[nsp-sec] Morto worm C&C (RDP Scanner)
Thomas Hungenberg
th.lab at hungenberg.net
Wed Aug 31 06:03:13 EDT 2011
Carles Fragoso wrote:
> BTW, any info about which kind of traffic profile Morto uses to communicate with C&C?
From:
http://www.securelist.com/en/blog/208193084/The_Miner_Botnet_Bitcoin_Mining_Goes_Peer_To_Peer
------------
To verify if a remote host is really part of the botnet, it is first probed on port 62999/tcp.
After that, all subsequent communication with that host takes place over HTTP connections on port 8080/tcp.
If a bot wants to receive a piece of information from the botnet, it sends a GET request for the
URL /search=[resource] to another peer
------------
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
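The traffic profile in the quoted excerpt can be turned into a simple correlation over connection logs. The following is an added example, not part of the original message or the Securelist article: the log layout (time, source, destination, destination port, HTTP request line), the five-minute window and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

PROBE_PORT = 62999              # peer verification port named in the excerpt
HTTP_PORT = 8080                # subsequent HTTP communication, per the excerpt
URL_PREFIX = "GET /search="     # request pattern named in the excerpt
WINDOW = timedelta(minutes=5)   # assumption: max gap between probe and GET

# Constructed sample records (not real traffic):
# time, src, dst, dst port, HTTP request line ("-" if none)
SAMPLE_LOG = """\
2011-08-31T10:00:01 10.0.0.5 198.51.100.7 62999 -
2011-08-31T10:00:03 10.0.0.5 198.51.100.7 8080 GET /search=example HTTP/1.1
2011-08-31T10:00:09 10.0.0.8 198.51.100.9 8080 GET /search=shoes HTTP/1.1
2011-08-31T10:01:00 10.0.0.9 203.0.113.4 62999 -
2011-08-31T10:02:00 10.0.0.5 198.51.100.7 8080 GET /index.html HTTP/1.1
2011-08-31T10:20:00 10.0.0.9 203.0.113.4 8080 GET /search=example HTTP/1.1
"""

def parse(line):
    """Split one record of the assumed layout into typed fields."""
    ts, src, dst, port, request = line.split(" ", 4)
    return datetime.fromisoformat(ts), src, dst, int(port), request

def find_peer_traffic(log_text, window=WINDOW):
    """Return sorted (src, dst) pairs where a probe to 62999/tcp is followed,
    within `window`, by a GET for /search=... on 8080/tcp to the same host."""
    records = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    last_probe = {}   # (src, dst) -> time of most recent 62999/tcp probe
    hits = set()
    for ts, src, dst, port, request in records:
        if port == PROBE_PORT:
            last_probe[(src, dst)] = ts
        elif port == HTTP_PORT and request.startswith(URL_PREFIX):
            probe = last_probe.get((src, dst))
            # A /search= request alone is too generic; require the prior probe.
            if probe is not None and ts - probe <= window:
                hits.add((src, dst))
    return sorted(hits)

if __name__ == "__main__":
    for src, dst in find_peer_traffic(SAMPLE_LOG):
        print(f"{src} -> {dst}: probe on {PROBE_PORT}/tcp then /search= on {HTTP_PORT}/tcp")
```

Requiring both steps against the same destination keeps ordinary `/search=` requests on port 8080 from matching on their own.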