Skip to main content

Botnet found!


A few days ago I analyzed a suspicious program.
A friend of mine downloaded it thinking it was a utility.
The program apparently did nothing.
I disassembled the program and found many interesting things.
The program is a hidden remote control.
It works in this way:
1) It connects to a private irc server.
2) It joins an irc channel.
3) It waits there for commands.

There are 54 supported command in the "bot" ranging
from launching DDOS attacks to keystroke logging.

Obviously i recovered the bot(s) password and I could easily take over the whole botnet.
I then disguised as an "infected" bot and joined the channel.
I found more than 500 PCs waiting for commands there.

I think the number of infected PCs may range from 1000 to 10.000..

I don't know what to do now.
Who to report this?

If you have any clues, let me know.
Namaste,
Zibri

Labels:

Comments

  1. douglaslpsNovember 9, 2010 at 2:14 AM

    Aewsome!

    ReplyDelete
  2. UnknownNovember 10, 2010 at 7:44 AM

    Report to any police authority? Even I doubt they can do something, unless they already tail that...

    ReplyDelete
  3. ZibriNovember 10, 2010 at 10:51 AM

    Hmm.. yes.. but I wonder if there's something more specific and internet based.

    ReplyDelete
  4. QurtNovember 11, 2010 at 2:55 AM

    sell info to antivirus company like Symantec :-)

    ReplyDelete
  5. ZibriNovember 11, 2010 at 9:49 AM

    @Qurt: nice one. Do you have any contact?

    ReplyDelete
  6. AnonymousNovember 14, 2010 at 3:17 AM

    In my opinion a CERT (Computer Emergency Response Team) is the correct contact. A survey of European CERTs is available at http://www.enisa.europa.eu/act/cert/background/inv for example. Your feedback would be very appreciated.

    ReplyDelete
  7. UnknownNovember 20, 2010 at 6:50 AM

    Just for fun, u could invade the private irc server and take control of its admin machine :P leave a threatning message to never try that again :)

    Btw, what's the utility name so we can avoid downloading it?

    ReplyDelete
  8. ZibriNovember 20, 2010 at 9:32 AM

    It has multiple names.. Like a virus. It's not a specific one.

    I found it in a fake 3d game mod utility.

    ReplyDelete

Post a Comment

Popular posts from this blog

TP-LINK Configuration file encrypt and decrypt.

Here we go! TP-Link is another company that thinks that security by obscurity could ever work. If you "backup" the configuration from most TP-Link routers, you will get a .BIN file which is "encrypted". Use this utility below, to decrypt it (so you can edit it) and encrypt it again. Have fun. Drop files here or
24 comments
Read more

Huawei E585 Unlock download!

Here is the unlocker for you to download! Highlights: 1) very fast (2-3 seconds) 2) Compatible with Xp, Vista and Win7 3) easy to use. Instructions: Download the program. Run the program. Donate via paypal and PASTE the  confirmation number  of your donation. The transaction id should work after a minute from your donation. Donate using the window opened by the program. The code will work only on the PC you run the program. This program works only with Huawei E585. Send me an email if you need an unlimited version. (Unlimited number of unlocks) Note: If the program says "Connect card." that means that E585 drivers are not installed correctly. Remove any "wifi manager" and old drivers, then reinstall E585 drivers from it's virtual cdrom. Please be sure that you have run "autorun.exe" which should have appeared in a pop-up window when you first inserted the Mifi.  This is required to install all the drivers that are needed for the modificatio...
226 comments
Read more

Huawei E585 Unlock download!!!

Here is the unlocker for you to download! Highlights: 1) very fast (2-3 seconds) 2) Compatible with Xp, Vista and Win7 3) easy to use. Instructions: Download the program. Donate via paypal and PASTE the confirmation number  of your donation. The transaction id should work after a minute from your donation. Donate using the window opened by the program. The code will work only on the PC you run the program. This program works only with Huawei E585. Send me an email if you need an unlimited version. (Unlimited number of unlocks) Note: If the program says "Connect card." that means that E585 drivers are not installed correctly. Remove any "wifi manager" and old drivers, then reinstall E585 drivers from it's virtual cdrom. Please be sure that you have run "autorun.exe" which should have appeared in a pop-up window when you first inserted the Mifi.  This is required to install all the drivers that are needed for the modification.  If you have ...
187 comments
Read more