A new botnet called "Kerber0s Bot Panel" has been found. Its control panel is hosted at IP 46.166.163.127, which belongs to the provider INTERNET-SERVICES SANTREX in Romania.
The malware used as the infection vector is downloaded from the following addresses:
hxxp://46.166.163.127/1.exe
Size: 489,472 bytes
MD5: e3954dfb5e35eb32c02530838fa8d4c9
and
hXXp://46.166.163.127/images/support/uTorrent.exe
Size: 896,400 bytes
MD5: 59fe95f7fede6d69c007e2cd05356f07
The control panel login page is located at the URL: hxxp://46.166.163.127/login.php
The commands that this botnet can run on infected machines are the same as those used by the Herpes botnet. The list below is the Herpes panel's own command reference:
Commands:
Download/Execute: Downloads and executes the specified file.
What to put in the variable box = The URL of the file to be downloaded.
Update: Downloads and updates.
What to put in the variable box = The URL of the file to be downloaded and updated.
Visit Page [Visible]: Opens the default browser and visits the specified webpage.
What to put in the variable box = The URL of the page to be visited.
Visit Page [Invisible]: Opens Internet Explorer silently and visits the specified webpage.
What to put in the variable box = The URL of the page to be visited.
Upload Keylog: Sends the keylogger log to our server, and you will be able to download it from the Bot Information page. Attention: every uploaded file will remain there for 15 minutes and will then be deleted.
What to put in the variable box = Nothing.
Reset Keylog: Clears the key log.
What to put in the variable box = Nothing.
Upload Screenshot: Takes a screenshot and sends it to our server, and you will be able to download it from the Bot Information page. Attention: every uploaded file will remain there for 15 minutes and will then be deleted.
What to put in the variable box = Nothing.
Upload Error Log: Sends the error log to our server, and you will be able to download it from the Bot Information page. Attention: every uploaded file will remain there for 15 minutes and will then be deleted.
What to put in the variable box = Nothing.
DDoS Webpage: Sends requests to the specified webpage for 60 seconds. (Please note that the bot will not execute commands for 60 seconds because it is DDoSing. A high number of selected online bots will crash the webserver.)
What to put in the variable box = The webpage to be requested.
Silent CPU&GPU Bitcoin Miner: Starts using your bots to make a lot of bitcoins.
What to put in the variable box = http://workerusername:workerpassword@poolhost:poolport
Example: http://lollipop:byebye@pool.bitclockers.com:8332
Tip: To disable mining, just send this command with the variable box empty.
Torrent Seeder v2.5+: Starts using your bots to seed your torrent for you.
What to put in the variable box = The URL of the .torrent file to be downloaded.
Example: http://www.mywebsite/download.torrent
Open and Close CD Tray v2.5.1+: Just opens or closes the CD tray.
What to put in the variable box = Nothing.
Message Box v2.5.1+: Spawns a message box on the screen.
What to put in the variable box = The message to send.
Swap and Restore Mouse Buttons v2.5.1+: Swaps the mouse buttons or returns them to normal.
What to put in the variable box = Nothing.
Uninstall: Removes Herpes from the system.
What to put in the variable box = Nothing.
On the same criminal server infrastructure, a control panel named "CASHMARKET AFFILIATE" has also been located; it is the well-known Blackshades botnet, modified.
This control panel is accessed via the malicious URL: hxxp://46.166.163.127/bs/
The criminals did not even change the installation folder "bs" that comes with the Blackshades kit.
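As an added example (not code from this post, and nothing to do with the panel's authors), the following Python script turns the indicators published above into a practical sweep: it matches file hashes against the two MD5s of 1.exe and uTorrent.exe, and flags proxy-log requests to the C2 host 46.166.163.127, naming the payload URLs, the login.php panel page and the Blackshades-derived /bs/ panel path. The log it parses is a constructed Squid-native-style access.log; the client addresses, timestamps and the non-C2 entries are made up for the demonstration.

```python
"""IOC sweep for the Kerber0s / Herpes-style C2 described in the post.

Added example, not the post's own code: checks file hashes against the two
published MD5s and flags proxy-log requests to the C2 host. The log lines
below are a constructed Squid-native-style sample, not real captures.
"""
import hashlib
from typing import Iterable, Optional
from urllib.parse import urlsplit

C2_HOST = "46.166.163.127"
# Paths published in the post; any other path on the host is still flagged.
C2_PATHS = {
    "/1.exe": "payload download (1.exe)",
    "/images/support/uTorrent.exe": "payload download (uTorrent.exe)",
    "/login.php": "panel login page",
    "/bs/": "Blackshades-derived CASHMARKET AFFILIATE panel",
}
KNOWN_MD5 = {
    "e3954dfb5e35eb32c02530838fa8d4c9": "1.exe (489,472 bytes)",
    "59fe95f7fede6d69c007e2cd05356f07": "uTorrent.exe (896,400 bytes)",
}


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a blob. MD5 is used only because the post publishes MD5s."""
    return hashlib.md5(data).hexdigest()


def classify_sample(data: bytes) -> Optional[str]:
    """Label a file's bytes if its MD5 is one of the two published samples."""
    return KNOWN_MD5.get(md5_hex(data))


def classify_url(url: str) -> Optional[str]:
    """Return a reason string if the URL points at the C2 host, else None.

    The hostname is compared exactly, so 146.166.163.127 or a substring
    match never fires; known paths get a specific label, the rest a generic one.
    """
    parts = urlsplit(url)
    if parts.hostname != C2_HOST:
        return None
    return C2_PATHS.get(parts.path, "other request to C2 host")


def scan_proxy_log(lines: Iterable[str]) -> list:
    """Return (client_ip, url, reason) for every log line that hits the C2.

    Expected line shape (Squid native access.log, constructed here):
    <timestamp> <elapsed_ms> <client_ip> <code/status> <bytes> <method> <url> ...
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line: skip rather than crash
        client_ip, url = fields[2], fields[6]
        reason = classify_url(url)
        if reason is not None:
            hits.append((client_ip, url, reason))
    return hits


# Constructed sample log lines (hypothetical clients 10.0.0.x, TEST-NET hosts).
SAMPLE_LOG = [
    "1333000001.101 120 10.0.0.5 TCP_MISS/200 489472 GET http://46.166.163.127/1.exe - DIRECT/46.166.163.127 application/octet-stream",
    "1333000002.202 15 10.0.0.5 TCP_MISS/200 512 GET http://example.com/index.html - DIRECT/192.0.2.10 text/html",
    "1333000003.303 98 10.0.0.9 TCP_MISS/200 896400 GET http://46.166.163.127/images/support/uTorrent.exe - DIRECT/46.166.163.127 application/octet-stream",
    "1333000004.404 10 10.0.0.9 TCP_MISS/200 300 GET http://146.166.163.127/1.exe - DIRECT/146.166.163.127 application/octet-stream",
    "1333000005.505 33 10.0.0.77 TCP_MISS/200 2048 GET http://46.166.163.127/bs/ - DIRECT/46.166.163.127 text/html",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client_ip, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client_ip} -> {url}: {reason}")
```

Run against a real access.log by replacing SAMPLE_LOG with the file's lines; hosts seen fetching 1.exe or uTorrent.exe are infection candidates whose downloaded binaries can then be confirmed with classify_sample, while internal hosts requesting login.php or /bs/ are worth a closer look since those are operator-facing panel pages rather than bot check-ins.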