To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

I've been trying to get a handle on how this botnet works for a while.  In February, their C&C server moved under the iframetraff / iframecash group, so I'm not sure if they still use this codebase, but it is certainly very interesting.

Like Joey, I lost my executables (probably stripped by AV somewhere along the way), but I have a packet capture of a full infection, which should have the binaries embedded inside.  This is from one of the original infections I ran across; I think it was in June/August 2005.  This was just when the iframe "hit men" started building their economic model.

If you're interested in the pcap file for the sake of furthering our understanding of http bots, and if you'd post any interesting findings to this list, send me a PGP key and I'll send you a copy of the file.  If I recall correctly (I haven't opened the file in a few months), the capture file goes something like:

--generic web request
--embedded banner ad request
--iframe request
--request for exploit code
--binary download (I think there were 2-3 binaries)
--beginning of the http phone-home (i.e., request for cmd.txt)

Joey Costoya wrote:
> The snapshot by Websense is similar (web layout, color scheme, and the
> forms) to the C&C for a bot I previously encountered. For this
> particular bot, it opens a file on the C&C web server every 5 seconds
> or so. This file can be found at
>
> /cgi-bin/socks/bot/cmd.txt
>
> Looks like that file contains the "commands" for the bot to execute,
> very much the same as the IRC topic commands.
>
> Unfortunately, I lost the sample (also forgot the detection name).
>
>
>
> On 4/15/06, Hubbard, Dan <[EMAIL PROTECTED]> wrote:
>>
>> We have seen quite a few web-based bot controllers. Here are some
>> screenshots.
>>
>> http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=257
>>
>>  ________________________________
>>  From: David Cheney [mailto:[EMAIL PROTECTED]
>> Sent: Fri 4/14/2006 3:58 PM
>> To: Mary Henthorn; botnets@whitestar.linuxbox.org
>> Subject: Re: [botnets] Web-Based Bots
>>
>> I too am interested in botnets whose command and control mechanism is
>> not IRC. The web and the community seem to be rife with anecdotal
>> evidence of elusive networks based on a variety of covert communication
>> channels, but as of yet I have not seen any real evidence. There is an
>> analysis of Phatbot which claims it uses a stripped down version of
>> WASTE:
>>  http://www.lurhq.com/phatbot.html
>>
>> But I haven't been able to confirm this one yet (looking for a sample).
>> If anyone finds such a beast, I would greatly appreciate any evidence.
>>
>> --dgc
>>
>> -----Original Message-----
>> From: Mary Henthorn [mailto:[EMAIL PROTECTED]
>> Sent: Friday, April 14, 2006 1:38 PM
>> To: botnets@whitestar.linuxbox.org
>> Subject: Re: [botnets] Web-Based Bots
>>
>> I haven't seen any response to this, but I'm also interested in
>> web-based and other non-IRC C&C botnets. I appreciate the ideas people
>> on this list shared with me and I'll use them when I watch the network
>> this weekend. I'll let you know if I learn anything new about non-IRC
>> C&C traffic.
>>
>> Mary
>>
>>
>> -----Original Message-----
>> From: Ken Dunham [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, April 05, 2006 2:59 PM
>> To: botnets@whitestar.linuxbox.org
>> Subject: [botnets] Web-Based Bots
>>
>> Hi,
>> I'm going to do a little research on web-based bots to date.  Does
>> anyone have any examples of web-based bots, where they are controlled,
>> where stats are provided, etc., to an HTTP solution rather than an IRC
>> solution?
>>
>> Thanks,
>> ken
>>
> _______________________________________________
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

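Joey's observation that the bot fetches /cgi-bin/socks/bot/cmd.txt every 5 seconds or so, and the http phone-home at the tail of the capture described in the first message, are the kind of fixed-interval request that a web-proxy log makes easy to spot without any sample binary. The following is an added example written for this page, not code from any of the posts or from the bot: it parses a constructed proxy log (the format "<epoch_seconds> <client_ip> <method> <url>", the host evil.example.com and the 10.0.0.x clients are all assumptions) and reports client/host/path streams whose request gaps are regular enough to look like a timer rather than a human.

```python
"""Spot periodic HTTP phone-home requests in a web-proxy log.

This is an added example, not code from any of the posts. The log format
is assumed to be "<epoch_seconds> <client_ip> <method> <url>" and the
sample lines, hosts and client addresses below are constructed.
"""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: 10.0.0.5 browses normally but also polls the bot's
# command file roughly every 5 seconds; 10.0.0.9 revisits one page at
# irregular times, which should not be reported as a beacon.
SAMPLE_LOG = """\
1145000000.0 10.0.0.5 GET http://www.example.org/index.html
1145000000.4 10.0.0.5 GET http://ads.example.net/banner.gif
1145000001.1 10.0.0.5 GET http://evil.example.com/cgi-bin/socks/bot/cmd.txt
1145000006.0 10.0.0.5 GET http://evil.example.com/cgi-bin/socks/bot/cmd.txt
1145000011.2 10.0.0.5 GET http://evil.example.com/cgi-bin/socks/bot/cmd.txt
1145000012.0 10.0.0.5 GET http://www.example.org/news/story.html
1145000016.1 10.0.0.5 GET http://evil.example.com/cgi-bin/socks/bot/cmd.txt
1145000021.0 10.0.0.5 GET http://evil.example.com/cgi-bin/socks/bot/cmd.txt
1145000030.0 10.0.0.9 GET http://www.example.org/index.html
1145000031.0 10.0.0.9 GET http://www.example.org/index.html
1145000090.0 10.0.0.9 GET http://www.example.org/index.html
1145000095.0 10.0.0.9 GET http://www.example.org/index.html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, client, host, path) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of crashing
        u = urlparse(m.group("url"))
        yield float(m.group("ts")), m.group("client"), u.netloc, u.path


def find_beacons(text, min_hits=4, max_jitter=0.25):
    """Return (client, host, path, median_gap_seconds, hits) for every
    client/host/path stream that repeats at least min_hits times with
    regular spacing: the standard deviation of the gaps divided by their
    median must not exceed max_jitter."""
    streams = defaultdict(list)
    for ts, client, host, path in parse_log(text):
        streams[(client, host, path)].append(ts)

    beacons = []
    for (client, host, path), times in streams.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= 0:
            continue  # duplicate timestamps; no usable period
        jitter = statistics.pstdev(gaps) / median_gap
        if jitter <= max_jitter:
            beacons.append((client, host, path, round(median_gap, 1), len(times)))
    return beacons


if __name__ == "__main__":
    for client, host, path, period, hits in find_beacons(SAMPLE_LOG):
        print(f"{client} -> http://{host}{path}: {hits} requests, ~{period}s apart")
```

On real proxy logs the thresholds need tuning: auto-refreshing pages, feed readers and AV update checks also poll on a fixed timer, so a hit is a lead to go and look at what the client actually fetched (here the body of cmd.txt), not a verdict on its own.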
