Home
Forums
CARDING & HACKING
HOSTING & BOTNET
Botnet
<blockquote data-quote="Brianwill" data-source="post: 596" data-attributes="member: 15"><p>Storm (aka Zhelatin) was first spotted in early 2007 and was sent out under the guise of reports of destruction caused by severe storms in Europe. From the very beginning, the bot used social engineering in its emails; even such "news" as the resurrection of Saddam Hussein was used as bait in the subject line. But if social engineering were the only feature of the Storm botnet, it would not have made it into our selection. For its time, Storm was probably the most technologically advanced malware. It implemented a decentralized p2p management system based on the Overnet protocol (which is itself based on the eDonkey network) and server-side polymorphism.</p><p></p><p>Server-side polymorphism had previously been used only in the Stration botnet, which first appeared in 2006. Subsequently, there was a short and not particularly interesting war between this botnet and Storm for users' computers. However, at one point Storm accounted for up to 8% of all malware on Windows computers.</p><p></p><p>In July 2007, at the peak of its growth, the botnet generated about 20% of all spam on the Internet, sending it from 1.4 million computers. It was used to promote pharmaceuticals and other drugs: both relatively legal ones, like Viagra, and prohibited ones.</p><p></p><p>Around the same time, attempts were made to split the botnet into several separate subnets. Perhaps the authors wanted to sell access to the infected machines in parts to interested parties. Either way, it didn't work out.</p><p></p><p>The botnet was quite brutal in protecting its resources from overly curious researchers. When frequent requests to download bot updates were detected from the same address, which is what antivirus companies like to do, the bots launched a DDoS attack on that address. In addition, the websites of companies that interfered with the botnet owners' dirty work were attacked, with varying success. So, as a result of DDoS attacks, the Spamhaus, SURBL (Spam URI Realtime Blocklists) and URIBL (Realtime URI Blacklist) services were disrupted for a short time. This was needed to prevent anti-spam solutions from updating their databases and blocking the mailings.</p><p></p><p>At some point, the total computing power of the PCs infected with Storm surpassed that of the supercomputers of the day. Imagine what power the owners of Storm had in their hands! If only they had decided to do parallel computing instead of sending spam... However, let's not talk about sad things. The cryptocurrencies you were thinking of mining had, of course, not yet been born from Satoshi Nakamoto's ideas, so there was nothing to mine. It's a pity. In the role of a malicious miner, the botnet would have looked much more interesting in our selection.</p><p></p><p>So it would have continued, but at the end of 2008 the botnet disappeared, as if by magic. Kaspersky Lab believes this happened because of the closure of the Russian Business Network, a criminal bulletproof hosting provider from Russia. According to another version, which seems more plausible to me, Storm was destroyed by security researchers. At the Chaos Communication Congress (December 2008), a group of hackers showed a tool called Stormfucker, which, using a bug in Storm, spread on its own through the Overnet network and disinfected infected computers. And Microsoft, as usual, interprets what happened in its own way: it believes that a Windows update helped get rid of the botnet. The experts never did agree on one version.</p><p></p><p>Of course, a place in the sun rarely stays empty, and with the demise of Storm a new botnet, built on the Waledac Trojan, appeared. Although the code was completely different from its predecessor's, Waledac suspiciously resembled Storm in a number of features: the use of <a href="https://en.wikipedia.org/wiki/Fast_flux" target="_blank">fast flux</a> C&C hosting, server-side polymorphism, spam distribution functions and a p2p update mechanism. Even the spam email templates were almost identical to Storm's. Waledac advertised the same products from the same sellers as Storm. A visual demonstration of how one botnet is shut down and immediately replaced by a new one.</p><p></p><p>Storm seemed to be a ghost until 2010, when members of the Honeynet Project discovered a new version of it. It consisted of approximately two-thirds of the code of the first version: 236 of the worm's 310 functions remained unchanged. The piece responsible for peering went in the trash (it seems that was because of Stormfucker), and the C&C communication protocol was changed to HTTP (previously, it used plain TCP sockets). Fortunately, Storm 2.0 was not as widely adopted as its older brother, which may have been because the source code of the first version was handed over to a different development team.</p><p></p><p>It was relatively easy to notice the symptoms of infection if you monitored attempts to start processes. Malicious processes were usually named gameX.exe, where X is a number. The following options are possible:</p></blockquote><p></p>
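The process-name symptom described at the end of the post above lends itself to a simple host-based check. What follows is an added example, not code from the original post or from any tool or vendor the post mentions: a Python scanner that walks process-creation events and flags image names matching the game&lt;number&gt;.exe pattern the post describes. The sample event lines, their simplified Sysmon-style field layout, and the extra "parent is also a gameX.exe" flag are all constructed assumptions for this example, not data from the page.

```python
import re

# Constructed sample of process-creation events in a simplified
# Sysmon Event ID 1 style. These lines are made up for this example
# and are not real telemetry from a Storm infection.
SAMPLE_EVENTS = [
    "2007-07-12T10:01:03Z EventID=1 Image=C:\\Windows\\explorer.exe ParentImage=C:\\Windows\\System32\\userinit.exe User=LAB\\alice",
    "2007-07-12T10:01:09Z EventID=1 Image=C:\\Windows\\game0.exe ParentImage=C:\\Windows\\explorer.exe User=LAB\\alice",
    "2007-07-12T10:01:10Z EventID=1 Image=C:\\Windows\\game1.exe ParentImage=C:\\Windows\\game0.exe User=LAB\\alice",
    "2007-07-12T10:02:44Z EventID=1 Image=C:\\Program Files\\Games\\Game.exe ParentImage=C:\\Windows\\explorer.exe User=LAB\\alice",
    "2007-07-12T10:03:00Z EventID=3 Image=C:\\Windows\\game1.exe DestinationPort=4000",
    "2007-07-12T10:03:15Z EventID=1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe User=LAB\\alice",
]

# The naming pattern from the post: "game" followed by a number, then ".exe".
# Anchored on both ends so "game.exe" or "games1.exe" are not matched.
STORM_NAME = re.compile(r"^game\d+\.exe$", re.IGNORECASE)

# Field layout assumed for this example (not a real Sysmon format).
# Non-greedy captures let paths contain spaces, e.g. "Program Files".
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) "
    r"Image=(?P<image>.+?) ParentImage=(?P<parent>.+?) User=(?P<user>\S+)$"
)


def basename(path):
    """Return the file name component of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_storm_name(name):
    """True if the image name (or full path) matches game<digits>.exe."""
    return STORM_NAME.match(basename(name)) is not None


def parse_event(line):
    """Parse one event line into a dict, or None if it is not a
    process-creation record in the assumed layout."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def find_storm_process_starts(lines):
    """Scan event lines and return a hit record for every process start
    whose image name matches the gameX.exe pattern. The parent_suspicious
    flag (parent also matches) is an added heuristic, not from the post."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event_id"] != "1":
            continue  # only process-creation events are of interest here
        if not is_storm_name(ev["image"]):
            continue
        hits.append({
            "timestamp": ev["ts"],
            "image": basename(ev["image"]),
            "path": ev["image"],
            "parent": basename(ev["parent"]),
            "parent_suspicious": is_storm_name(ev["parent"]),
            "user": ev["user"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_storm_process_starts(SAMPLE_EVENTS):
        flag = " (parent also matches)" if hit["parent_suspicious"] else ""
        print(f'{hit["timestamp"]} {hit["user"]} started {hit["path"]} '
              f'from {hit["parent"]}{flag}')
```

Run against the constructed sample, the scanner reports game0.exe and game1.exe (the second with its parent also flagged) and ignores Game.exe, whose name carries no number, as well as the network-connection event for game1.exe. A name-based rule like this is cheap but brittle, which is why it is best paired with other telemetry rather than used alone.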