The Hermes botnet was developed to discover access credentials for servers and other services through distributed brute-force attacks.
We are facing a botnet with a control panel almost identical to the one used by the Zeus Trojan, but with different functionality.
It uses the machines infected by the Trojan (zombies) as attack vectors, spreading the work among them so that each infected computer performs multiple authentication attempts against the target machine. The result is an incredible distributed brute-force tool.
Here is the control panel of the Hermes botnet:
The greater the number of compromised machines the panel commands, the greater the power of the brute-force attack, which throws thousands of authentication attempts from different IPs.
This further confuses the security systems of the attacked hosts, because a variety of machines with different IPs take part in the incident simultaneously. Blocking these IPs is difficult because there is no continuous stream of requests from a single IP to count, as there is in a classic brute-force incident.
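The blocking problem described above, seen from the defender's side, as an added example that is not part of the original analysis: a per-IP failure counter stays silent while a rule that counts failures and distinct source IPs across the whole service fires. The event tuple format, the thresholds and the sample data (documentation IP ranges) are assumptions made for this sketch.

```python
from collections import Counter, deque

def sample_events():
    """Constructed sample: 40 bots, 3 failed logins each over ~80 seconds,
    plus one legitimate user mistyping a password once."""
    events = []
    for bot in range(40):
        for attempt in range(3):
            ts = bot + attempt * 20  # seconds since start of capture
            events.append((ts, f"198.51.100.{bot + 1}", f"user{attempt}", False))
    events.append((30, "203.0.113.7", "alice", False))
    return sorted(events)

def per_ip_offenders(events, limit=10):
    """Classic rule: flag any single IP with more than `limit` failures."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n > limit}

def distributed_alerts(events, window=60, min_fails=50, min_ips=20):
    """Aggregate rule: within a sliding window, many failures spread over
    many distinct source IPs against the same service."""
    recent, alerts = deque(), []
    for ts, ip, _user, ok in events:
        if ok:
            continue
        recent.append((ts, ip))
        # Drop failures that fell out of the time window.
        while recent and recent[0][0] <= ts - window:
            recent.popleft()
        distinct_ips = {src for _, src in recent}
        if len(recent) >= min_fails and len(distinct_ips) >= min_ips:
            alerts.append((ts, len(recent), len(distinct_ips)))
    return alerts

if __name__ == "__main__":
    ev = sample_events()
    print("per-IP offenders:", per_ip_offenders(ev))
    print("first aggregate alert (ts, fails, ips):", distributed_alerts(ev)[0])
```

An alert from the aggregate rule is a reason to tighten controls on the service itself (account lockout, rate limiting per account, stronger authentication), since no individual source crosses a blocking threshold.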
The settings menu shows the list of passwords to be used for the brute-force attack.
The Import option in the panel menu is used to select the target machine for the distributed brute-force attack and the name of a previously uploaded file containing a list of usernames. Authentication attempts are launched against the victim host with the username/password pairs formed from that file and the password list above.
In the Hermes panel that was analyzed, it can be seen that the criminals used it for testing, with files containing the IP address ranges of active machines hosted on the Dreamhost and Godaddy USA ISPs. The panel also shows the files containing the lists of usernames for the brute-force attack.
The username files contain lists of people's surnames and names to test.
The Note option in the panel shows that thousands of requests were made against Godaddy addresses to test the Hermes panel.
On 05/12/2012, 513.000 brute-force authentication attempts were made against Godaddy servers at 18:15, 410,000 brute-force authentication attempts were made at 21:15, 481.460 brute-force authentication attempts were made at 22:44, etc.