Skip to main content

Botnet found!


A few days ago I analyzed a suspicious program.
A friend of mine downloaded it thinking it was a utility.
The program apparently did nothing.
I disassembled the program and found many interesting things.
The program is a hidden remote control.
It works in this way:
1) It connects to a private irc server.
2) It joins an irc channel.
3) It waits there for commands.

There are 54 supported command in the "bot" ranging
from launching DDOS attacks to keystroke logging.

Obviously i recovered the bot(s) password and I could easily take over the whole botnet.
I then disguised as an "infected" bot and joined the channel.
I found more than 500 PCs waiting for commands there.

I think the number of infected PCs may range from 1000 to 10.000..

I don't know what to do now.
Who to report this?

If you have any clues, let me know.
Namaste,
Zibri

Labels:

Comments

  1. douglaslpsNovember 9, 2010 at 2:14 AM

    Aewsome!

    ReplyDelete
  2. UnknownNovember 10, 2010 at 7:44 AM

    Report to any police authority? Even I doubt they can do something, unless they already tail that...

    ReplyDelete
  3. ZibriNovember 10, 2010 at 10:51 AM

    Hmm.. yes.. but I wonder if there's something more specific and internet based.

    ReplyDelete
  4. QurtNovember 11, 2010 at 2:55 AM

    sell info to antivirus company like Symantec :-)

    ReplyDelete
  5. ZibriNovember 11, 2010 at 9:49 AM

    @Qurt: nice one. Do you have any contact?

    ReplyDelete
  6. AnonymousNovember 14, 2010 at 3:17 AM

    In my opinion a CERT (Computer Emergency Response Team) is the correct contact. A survey of European CERTs is available at http://www.enisa.europa.eu/act/cert/background/inv for example. Your feedback would be very appreciated.

    ReplyDelete
  7. UnknownNovember 20, 2010 at 6:50 AM

    Just for fun, u could invade the private irc server and take control of its admin machine :P leave a threatning message to never try that again :)

    Btw, what's the utility name so we can avoid downloading it?

    ReplyDelete
  8. ZibriNovember 20, 2010 at 9:32 AM

    It has multiple names.. Like a virus. It's not a specific one.

    I found it in a fake 3d game mod utility.

    ReplyDelete

Post a Comment

Popular posts from this blog

TP-LINK Configuration file encrypt and decrypt.

Here we go! TP-Link is another company that thinks that security by obscurity could ever work. If you "backup" the configuration from most TP-Link routers, you will get a .BIN file which is "encrypted". Use this utility below, to decrypt it (so you can edit it) and encrypt it again. Have fun. Drop files here or
24 comments
Read more

Powerline Ethernet fun and secrets.

Many 200 Mb/s powerline adapters nowadays are based on the INTELLON 6300 chipset. Despite what can be thought looking at them, they are all using the same hardware and firmwares. I heard many people with Netgear XAV101 or Linksys PLK 200 or PLE 200 having problems after firmware updates and many other people with other brands having much more problems because of lack of support or configuration/upgrade utilities. So let me explain a few things I learnt studying them. Many of 200 Mb/s powerline ethernet adapters follow the "HomePlug AV" standard. (85 Mb adapters use HomePlug 1.0 standard which is completely different). This standard uses ethernet broadcast packets using the HomePlug AV protocol. The interesting thing is that their firmware is made of two different parts: a .PIB file (Parameter Information Block) and a .NVM file (the code itself). In the P.I.B. there are many interesting things: The branding (mac address, device name, etc) and the tone map. I test
219 comments
Read more

Obfuscation will never work.

ml> Hello again, sweet readers ! OpenRG is an embedded OS for routers. It's based on Linux and it's inside many ISP routers out there. Inside OpenRG configuration file, passwords appear in a way that can seem to be crypted, but it's just obfuscated. For example: (username(admin)) (password(&b7;X&5c;&b9;&a2;)) Above you can see a simple deobfuscator. Enjoy! You can try it with: &ad;Y&5b;&b3;&a3;&17;T&8b;&c4;&b9;#&96;&04;c&ea;&1d;$%&5d;&16;&08;B3&c0; :) Zibri.
26 comments
Read more