Friday, April 20, 2007

Shots from the Malicious Wild West - Sample Six

Continuing the "Malicious Wild West" series, the Blacksun RAT's web integration is so module-friendly that it makes you wonder why it isn't yet another case study in malware on demand, rather than the publicly obtainable open source malware it actually is. It injects into explorer.exe by default, uses port 2121 by default, and this HTTP bot is still in BETA. BETA in practice means more people will play around with the code and add extended functionality to it. There's a common myth that the majority of botnets are still operated through IRC based communications. Large botnets receiving commands over IRC certainly still exist, but there's an ongoing shift towards diversification, and HTTP, in all of its tunneling and covert beauty, seems to be the logical evolution.
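The two host-side facts above (injection into explorer.exe, port 2121 by default) are enough to hunt for in endpoint or flow telemetry. The following is an added example, not code from the original post or from the Blacksun project; it assumes a constructed, hypothetical log format in which each outbound connection is recorded with its owning process and destination, and it treats "explorer.exe talking HTTP to a non-standard port" and "destination port 2121" as two independent indicators. Operators can recompile with a different port or injection target, so a hit is a lead for triage, not proof of infection.

```python
"""Hunt for the Blacksun RAT network footprint described above.

Added example, not code from the original post or the Blacksun project.
The log format is constructed and hypothetical; real builds may change the
default port and the injection target, so findings are leads, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One constructed record per line; the field names are assumptions.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\S+)$"
)

BLACKSUN_DEFAULT_PORT = 2121          # from the post
INJECTION_TARGETS = {"explorer.exe"}  # from the post
ORDINARY_WEB_PORTS = {80, 443, 8080}  # shell processes talking HTTP here is unremarkable


@dataclass
class Connection:
    ts: str
    host: str
    proc: str
    pid: int
    dst: str
    dport: int
    proto: str


@dataclass
class Finding:
    conn: Connection
    reasons: List[str]

    @property
    def severity(self) -> str:
        # Two independent indicators on one connection is worth paging on.
        return "high" if len(self.reasons) >= 2 else "medium"


def parse_line(line: str) -> Optional[Connection]:
    """Parse one constructed log record; return None for malformed lines."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None  # skip junk instead of aborting the whole hunt
    return Connection(
        ts=m["ts"], host=m["host"], proc=m["proc"].lower(), pid=int(m["pid"]),
        dst=m["dst"], dport=int(m["dport"]), proto=m["proto"].lower(),
    )


def classify(conn: Connection) -> List[str]:
    """Return the indicators a connection matches (empty list = nothing odd)."""
    reasons = []
    if (conn.proc in INJECTION_TARGETS and conn.proto == "http"
            and conn.dport not in ORDINARY_WEB_PORTS):
        reasons.append(f"HTTP from {conn.proc} to non-standard port {conn.dport}")
    if conn.dport == BLACKSUN_DEFAULT_PORT:
        reasons.append(f"Blacksun default port {BLACKSUN_DEFAULT_PORT}")
    return reasons


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Run the indicators over a log and collect every connection that matches."""
    findings = []
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        reasons = classify(conn)
        if reasons:
            findings.append(Finding(conn, reasons))
    return findings


# Constructed sample records (not real telemetry); addresses are documentation ranges.
SAMPLE_LOG = [
    "2007-04-20T10:01:02Z host=ws17 proc=explorer.exe pid=1488 dst=203.0.113.10:2121 proto=http",
    "2007-04-20T10:01:05Z host=ws17 proc=explorer.exe pid=1488 dst=198.51.100.5:443 proto=https",
    "2007-04-20T10:02:11Z host=ws22 proc=svchost.exe pid=904 dst=203.0.113.10:2121 proto=http",
    "2007-04-20T10:03:40Z host=ws22 proc=firefox.exe pid=2210 dst=198.51.100.7:80 proto=http",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.severity}] {f.conn.host} {f.conn.proc}({f.conn.pid}) -> "
              f"{f.conn.dst}:{f.conn.dport}: " + "; ".join(f.reasons))
```

On the constructed sample the explorer.exe connection to port 2121 scores high, the svchost.exe connection to the same controller scores medium on the port alone, and the ordinary HTTPS and browser traffic is left alone. Note that the port indicator is also what catches a bot whose authors moved the injection out of explorer.exe but kept the build's default port.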

Here are some of the commands included in the default admin.php, which speak for themselves:

OPTION value=cmd
OPTION value=cmd
OPTION value=bindshell
OPTION value=download
OPTION value=ftp_upload
OPTION value=msgbox
OPTION value=power
OPTION value=monitor
OPTION value=cdrom
OPTION value=keyboard
OPTION value=mouse
OPTION value=crazymouse
OPTION value=funwindows
OPTION value=version
OPTION value=exitprocess
OPTION value=killmyself

Killmyself is quite handy: if you gain control of the botnet one way or another, you can disinfect the entire population with a single command. Stay tuned for various other "releases" in the upcoming virtual shots over the next couple of days.