Thursday, September 6, 2012

LetsBoot V1 (Pardooter) UDP DDOS attack tool.


LetsBoot V1 is a new DDoS attack tool that floods the target server with massive numbers of UDP packets until it collapses.

Its distinguishing feature is that it does not rely on thousands of bot machines acting as zombie platforms for the mass sending of UDP packets. Instead, it uses a list of web servers that were compromised earlier and had PHP shell scripts installed in their public directories; those servers are the attack vector for the mass sending of malicious UDP packets.

The advantage of this DDoS system is that it relies on servers that operate continuously, whereas zombie machines often depend on the user keeping them switched on and on the malware not having been removed by antivirus software. Besides, the DDoS system can use the bandwidth of the compromised servers to send the bulk attack packets, which is far greater than what, for example, the zombies' ADSL connections could provide.
So far only a beta version, V1, of this DDoS tool has been found.

The LetsBoot application menu is accessed through the URL:

hxxp://boolbot.org/booter/

It shows the following login screen:


The boolbot.org domain is hosted at IP 178.33.30.17, belonging to the provider JE-Eigen-DOMEIN.NL in Holland.
After logging in, the control panel displays the following information:


The BOOT option in the panel asks for the domain and port the user wants to attack, as well as the duration of the attack.


Another option in the control panel sets up the list of URLs hosting the malicious PHP shell script that is used as the platform for the mass UDP attack against the selected target domain.


The list of addresses configured as attack vectors is the following:

hXXp://84.240.204.69/webdav/Shell.php          
hXXp://66.249.131.118/webdav/Shell.php        
hXXp://213.0.25.119/webdav/Shell.php             
hXXp://208.105.232.221/webdav/sectorx/udp.php      
hXXp://208.105.232.221/webdav/sectorx/udp.php      
hXXp://114.35.29.133/webdav/Shell.php          
hXXp://97.96.208.234/webdav/Shell.php          
hXXp://211.75.225.25/webdav/Shell.php          
hXXp://61.4.68.137/webdav/Shell.php               
hXXp://175.158.191.163/webdav/Shell.php      
hXXp://sexxx.sultryserver.com/udp.php          
hXXp://nightmaxxmm.sultryserver.com/          
hXXp://nightmare.sultryserver.com/   
hXXp://217.128.241.163/webdav/.Dav/Emb.php           
hXXp://thisisforfree.sultryserver.com
hXXp://randshits.sultryserver.com/     
hXXp://46.166.149.108/shell.php

Most of these addresses are active and ready to receive command orders from the control panel.

As can be seen:





The control panel sends the attack order to every server configured on the list using this command:

http://URL_SERVERV/shell.php?act=phptools&host={HOST}&time={TIME}&port={PORT}

This indicates the domain and port of the target machine to collapse, and the duration of the attack.

It has been possible to obtain the PHP script that performs this UDP attack, and it reveals a programming design error: the script does not take the port as an input parameter; the port is generated randomly inside the code. Passing the port parameter to the PHP script is therefore pointless.
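From a defender's side, the command format above gives web server administrators something concrete to hunt for: a request to a PHP file in their own web root carrying act=phptools together with host and time query parameters means the server is being driven as an attack platform. The following Python script is an added example, not code from the original post or from the tool itself; it scans Apache-style access log lines (constructed samples, embedded inline) for that command pattern, extracts the target and duration, and counts targets per host. Because the page notes that the shell ignores the port parameter, the port is only recorded for reporting and is not used as a detection condition.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample access log lines (Apache combined log format). Client
# addresses and target hosts are documentation ranges / example domains, not
# real indicators; the request paths mimic the ones listed in the post.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Sep/2012:10:01:12 +0200] "GET /webdav/Shell.php?act=phptools&host=victim.example&time=600&port=80 HTTP/1.1" 200 15 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Sep/2012:10:01:13 +0200] "GET /webdav/sectorx/udp.php?act=phptools&host=victim.example&time=600&port=53 HTTP/1.1" 200 15 "-" "Mozilla/5.0"
203.0.113.4 - - [06/Sep/2012:10:02:00 +0200] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Sep/2012:10:03:30 +0200] "GET /shell.php?act=phptools&host=other.example&time=120&port=8080 HTTP/1.1" 404 210 "-" "curl/7.26"
"""

# Minimal combined-log parser: client, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_booter_request(path):
    """Return attack parameters if `path` matches the LetsBoot command
    pattern (act=phptools with host and time), otherwise None."""
    parsed = urlparse(path)
    qs = parse_qs(parsed.query)
    if qs.get("act") != ["phptools"]:
        return None
    if "host" not in qs or "time" not in qs:
        return None
    duration = qs["time"][0]
    # The port is passed by the panel but ignored by the shell script
    # (it picks a random port itself), so it is recorded, not relied on.
    port = qs.get("port", [None])[0]
    return {
        "script": parsed.path,
        "target_host": qs["host"][0],
        "duration_s": int(duration) if duration.isdigit() else None,
        "port": port,
    }


def scan_log(text):
    """Scan access log text and return one record per booter command seen."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = parse_booter_request(m.group("path"))
        if info is None:
            continue
        info.update(
            client=m.group("client"),
            timestamp=m.group("ts"),
            # A 200 means a script answered at that path, i.e. the shell is
            # probably present; a 404 means the controller probed a path
            # that does not exist on this server.
            status=int(m.group("status")),
        )
        hits.append(info)
    return hits


def targets_by_count(hits):
    """Count how many attack orders were received per target host."""
    return Counter(h["target_host"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['timestamp']} {h['client']} -> {h['script']} "
              f"target={h['target_host']} time={h['duration_s']}s "
              f"port={h['port']} status={h['status']}")
    print("targets:", dict(targets_by_count(found)))
```

On a real server the same check can be run over the live access log; any hit with a 200 status on a path under the web root warrants removing the script and investigating how it was placed there (the post's examples sit under /webdav/, which points at the WebDAV upload path as the likely entry point).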

