viernes, 9 de noviembre de 2012

Kerber0s Bot Panel


has been found a new botnet called "Kerber0s Bot Panel". This control panel is hosted at IP 46.166.163.127 belonging at the Provider INTERNET-SERVICES SANTREX in Romania

The Malware infection vector is downloaded from the address:

hxxp://46.166.163.127/1.exe

Size: 489,472
MD5: e3954dfb5e35eb32c02530838fa8d4c9

&

hXXp:// 46.166.163.127/images/support/uTorrent.exe

Size: 896400
MD5: 59fe95f7fede6d69c007e2cd05356f07


The Control Panel Access Menu is located at URL: hxxp://46.166.163.127/login.php




The commands That can run this botnet  at infected machines are the same as used by the Botnet Herpes:

Commands:

Download/Execute: Download and execute the specified file.
What to put in the variable box = The URL of the file to be downloaded.

Update: Download and update.
What to put in the variable box = The URL of the file to be downloaded and updated.

Visit Page [Visible]: Open the default browser and visits the specified webpage.
What to put in the variable box = The URL of the page to be visited.

Visit Page [Invisible]: Open Internet Explorer silently and visits the specified webpage.
What to put in the variable box = The URL of the page to be visited.

Upload Keylog: Sends the keylogger log to our server and you will be able to download it
from the Bot Informations page. Attention, every uploaded file will rest there for 15 minutes, and after will be deleted.
What to put in the variable box = Nothing.

Reset Keylog: Clears the key log.
What to put in the variable box = Nothing.

Upload Screenshot: Take a screenshot and sends to our server and you will be able to download it
from the Bot Informations page. Attention, every uploaded file will rest there for 15 minutes, and after will be deleted.
. What to put in the variable box = Nothing.

Upload Error Log: Sends the Error Log to our server and you will be able to download it
from the Bot Informations page. Attention, every uploaded file will rest there for 15 minutes, and after will be deleted.
What to put in the variable box = Nothing.

DDoS Webpage: Sends a request to the specified webpage for 60 seconds
(Please note that the bot will not execute commands for 60 seconds because is DDoSing. An high amount of selected online bots will crash the webserver).
What to put in the variable box = The webpage to be requested.

Silent CPU&GPU Bitcoin Miner: Start to use your bots to make a lot of bitcoins.
What to put in the variable box = http://workerusername:workerpassword@poolhost:poolport
Example: http://lollipop:byebye@pool.bitclockers.com:8332
Tip: For disabling mining just send this command with the variable box empty.

Torrent Seeder v2.5+: Start to use your bots to seed your torrent for you.
What to put in the variable box = The url of the .torrent file to be downloaded
Example: http://www.mywebsite/download.torrent

Open and Close CD Tray v2.5.1+: Just opens or closes the CD tray.
What to put in the variable box = Nothing.

Message Box v2.5.1+: Spawn a message box on the screen.
What to put in the variable box = The message to send.

Swap and Restore Mouse Buttons v2.5.1+: Swaps or return to normal the mouse buttons.
What to put in the variable box = Nothing.

Uninstall: Remove Herpes from the system.
What to put in the variable box = Nothing.


In this criminal server infrastructure has been located the control panel "CASHMARKET AFFILIATE" that is the same botnet that the known Blackshades botnet but modified.

This control panel is accessed by malicious URL: hxxp://46.166.163.127/bs/

Criminals have not changed even the installation folder "BS" feature at BlackShade kit



No hay comentarios:

Publicar un comentario en la entrada

Nota: solo los miembros de este blog pueden publicar comentarios.