[nsp-sec] "Simplebot" -- a basic HTTP ddos bot
Marius Urkis
marius at litnet.lt
Wed Jul 16 05:22:05 EDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ack
(notified appropriate ISP)
Jose Nazario wrote:
| ----------- nsp-security Confidential --------
|
| i have one of these samples in my database that talks to this server.
| looks like a simple ddos bot (hence the name, simplebot). current
| command set:
|
| C&C http://reno.wu.lt/ddos/update.php
| COMMAND
| 1 http://deface.lt 80
|
| malcode info:
|
| MD5: 99e9c2d1f98e019b7ac1225173469e85
| SHA1: 1e2a5ff3f4e0b4630244cc3398dd282a837f00be
| File type: MS Windows PE
| File size: 46282 bytes
|
|
| no idea how big this botnet is. i don't seem to have any other samples.
|
| it is compiled with MinGW GCC, not packed. drops the following files:
|
| server.exe
| omg.JPG
| binded.jpg
| %s\System32\exec1.exe
| %s\System32\exec2.JPG
|
| Creates Mutex: TsunamiOverHost
|
| looks like a simple HTTP flooder, not terribly complex.
|
| modestly well detected by AV, however inaccurate or disjointed the
| naming may be:
|
| Complete scanning result of "214827", processed in VirusTotal at
| 07/15/2008 16:44:16 (CET).
|
| [ file data ]
| * name..: 214827
| * size..: 46282
| * md5...: 99e9c2d1f98e019b7ac1225173469e85
| * sha1..: 1e2a5ff3f4e0b4630244cc3398dd282a837f00be
| * peid..: -
|
| [ scan result ]
| AhnLab-V3 2008.7.11.0/20080715 found [Win-Trojan/Xema.variant]
| AntiVir 7.8.0.64/20080715 found [TR/Generic.76910.3]
| Authentium 5.1.0.4/20080715 found [W32/Pws.AHGP]
| Avast 4.8.1195.0/20080715 found [Win32:Trojan-gen {Other}]
| AVG 7.5.0.516/20080715 found [Dropper.Agent.HZA]
| BitDefender 7.2/20080715 found [Trojan.Dropper.RXT]
| CAT-QuickHeal 9.50/20080714 found nothing
| ClamAV 0.93.1/20080715 found [Trojan.Downloader-16241]
| DrWeb 4.44.0.09170/20080715 found [Trojan.MulDrop.8371]
| eSafe 7.0.17.0/20080714 found [Suspicious File]
| eTrust-Vet 31.6.5956/20080715 found nothing
| Ewido 4.0/20080715 found nothing
| F-Prot 4.4.4.56/20080714 found [W32/Pws.AHGP]
| F-Secure 7.60.13501.0/20080715 found nothing
| Fortinet 3.14.0.0/20080715 found nothing
| GData 2.0.7306.1023/20080715 found nothing
| Ikarus T3.1.1.26.0/20080715 found [Trojan-Downloader.Win32.Agent.euy]
| Kaspersky 7.0.0.125/20080715 found nothing
| McAfee 5338/20080714 found nothing
| Microsoft 1.3704/20080715 found [Trojan:Win32/Meredrop]
| NOD32v2 3269/20080715 found nothing
| Norman 5.80.02/20080715 found [W32/Malware.CWRL]
| Panda 9.0.0.4/20080714 found [Suspicious file]
| Prevx1 V2/20080715 found [Malicious Software]
| Rising 20.53.12.00/20080715 found nothing
| Sophos 4.31.0/20080715 found [Mal/Generic-A]
| Sunbelt 3.1.1536.1/20080715 found [Trojan-Dropper.RXT]
| Symantec 10/20080715 found [Infostealer.Gampass]
| TheHacker 6.2.96.379/20080714 found nothing
| TrendMicro 8.700.0.1004/20080715 found nothing
| VBA32 3.12.8.0/20080715 found [Trojan.MulDrop.8371]
| VirusBuster 4.5.11.0/20080715 found nothing
| Webwasher-Gateway 6.6.2/20080715 found [Trojan.Generic.76910.3]
|
|
| -------------------------------------------------------------
| jose nazario, ph.d. <jose at arbor.net> security researcher, office of
| the CTO, arbor networks
| v: (734) 821 1427 http://asert.arbornetworks.com/
|
|
| _______________________________________________
| nsp-security mailing list
| nsp-security at puck.nether.net
| https://puck.nether.net/mailman/listinfo/nsp-security
|
| Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
| community. Confidentiality is essential for effective Internet security
| counter-measures.
| _______________________________________________
- --
Marius
=============================
~ Marius Urkis
~ LITNET CERT
~ http://cert.litnet.lt
~ Tel: +370 37 300645
~ GSM: +370 687 79059
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIfb29HS98nbdNAJwRAjeiAJ9RE7cvDb0Fr3ahAvfNPYWinbg0xwCfQwF4
tju70r67WQtus8++s2YLDy0=
=HybE
-----END PGP SIGNATURE-----
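Editor's note: the quoted VirusTotal-style listing above is the kind of thing an incident handler ends up re-parsing by hand when comparing a sample against a report (detection ratio, whether the hashes match the sample in your own database, how disjointed the vendor naming is). The following parser is an added example written for this archive page; it is not code from either poster. The embedded report text is an excerpt copied from the quoted message, including the Ikarus line that the mail client wrapped onto a second line, and the `name_keywords` keyword set is an assumption chosen to illustrate the "dropper/downloader/infostealer" naming spread, not a standard taxonomy.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Dict, Tuple

# Excerpt of the report quoted in the post (copied from the page). The Ikarus
# result is wrapped across two lines exactly as it appears in the list archive.
SCAN_REPORT = """\
[ file data ]
* name..: 214827
* size..: 46282
* md5...: 99e9c2d1f98e019b7ac1225173469e85
* sha1..: 1e2a5ff3f4e0b4630244cc3398dd282a837f00be
* peid..: -

[ scan result ]
AhnLab-V3 2008.7.11.0/20080715 found [Win-Trojan/Xema.variant]
BitDefender 7.2/20080715 found [Trojan.Dropper.RXT]
CAT-QuickHeal 9.50/20080714 found nothing
ClamAV 0.93.1/20080715 found [Trojan.Downloader-16241]
Ikarus T3.1.1.26.0/20080715 found
[Trojan-Downloader.Win32.Agent.euy]
Kaspersky 7.0.0.125/20080715 found nothing
Microsoft 1.3704/20080715 found [Trojan:Win32/Meredrop]
Sunbelt 3.1.1536.1/20080715 found [Trojan-Dropper.RXT]
Symantec 10/20080715 found [Infostealer.Gampass]
"""


@dataclass
class ScanResult:
    engine: str
    version: str
    detection: Optional[str]  # None when the engine reported "found nothing"


@dataclass
class Report:
    file_data: Dict[str, str] = field(default_factory=dict)
    results: List[ScanResult] = field(default_factory=list)


FILE_LINE = re.compile(r"^\* (\w+)\.*: (.*)$")
SCAN_LINE = re.compile(r"^(\S+) (\S+) found (?:(nothing)|\[(.+)\])$")


def _unwrap(lines):
    """Re-join result lines that a mail client wrapped right after 'found'."""
    out = []
    for line in lines:
        line = line.strip()
        if out and out[-1].endswith(" found") and line.startswith("["):
            out[-1] = out[-1] + " " + line
        else:
            out.append(line)
    return out


def parse_report(text: str) -> Report:
    """Parse the '[ file data ]' and '[ scan result ]' sections into a Report."""
    report = Report()
    section = None
    for line in _unwrap(text.splitlines()):
        if not line:
            continue
        if line.startswith("[ ") and line.endswith(" ]"):
            section = line[2:-2]
            continue
        if section == "file data":
            m = FILE_LINE.match(line)
            if m:
                report.file_data[m.group(1)] = m.group(2).strip()
        elif section == "scan result":
            m = SCAN_LINE.match(line)
            if not m:
                raise ValueError("unparsed scan line: %r" % line)
            engine, version, nothing, name = m.groups()
            report.results.append(ScanResult(engine, version, None if nothing else name))
    return report


def detection_ratio(report: Report) -> Tuple[int, int]:
    """(engines that flagged the file, engines that scanned it)."""
    hits = sum(1 for r in report.results if r.detection)
    return hits, len(report.results)


def matches_sample(report: Report, md5: Optional[str] = None, sha1: Optional[str] = None) -> bool:
    """True when every supplied hash equals the report's file-data hash (case-insensitive)."""
    fd = report.file_data
    checks = []
    if md5 is not None:
        checks.append(fd.get("md5", "").lower() == md5.lower())
    if sha1 is not None:
        checks.append(fd.get("sha1", "").lower() == sha1.lower())
    return bool(checks) and all(checks)


# Assumed keyword set, only to show how vendors disagree on what the file "is".
KEYWORDS = {"dropper", "downloader", "generic", "pws", "infostealer"}


def name_keywords(report: Report) -> Counter:
    """Count how many vendor names contain each generic behaviour keyword."""
    counts = Counter()
    for r in report.results:
        if r.detection:
            for tok in set(re.split(r"[^A-Za-z]+", r.detection.lower())):
                if tok in KEYWORDS:
                    counts[tok] += 1
    return counts


if __name__ == "__main__":
    rep = parse_report(SCAN_REPORT)
    print("detections: %d/%d" % detection_ratio(rep))
    print("md5 matches quoted sample:", matches_sample(rep, md5="99e9c2d1f98e019b7ac1225173469e85"))
    print("naming spread:", dict(name_keywords(rep)))
```

Run it against the full listing from the post and it reports the same split the poster summarises as "modestly well detected": the handful of engines that agree on "dropper" or "downloader" versus the ones that call it an infostealer or return nothing. The unwrap step matters in practice: without it, the wrapped Ikarus line would either be dropped or counted as a parse error, quietly lowering the ratio.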