[nsp-sec] "Simplebot" -- a basic HTTP ddos bot
Jose Nazario
jose at arbor.net
Tue Jul 15 12:04:56 EDT 2008
I have one of these samples in my database that talks to this server.
Looks like a simple DDoS bot (hence the name, simplebot). Current command
set:
C&C http://reno.wu.lt/ddos/update.php
COMMAND
1 http://deface.lt 80
malcode info:
MD5: 99e9c2d1f98e019b7ac1225173469e85
SHA1: 1e2a5ff3f4e0b4630244cc3398dd282a837f00be
File type: MS Windows PE
File size: 46282 bytes
No idea how big this botnet is. I don't seem to have any other samples.
It is compiled with MinGW GCC, not packed. Drops the following files:
server.exe
omg.JPG
binded.jpg
%s\System32\exec1.exe
%s\System32\exec2.JPG
Creates Mutex: TsunamiOverHost
Looks like a simple HTTP flooder, not terribly complex.
Modestly well detected by AV, however inaccurate or disjointed the naming
may be:
Complete scanning result of "214827", processed in VirusTotal at
07/15/2008 16:44:16 (CET).
[ file data ]
* name..: 214827
* size..: 46282
* md5...: 99e9c2d1f98e019b7ac1225173469e85
* sha1..: 1e2a5ff3f4e0b4630244cc3398dd282a837f00be
* peid..: -
[ scan result ]
AhnLab-V3 2008.7.11.0/20080715 found [Win-Trojan/Xema.variant]
AntiVir 7.8.0.64/20080715 found [TR/Generic.76910.3]
Authentium 5.1.0.4/20080715 found [W32/Pws.AHGP]
Avast 4.8.1195.0/20080715 found [Win32:Trojan-gen {Other}]
AVG 7.5.0.516/20080715 found [Dropper.Agent.HZA]
BitDefender 7.2/20080715 found [Trojan.Dropper.RXT]
CAT-QuickHeal 9.50/20080714 found nothing
ClamAV 0.93.1/20080715 found [Trojan.Downloader-16241]
DrWeb 4.44.0.09170/20080715 found [Trojan.MulDrop.8371]
eSafe 7.0.17.0/20080714 found [Suspicious File]
eTrust-Vet 31.6.5956/20080715 found nothing
Ewido 4.0/20080715 found nothing
F-Prot 4.4.4.56/20080714 found [W32/Pws.AHGP]
F-Secure 7.60.13501.0/20080715 found nothing
Fortinet 3.14.0.0/20080715 found nothing
GData 2.0.7306.1023/20080715 found nothing
Ikarus T3.1.1.26.0/20080715 found [Trojan-Downloader.Win32.Agent.euy]
Kaspersky 7.0.0.125/20080715 found nothing
McAfee 5338/20080714 found nothing
Microsoft 1.3704/20080715 found [Trojan:Win32/Meredrop]
NOD32v2 3269/20080715 found nothing
Norman 5.80.02/20080715 found [W32/Malware.CWRL]
Panda 9.0.0.4/20080714 found [Suspicious file]
Prevx1 V2/20080715 found [Malicious Software]
Rising 20.53.12.00/20080715 found nothing
Sophos 4.31.0/20080715 found [Mal/Generic-A]
Sunbelt 3.1.1536.1/20080715 found [Trojan-Dropper.RXT]
Symantec 10/20080715 found [Infostealer.Gampass]
TheHacker 6.2.96.379/20080714 found nothing
TrendMicro 8.700.0.1004/20080715 found nothing
VBA32 3.12.8.0/20080715 found [Trojan.MulDrop.8371]
VirusBuster 4.5.11.0/20080715 found nothing
Webwasher-Gateway 6.6.2/20080715 found [Trojan.Generic.76910.3]
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/
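The command set quoted in the post is the one thing a responder can act on: a `COMMAND` header followed by `<flag> <url> <port>` lines fetched from the update.php C&C. The following is an added example, not code from the post or from Arbor, of a strict parser for that format plus an indicator split (C&C host to sinkhole, victim hosts to notify). The sample response is constructed to match the post; the meaning of the leading numeric field is not stated in the post and is kept as an opaque integer.

```python
# Added example (not from the post or Arbor): parser and indicator extractor
# for the simplebot C&C response format quoted in the post.
from dataclasses import dataclass
from urllib.parse import urlsplit

# C&C URL from the post; the response body below is a constructed sample
# shaped exactly like the command set the post shows.
CNC_URL = "http://reno.wu.lt/ddos/update.php"
SAMPLE_RESPONSE = "COMMAND\n1 http://deface.lt 80\n"


@dataclass(frozen=True)
class FloodTarget:
    flag: int    # leading numeric field; the post does not document its meaning
    url: str     # URL the flooder requests
    port: int    # TCP port the flooder connects to


def parse_command_response(body: str) -> list[FloodTarget]:
    """Parse a C&C response into targets, rejecting anything off-format.

    Observed format: a 'COMMAND' header line, then one '<flag> <url> <port>'
    line per target. Strict validation matters when this runs in a sandbox or
    sinkhole, where a hostile or garbled response must not crash the tool.
    """
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines or lines[0].upper() != "COMMAND":
        raise ValueError("missing COMMAND header")
    targets = []
    for ln in lines[1:]:
        parts = ln.split()
        if len(parts) != 3:
            raise ValueError(f"malformed target line: {ln!r}")
        flag_s, url, port_s = parts
        if not flag_s.isdigit() or not port_s.isdigit():
            raise ValueError(f"non-numeric flag or port: {ln!r}")
        port = int(port_s)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        u = urlsplit(url)
        if u.scheme not in ("http", "https") or not u.hostname:
            raise ValueError(f"target is not an HTTP URL: {url!r}")
        targets.append(FloodTarget(int(flag_s), url, port))
    return targets


def is_valid_response(body: str) -> bool:
    """True if the body parses as a well-formed command set."""
    try:
        parse_command_response(body)
        return True
    except ValueError:
        return False


def network_indicators(body: str, cnc_url: str = CNC_URL) -> dict[str, set[str]]:
    """Split hosts into the C&C to block or sinkhole and the victims to warn."""
    cnc_host = urlsplit(cnc_url).hostname
    victims = {urlsplit(t.url).hostname for t in parse_command_response(body)}
    return {"cnc": {cnc_host}, "victims": victims}


if __name__ == "__main__":
    for t in parse_command_response(SAMPLE_RESPONSE):
        print(t)
    print(network_indicators(SAMPLE_RESPONSE))
```

Pointing a poller at the C&C itself is deliberately left out; the parser is meant to run over bodies captured from a sandbox or a sinkhole so the response can be turned into a victim notification list without ever generating traffic toward the listed target.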