<blockquote data-quote="Brianwill" data-source="post: 597" data-attributes="member: 15">
<ul>
<li data-xf-list-type="ul">game0.exe - backdoor and bootloader in one package; this process started the rest;</li>
<li data-xf-list-type="ul">game1.exe - SMTP server for sending spam;</li>
<li data-xf-list-type="ul">game2.exe - email address stealer;</li>
<li data-xf-list-type="ul">game3.exe - spam distribution module;</li>
<li data-xf-list-type="ul">game4.exe - DDoS utility;</li>
<li data-xf-list-type="ul">game5.exe - bot update process.</li>
</ul>
<p>The code was run by the rootkit from %windir%\system32\wincom32.sys, which allowed it to bypass some security mechanisms. The rootkit code in the kernel, however, doesn't care about any protection, because getting something out of the kernel, even knowing its internal structure, is not as trivial as it seems.</p>
<p>Also, the rootkit did not hesitate to fake antivirus programs so that the user would think that the protection was working normally, even though it did not work at all.</p>
<p>Thus, Storm became one of the first commercial ready-to-use spam tools. It may not have lasted long, but it showed the way to other attackers, who began to act in a similar way.</p>
<p><strong>Mariposa</strong></p>
<ul>
<li data-xf-list-type="ul"><strong>Brief description:</strong> Trojan worm</li>
<li data-xf-list-type="ul"><strong>Years of life:</strong> 2009–2011</li>
<li data-xf-list-type="ul"><strong>Number of infections:</strong> 12 + 11 million (two waves)</li>
<li data-xf-list-type="ul"><strong>Distribution methods:</strong> pirated software, self-distribution via flash drives, peer-to-peer networks, and MSN Messenger</li>
<li data-xf-list-type="ul"><strong>Distribution:</strong> 190 countries</li>
</ul>
<p>The Mariposa botnet ("butterfly" in Spanish) appeared in 2009 and was based on the code of the Palevo Trojan, also known as Rimecud. Panda Labs estimated that the size of this giant butterfly was 12 million computers.</p>
<p>In the code, the bot was called somewhat more simply - Butterfly Bot - but no one forbids anyone to name things as they please, so antivirus companies came up with their own name and issued it as the official one. The author had to accept it.</p>
<p>The bot could work as a loader for other malware of all stripes, could get passwords from Firefox and IE out of the box, and raised HTTP and SOCKS proxies to cover up the attacker. And of course, DDoS, with two modules at once: TCP SYN flood and UDP flood.</p>
<p>One of the distribution methods was USB flash drives and autorun.ini, which still worked at that time. However, this was very annoying for the bot (it is not for nothing that it is based on Palevo): Mariposa created a highly obfuscated autoload file, in which instructions were mixed with a large number of characters in different encodings. So the ini file looked different every time.</p>
<p>The main activity of Mariposa was scams and the already traditional DDoS. This included the theft of affected accounts from their computers and their subsequent resale. Then bank accounts were used to pay for services, and social networks were used for any kind of scam. Spoiler alert: now the purpose of stolen data is exactly the same.</p>
<p>In terms of protection from being studied, the bot authors tried their best: they enabled a lot of security features, which, however, still did not help to avoid the closing of the botnet. Security mechanisms included frequent updates and modifications to the binary code that allowed bypassing signature analysis, countering startup on virtual machines and in sandboxes, and a new secure protocol for interacting with the command center based on UDP.</p>
<p>Unfortunately for the botnet authors (the DDP Team group from Spain directly stated its involvement), in December 2009 Mariposa's career was over. Researchers and the police managed to identify, capture and disable C&C servers in Spain itself. Three months later (in February), Spanish law enforcement officers arrested three members of the DDP Team. An interesting detail — none of those arrested knew how to program.</p>
<p>According to the Spanish police, the bot drivers were completely childish: they connected as admins to the C&C from their home IPs, instead of using a VPN or proxy. However, it was not possible to call the perpetrators to account, largely due to the fact that running a botnet at that time was not considered a crime in Spain at all, and for a criminal case the police would have had to prove that they stole information and then used it for profit. According to official information, private data of more than 800 thousand people in 190 countries were stolen with the help of Mariposa — however, it was not possible to use this in the investigation for lack of solid evidence.</p>
<p>As a result, the investigation reached a dead end, and the administrators of Mariposa, who were released a couple of months later, visited the office of Panda Security, which had a significant hand in their capture, and began to ask them to hire them: according to them, they were completely out of money after the Mariposa infrastructure was destroyed. They left, of course, with nothing.</p>
<p>Despite the destruction of Mariposa's C&C, from the end of 2010 the number of its detections began to grow again, and six months later another botnet based on the same Palevo, numbering about 11 million machines, was found. They called it Metulji ("butterfly" in Slovenian).</p>
<p>Just a month and a half to two months after the botnet was discovered, its operators, residents of Serbian Bosnia, were identified. The guys also didn't bother and spent money right and left. They were arrested jointly by the Slovenian police, the FBI and Interpol. Since then, Palevo and its derivatives have disappeared from the list of top threats.</p>
<p>As you can see, even kulhatskers with minimal knowledge can build botnets that are far from small in number, even without using spam and exploit packs. Twelve million dollars out of the blue is a serious result.</p>
</blockquote>