a><\/p>\n<p>The bot creates process.dll in the %TEMP% folder and writes all running processes in it. The malware then compresses the file data using an algorithm similar to LZSS. The bot generates its own format with the magic string \u201cBegin\u201d and appends the compressed data to it. This formatted data is encoded with a custom Base64 algorithm before being sent over the wire.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travent_get_request1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-24682\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travent_get_request1-300x291.png\" alt=\"travent_get_request\" width=\"300\" height=\"291\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travent_get_request1-300x291.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travent_get_request1-32x32.png 32w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travent_get_request1.png 841w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<h2><b>New Algorithm<\/b><\/h2>\n<p>In my <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/travnet-botnet-steals-huge-amount-of-sensitive-data\">earlier blog<\/a>, I 
wrote about the old Travnet bot&#8217;s use of a variant of LZSS compression with a sliding window of 65KB. The output of the compression was straightforward, reading bits from the start to the end of the full stream. The new binary modifies this algorithm, using a 1,024-byte sliding window that requires a fixed 10 bits to store the offset. The algorithm outputs 9 bits for a single byte (1 bit for the flag and 9 bits for the literal) and 11 bits for the flag and offset. The length of the match is written in a special way. To make standard decompression difficult, the bot writes the output byte in a different way by writing MSB bits into LSB bits in the output. This means you can\u2019t treat the first bit of the whole stream as a flag bit. The compression algorithm needs to maintain a count of previously written bits to avoid losing all bits. Here is a look at the pseudo code for the new algorithm:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_new_algo.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-24684\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_new_algo-300x224.png\" alt=\"travnet_new_algo\" width=\"300\" height=\"224\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_new_algo-300x224.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_new_algo-1024x765.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_new_algo.png 1068w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The compressed data is appended to a 15-byte custom header:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_custom_header.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-24686\" 
src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_custom_header-300x116.png\" alt=\"travnet_custom_header\" width=\"300\" height=\"116\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_custom_header-300x116.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_custom_header.png 690w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The structure of the custom format:<\/p>\n<ul>\n<li>2 bytes = compressed length<\/li>\n<li>2 bytes = compressed length<\/li>\n<li>5 bytes = string \u201cBegin\u201d<\/li>\n<li>1 byte = space<\/li>\n<li>4 bytes = random number<\/li>\n<li>1 byte = space<\/li>\n<li>\u2026\u2026\u2026\u2026. compressed data<\/li>\n<\/ul>\n<p>The preceding data is encoded with a custom Base64 algorithm similar to the one used previously. This data is first sent over the network to the remote server in an HTTP GET request. The malicious control server replies with further commands. 
Decompressing the data using a new tool:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_tool_version2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-24688\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_tool_version2-300x153.png\" alt=\"travnet_tool_version2\" width=\"300\" height=\"153\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_tool_version2-300x153.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_tool_version2.png 674w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The decompressed text now looks like this:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_decompressed_list.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-24690\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_decompressed_list-300x162.png\" alt=\"travnet_decompressed_list\" width=\"300\" height=\"162\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_decompressed_list-300x162.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_decompressed_list.png 865w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>At this point, the attacker knows which processes are running on the victim\u2019s machine. The control server instructs the bot to upload important files. 
The bot scans all the drives for these files and creates index.ini, which contains the newly generated name and the path of each file:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_index_ini.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-24692\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_index_ini-300x174.png\" alt=\"travnet_index_ini\" width=\"300\" height=\"174\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_index_ini-300x174.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_index_ini.png 1003w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Thus the malware steals all of the important files from the victim\u2019s machine. The new binary has only two commands, namely uninstall and upload.<\/p>\n<h2><b>PCRat<\/b><\/h2>\n<p>Once the victim&#8217;s data has been uploaded, the control server instructs the bot to download and install the remote admin program PCRat, a malicious tool written in Chinese. I found a copy of the PCRat builder that supports English:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/pcrat_builder.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-24693\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/pcrat_builder-300x198.png\" alt=\"pcrat_builder\" width=\"300\" height=\"198\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/pcrat_builder-300x198.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/pcrat_builder.png 991w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Once installed, PCRat connects to a different remote control server on higher ports and sends information about the machine in encrypted format. 
Here is the packet capture:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/pcrat_get.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-24695\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/pcrat_get-300x82.png\" alt=\"pcrat_get\" width=\"300\" height=\"82\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/pcrat_get-300x82.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/pcrat_get.png 722w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>PCRat first sends an HTTP GET request followed by encrypted data:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/pcrat_encrypt_traffic.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-24696\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/pcrat_encrypt_traffic-300x153.png\" alt=\"pcrat_encrypt_traffic\" width=\"300\" height=\"153\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/pcrat_encrypt_traffic-300x153.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/pcrat_encrypt_traffic-1024x525.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/pcrat_encrypt_traffic.png 1205w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The structure of the PCRat encrypted data:<\/p>\n<ul>\n<li>5 bytes = magic string \u201cPCRat\u201d<\/li>\n<li>4 bytes = whole packet length<\/li>\n<li>4 bytes = compressed length of data<\/li>\n<li>\u2026 Zlib compressed data<\/li>\n<\/ul>\n<p>PCRat sends some information about the system. 
The decompressed data:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/pcrat_data.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-24697\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/pcrat_data-300x44.png\" alt=\"pcrat_data\" width=\"300\" height=\"44\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/pcrat_data-300x44.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/pcrat_data.png 449w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>PCRat has many commands to control the victim\u2019s machine:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/pcrat_cmmands.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-24699\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/pcrat_cmmands-254x300.png\" alt=\"pcrat_cmmands\" width=\"254\" height=\"300\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/pcrat_cmmands-254x300.png 254w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/pcrat_cmmands.png 767w\" sizes=\"auto, (max-width: 254px) 100vw, 254px\" \/><\/a><\/p>\n<p>The MD5 hashes:<\/p>\n<ul>\n<li>Updated Binary: 8D78A9E3DF1E19F9520F2BBB5F04CB54<\/li>\n<li>PCRat Binary: DA0C19DB8215D8CBF3D0FBA4A1A00183<\/li>\n<\/ul>\n<p>With the help of PCRat, the Travnet botnet takes full control of a victim\u2019s machine. The attackers behind Travnet are very active. Not only have they updated the main binary, but they are also randomly generating the .asp files that control the bot from their control servers. 
We have also seen that the attackers are actively restoring previous domains that were down and .asp files so that they can continue to collect data from previously infected machines.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The malicious binary behind the Travnet botnet has been updated. The new code has a new compression algorithm, steals the&#8230;<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[49,338],"coauthors":[3973],"class_list":["post-24677","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-botnet","tag-endpoint-protection"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Travnet Botnet Controls Victims With Remote Admin Tool | McAfee Blog<\/title>\n<meta name=\"description\" content=\"The malicious binary behind the Travnet botnet has been updated. The new code has a new compression algorithm, steals the list of running processes, adds\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Travnet Botnet Controls Victims With Remote Admin Tool | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"The malicious binary behind the Travnet botnet has been updated. 
The new code has a new compression algorithm, steals the list of running processes, adds\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2013-05-14T06:53:57+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-06T09:12:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/05\/travnet_xored_strings.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1250\" \/>\n\t<meta property=\"og:image:height\" content=\"358\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"Travnet Botnet Controls Victims With Remote Admin Tool\",\"datePublished\":\"2013-05-14T06:53:57+00:00\",\"dateModified\":\"2025-06-06T09:12:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/\"},\"wordCount\":849,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_xored_strings-300x85.png\",\"keywords\":[\"botnet\",\"endpoint protection\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/\",\"name\":\"Travnet Botnet Controls Victims With Remote Admin Tool | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_xored_strings-300x85.png\",\"datePublished\":\"2013-05-14T06:53:57+00:00\",\"dateModified\":\"2025-06-06T09:12:03+00:00\",\"description\":\"The malicious binary behind the Travnet botnet has been updated. The new code has a new compression algorithm, steals the list of running processes, adds\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_xored_strings-300x85.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/05\/travnet_xored_strings-300x85.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/travnet-botnet-controls-victims-with-remote-admin-tool\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other 
Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Travnet Botnet Controls Victims With Remote Admin Tool\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"url\":\"https:\/\
/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}