So if you have been following my posts on this blog, you may have noticed a large number of posts about the “betabot” malware. Betabot is an HTTP bot which is sold on hackforums.net. Despite a number of complaints about serious stability issues, it has become popular with some of the more dedicated script kiddie residents of that board, leading to the botnets posted on this blog.
Today I noticed an interesting feature included in betabot. The coder had apparently seen fit to include the hackforums nickname of the purchaser in each malware file. While the motive appears to be incompetence rather than malice, this has allowed me to link a number of the posted botnets with profiles on hackforums.
Marvid
While Marvid has already left a number of clues about what botnets he controls (see his tag), this makes it official.
String: marvid82_v1$ Botnet
Cobraxxx
String: cobraxxx_v1$ Botnet
Solid006
String: solid006_v1$ Botnet
Shubhank
String: shubhank_v1$ Botnet
h4r3 (also on trojanforge)
String: h4r3_v1$ Botnet
(This betabot downloaded two citadel botnets)
Stringback
String: stringback_v1$ Botnet
Boing
String: boing_v1$ Botnet
Disfigure
String: 1427399_v1$ Botnet
Victory
String: 792476_v1$ Botnet
These are just the obvious ones. I’ll do a bit of searching and post some more soon.
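For analysts sorting a pile of samples, the embedded marker described above can be extracted and used to group files by purchaser tag. This is an added example, not code from the original post: the regular expressions, the decision to search both single-byte and UTF-16LE encodings, and the sample buffers are assumptions built from the shape of the strings listed above.

```python
import re
from collections import defaultdict

# Assumption: the marker is an alphanumeric run followed by the literal "_v1$",
# the shape of every string listed in the post. Both single-byte and UTF-16LE
# encodings are searched because the post does not say how it is stored.
ASCII_TAG = re.compile(rb"([A-Za-z0-9]+)_v1\$")
WIDE_TAG = re.compile(rb"((?:[A-Za-z0-9]\x00)+)_\x00v\x001\x00\$\x00")


def extract_tags(data: bytes) -> set[str]:
    """Return every embedded '<tag>_v1$' value found in a file's bytes."""
    tags = {m.group(1).decode("ascii") for m in ASCII_TAG.finditer(data)}
    tags |= {m.group(1).decode("utf-16-le") for m in WIDE_TAG.finditer(data)}
    return tags


def cluster_by_tag(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Group sample names by embedded tag; untagged files go under ''."""
    groups = defaultdict(list)
    for name, data in sorted(samples.items()):
        for tag in sorted(extract_tags(data)) or [""]:
            groups[tag].append(name)
    return dict(groups)


# Constructed sample buffers (not real malware; the tags are made up).
SAMPLES = {
    "a.bin": b"MZ\x90\x00" + b"\x00" * 16 + b"exampleuser_v1$\x00" + b"\xcc" * 8,
    "b.bin": b"\x01\x02" + "exampleuser_v1$".encode("utf-16-le") + b"\x00\x00",
    "c.bin": b"\xff" * 4 + b"1234567_v1$" + b"\x00",
    "d.bin": b"plain file with v1 but no marker",
}

if __name__ == "__main__":
    for tag, names in cluster_by_tag(SAMPLES).items():
        print(tag or "<no tag>", names)
```

Files that share a tag were built for the same purchaser value, whether that value is a name or an all-digit string like the last two entries in the list.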
Anonymous - September 17, 2013 at 9:50 pm
I run across multiple botnets in my job. Would you care for additional undiscovered botnets?
Pig - September 18, 2013 at 9:13 pm
feel free to upload samples and add them here 🙂
Anonymous - September 20, 2013 at 8:32 am
please post new version of betabot ( 1.5 ) thanks