New DIY HTTP-based botnet tool spotted in the wild


What are cybercrime-facilitating programmers up to when they’re not busy fulfilling custom orders? Releasing user-friendly DIY (do-it-yourself) tools that give anyone an easy entry into the world of cybercrime, and securing their revenue streams by actively advertising those tools across closed, cybercrime-friendly Web communities.

In this post, I’ll profile a recently advertised DIY HTTP-based botnet tool that allows virtually anyone to operate their own botnet.

More details:

Sample login page of the DIY HTTP-based botnet tool:

DIY_Botnet_Malware_Mexico_Cybercrime

Sample statistics page:

DIY_Botnet_Malware_Mexico_Cybercrime_01

As you can see in the attached screenshot, the botnet master has already managed to infect 232 hosts, 130 of which are based in Spain and are running Windows XP.

Sample commands list:

DIY_Botnet_Malware_Mexico_Cybercrime_02

Sample commands list, part two:

DIY_Botnet_Malware_Mexico_Cybercrime_03

The bot has a built-in pharming feature: it rewrites the infected machine’s hosts file so that targeted banking domains resolve to attacker-controlled addresses, and the victim lands on a fake site while the browser still shows the real domain name. Compared to modern crimeware releases this is a somewhat outdated approach to stealing account data, but it remains highly effective on hosts whose users aren’t aware of how the process actually works.
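The check a responder would run for this kind of pharming, as an added example that is not part of the original post or of the tool itself: it parses a constructed Windows hosts file and flags any entry that points a name at a routable address. The file contents, the bank domains in the watched list and the 192.0.2.10 address are all illustrative placeholders; the page does not disclose the bot’s real target list.

```python
import ipaddress

# Constructed sample of a Windows hosts file (not taken from a real infection):
# the stock Microsoft entries, an ad-blocker sinkhole, an intranet alias, and
# three lines of the kind a hosts-pharming bot appends. All names and addresses
# are illustrative placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test            # ad-blocker sinkhole, harmless
10.0.0.5        intranet.corp.test          # internal alias, harmless
192.0.2.10      www.examplebank.test        # appended by the bot
192.0.2.10      online.examplebank.test     # appended by the bot
192.0.2.10      update.example.test         # appended by the bot
"""

# Hypothetical list of domains the defender cares about (the bot's real target
# list is not disclosed on the page).
WATCHED_DOMAINS = ["examplebank.test"]

# Addresses that legitimately appear in a hosts file: loopback, the 0.0.0.0
# sinkhole, link-local and RFC 1918 / ULA space. Anything else is routable and
# means the name is being sent off-box.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/32", "127.0.0.0/8", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]


def parse_hosts(text):
    """Return (address, hostname) pairs, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # hosts files use '#' for comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]   # one address, one or more names
        for name in names:
            entries.append((address, name.lower()))
    return entries


def is_local_target(address):
    """True if the address is one a hosts entry normally points at (no redirect off-box)."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in LOCAL_NETS)


def find_pharming(text, watched_domains=WATCHED_DOMAINS):
    """Flag hosts entries that send a name to a routable address.

    Returns (address, name, reason) tuples: 'watched-domain-redirected' when the
    name is a watched domain or one of its subdomains, 'routable-override' for
    any other off-box mapping, 'unparseable-address' for malformed lines.
    """
    hits = []
    for address, name in parse_hosts(text):
        try:
            if is_local_target(address):
                continue
        except ValueError:
            # A hosts entry must be a literal address; anything else is worth a look.
            hits.append((address, name, "unparseable-address"))
            continue
        watched = any(name == d or name.endswith("." + d) for d in watched_domains)
        hits.append((address, name,
                     "watched-domain-redirected" if watched else "routable-override"))
    return hits


if __name__ == "__main__":
    for hit in find_pharming(SAMPLE_HOSTS):
        print(hit)
```

On a live Windows host the same function can be pointed at the contents of `%SystemRoot%\System32\drivers\etc\hosts`. Sinkhole entries to 0.0.0.0 or 127.0.0.1, which ad blockers and hardening scripts add by the thousand, are deliberately ignored, so the check stays quiet on clean machines and only speaks up when a name is being redirected off the box.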

Sample settings page:

DIY_Botnet_Malware_Mexico_Cybercrime_04

Actual description of the DIY HTTP-based botnet tool:

Coded in Visual Basic Script 6.0

Connect:

* – Domain 4 connections
* – Mutex (anti double execution)
* – Access Key Exe (server with password)
* – Anti-analyzers (10-20 PCs locked: USA, ROMANIA, CHINA, GERMANY, ETC)
* – Description of the server for updates (registers exe version)
* – Melt function
* – Connection time 120 seconds (more than 1GB RAM VPS-10k)

Build options:

* – Download and run in hidden mode
* – Upgrade Server (needs key exe): downloads the new server.exe, removing the current one so it is replaced by the new volk or some other botnet; the volk will be removed from Windows startup.
* – Remove Bot

Explorer options:

* – Navigate Website (Visible): bots visit a URL with the default browser
* – Visit Website (Hidden): bots visit a URL in hidden mode

Banking Options:

* – Hosts Pharming (win32): bots are modified to visit a fake web IP/domain

WebPanel Options:

* – Command (Run Command): run by bots selected by Shuffle, Country, Builder, Operating System, or all bots
* – User Settings: option to change the web panel password and add users with permissions (manager or just modding)
* – BOTLIST: displays the bot name, IP, country, operating system, build, and last connection exe info
* – Statistics: displays total bots, online bots, offline bots, connected bots
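The fixed 120-second connection time advertised above is the kind of regularity a network defender can key on, since a bot that phones home on a timer looks nothing like a person browsing. As an added example (mine, not the post’s or the tool’s), the following parses constructed web-proxy log lines, computes the inter-request intervals for each client and destination pair, and flags pairs whose timing is nearly constant. The log format, the `panel.example.test` hostname and the `/gate.php` path are made up; the page does not disclose the bot’s actual request format, so the detection keys on timing alone.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy log lines (not real traffic): "timestamp client host path".
# Client 10.1.1.20 checks in with a (hypothetical) panel every ~120 s with a few
# seconds of drift; client 10.1.1.31 browses a news site at irregular intervals.
SAMPLE_PROXY_LOG = """\
2012-06-01T10:00:00 10.1.1.20 panel.example.test /gate.php
2012-06-01T10:00:15 10.1.1.31 news.example.test /
2012-06-01T10:02:01 10.1.1.20 panel.example.test /gate.php
2012-06-01T10:02:40 10.1.1.31 news.example.test /article/1
2012-06-01T10:04:00 10.1.1.20 panel.example.test /gate.php
2012-06-01T10:05:59 10.1.1.20 panel.example.test /gate.php
2012-06-01T10:06:10 10.1.1.31 news.example.test /article/7
2012-06-01T10:08:02 10.1.1.20 panel.example.test /gate.php
2012-06-01T10:10:00 10.1.1.20 panel.example.test /gate.php
2012-06-01T10:11:45 10.1.1.31 news.example.test /
2012-06-01T10:12:01 10.1.1.20 panel.example.test /gate.php
2012-06-01T10:13:05 10.1.1.31 news.example.test /article/9
2012-06-01T10:13:20 10.1.1.31 news.example.test /article/2
2012-06-01T10:14:00 10.1.1.20 panel.example.test /gate.php
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split()
        records.append((datetime.fromisoformat(ts), client, host))
    return records


def find_beacons(text, min_requests=6, max_jitter=0.1):
    """Flag (client, host) pairs whose inter-request intervals are nearly constant.

    Jitter is the median absolute deviation of the intervals divided by their
    median; a timer-driven check-in scores close to 0, human browsing scores high.
    Pairs with fewer than min_requests requests are skipped to avoid judging
    on too few samples.
    """
    by_pair = defaultdict(list)
    for ts, client, host in parse_log(text):
        by_pair[(client, host)].append(ts)

    beacons = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(intervals)
        if median <= 0:
            continue  # duplicate timestamps; nothing meaningful to measure
        mad = statistics.median(abs(i - median) for i in intervals)
        jitter = mad / median
        if jitter <= max_jitter:
            beacons.append({
                "client": client,
                "host": host,
                "requests": len(stamps),
                "median_interval_s": median,
                "jitter": round(jitter, 3),
            })
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_PROXY_LOG):
        print(beacon)
```

The median and median absolute deviation are used instead of mean and standard deviation so that one missed check-in (a reboot, a dropped connection) does not hide an otherwise perfectly periodic pattern. On real proxy data the thresholds need tuning per environment, and legitimate software updaters will also show up, which is why the hit list carries the destination host for triage rather than acting on its own.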

We’ll continue monitoring the development of this emerging ecosystem trend, and post updates as soon as new developments emerge.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

