Blue Botnet - HTTP Botnet

Found a sample in the wild .



the sample was uncrypted as well and its coded in .NET C# also .



also lets take a look inside ( .NET )



Traced bot back and found the host , hacked it , got his panel.rar lol so following pictures are just a demo
on my local net ..

// index.php 
?php
error_reporting(E_ERROR | E_PARSE);
if (file_exists("phash") == false){
 header("Location: register.php");
} else {
 $filename = "phash";
 $fp = fopen($filename, "r");
 $content = fread($fp, filesize($filename));
 fclose($fp);
 $storedPassHash = $content;
 $passHash = $_COOKIE['phash'];
 if (md5("randomsalt".$passHash) != $storedPassHash){
  header("Location: login.php");

Diferent ddos methods uses HTTP Proxy flood , Wordpres Pingback (xmlrpc) , TCP etc ...
looks like HyperBeamEngine



a demo of TCP flood , it requests
botserver/panel/target.ip
botserver/panel/target.method
botserver/panel/target.port





HTTP Flood , http proxys of setting are saved here " botserver/panel/proxy " thats how the bot reads it
if the target.method is HTTPFLOOD







Wordpress Pingback or how he calls it PRESS same as at the HTTPFLOD but here is the file savend uder
botserver/panel/blog thats the file which we add hosts at setting



an online running botnet i found is here :

hxxp://burimche.net/help/login.php
// all online ip's of bots
hxxp://burimche.net/help/visitors.txt
hxxp://burimche.net/help/target.ip
hxxp://burimche.net/help/target.method
hxxp://burimche.net/help/target.port
// online bots
hxx://burimche.net/help/botlogger.php

Want Sample and Panel ? conntact me at email , for research purposes only !!

Zeus / Cryptlocker - skid - information@jupimail.com

Found an easy modified zeus panel , after puting a shell into
so we got user and pass from database i found there was an
script enabled for download and execute a file see at pic3







Virustotatl update.src .. this is a cryptlocker



also the desktop after it execution



So it give's an email address and says that conntact him and send him an sum from 100$ then we get our files back ,
so i wrote him an email just for fun and after some conversation i told him i dont know what bitcoin is im just a stupid
user that lost his data and just want my data back, he responded like this



also an identity of a person , not sure if he is or like he said just a drop but he also send me other name's



I almost got him lol see following picture ..



and ye this was hist last message , PS lulz at his english

Bro you seriousl or you malware reserceher?


i give you valid details

My name is Ivan Fedorov

i am in Latvia




You sure you wont myhelp

i am sent you N7 msg

any who REALY need data computer ASK N1 GET BITCOIN


MAKE IN 48 HOURZ


I UZE ZEUS BOTNETZ

ANTI CORUPTIONZ ANTI ILLUMINATI SYSEM

HOW YOU R MOMA DIE SLOW IN HOSPITAL

YOU BE SOME 1 GUY RUS HOW YOU ПИДАРАЗ
MAKE PAUZE YOUR SELF!


ты вставляешь пралки в калеса я рублюза за норм и не трогаю руских


ты тебя мама кормит она скора умрет и будет повышенпие оплат за квартиры и за еду и комунальных услуг и тд


короче нахуй ты мне тут мозг ееш и на тебя размениваться

ЧТОБ ТВОЯ МАМА УМЕРЛА


YOUR MOM EAT MY EXE

DON KILUMINATI 7 DAY THEORY

IRC Botnet - 218.200.153.154 - PWNED

I don't know if this kid is just stupid or he really trying to dox me ,
if so keep it going lol . Another attack from him on my honeypot

and aggain he is using an IRC server for hosting bot's

PWNED aggain .. lolz

Bot - botnet1.zapto.org - IRC

dns : botnet1.zapto.org
dns2: nhg24.zapto.org

>> PASS NhG
<< NOTICE AUTH :*** eh...
>> NICK Taze{NhG-XP-USA}595632
>> USER 2847 "" "TsGh" :2847
<< 001 Taze{NhG-XP-USA}595632
<< 002 Taze{NhG-XP-USA}595632
<< 003 Taze{NhG-XP-USA}595632
<< 004 Taze{NhG-XP-USA}595632
<< 005 Taze{NhG-XP-USA}595632
<< 005 Taze{NhG-XP-USA}595632
<< 005 Taze{NhG-XP-USA}595632
<< 422 Taze{NhG-XP-USA}595632 :MOTD File is missing
>> JOIN #!Nh!# NhG
>> PING :HTTP1.4
>> PONG :HTTP1.4