[nsp-sec] Morto worm C&C (RDP Scanner)

Thomas Hungenberg th.lab at hungenberg.net
Thu Sep 1 04:07:12 EDT 2011


Sorry, I mixed up Miner and Morto...

     - Thomas

CERT-Bund Incident Response & Anti-Malware Team

Thomas Hungenberg wrote:
> ----------- nsp-security Confidential --------
> 
> Carles Fragoso wrote:
>> BTW, any info about which kind of traffic profile uses Morto to communicate with C&C?
> 
> From:
> http://www.securelist.com/en/blog/208193084/The_Miner_Botnet_Bitcoin_Mining_Goes_Peer_To_Peer
> ------------
> To verify if a remote host is really part of the botnet, it is first probed on port 62999/tcp.
> After that, all subsequent communication with that host takes place over HTTP connections on port 8080/tcp.
> If a bot wants to receive a piece of information from the botnet, it sends a GET request for the
> URL /search=[resource] to another peer
> ------------
> 
> 
>      - Thomas
> 
> CERT-Bund Incident Response & Anti-Malware Team
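
Added example, not part of the original thread or of the quoted Securelist write-up: a sketch of how the quoted traffic profile (which, per the correction at the top, describes Miner rather than Morto) could be matched against connection logs. The log format, the addresses and the resource name are constructed for illustration; records are assumed to be sorted by time.

```python
PROBE_PORT = 62999        # peer verification probe, per the quoted excerpt
HTTP_PORT = 8080          # later peer-to-peer HTTP traffic, per the quoted excerpt
URL_PREFIX = "/search="   # GET /search=[resource]

# Constructed sample records: time, src, dst, dst port, HTTP request line ("-" if none)
SAMPLE = """\
100 10.0.0.5 192.0.2.10 62999 -
101 10.0.0.5 192.0.2.10 8080 GET /search=example HTTP/1.1
102 10.0.0.7 198.51.100.4 8080 GET /index.html HTTP/1.1
103 10.0.0.8 203.0.113.9 62999 -
104 10.0.0.9 192.0.2.10 8080 GET /search=example HTTP/1.1
105 10.0.0.7 198.51.100.4 8080 GET /search?q=x HTTP/1.1
"""

def classify(log_text):
    """Return {(src, dst): verdict} for pairs matching the quoted profile.

    probe+search: 62999/tcp probe followed by GET /search=... on 8080/tcp
    probe-only:   62999/tcp probe seen, no matching HTTP request
    search-only:  matching HTTP request without an observed probe
    """
    probed = set()
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, req = line.split(None, 4)
        pair, dport = (src, dst), int(dport)
        if dport == PROBE_PORT:
            probed.add(pair)
            findings.setdefault(pair, "probe-only")
        elif dport == HTTP_PORT:
            parts = req.split()
            # Require the exact "/search=" prefix so that ordinary
            # "/search?q=..." requests on 8080/tcp are not flagged.
            if len(parts) >= 2 and parts[0] == "GET" and parts[1].startswith(URL_PREFIX):
                if pair in probed:
                    findings[pair] = "probe+search"
                elif findings.get(pair) != "probe+search":
                    findings[pair] = "search-only"
    return findings

if __name__ == "__main__":
    for (src, dst), verdict in sorted(classify(SAMPLE).items()):
        print(f"{src} -> {dst}: {verdict}")
```

The probe+search verdict is the strongest signal; probe-only and search-only each match one half of the profile and need corroboration before a host is treated as infected.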