Friday, April 20, 2007

Shots from the Malicious Wild West - Sample Five

Open source malware with a MSQL based web command and control? It's not just Sdbot and Agobot being the most popular malware groups that have such features by default, but pretty much every new bot famility. The Cyber Bot, a malware on demand is one of these. Among the typical DDoS capabilities such as SYN,ACK, ICMP, UDP, DNS and HTTP post and get floods, it offers various rootkit capabilities in between the ability to bypass popular AV and firewall software. I recently located various screenshots from the web command and control which I'm sure you'll find enlightening. A picture is worth a thousand fears as usual. Rather interesting, the bot is able to figure out whether the infected user is on a LAN, dialup, or behind a proxy connection, the rest of the statistics such as IP geolocation and infected users per OS are turning into a modular commodity. It's also worth noting that the web interface has the capability to offer access to the control panel to more than one registered user, which logically means that it's build with the idea to provide rental services.

Here's a related post with more web command and control screenshots, and another one taking into consideration various underground economics.