We Promised Botnet Crazy, and we Deliver..


Every now and again, I see people firing URLs into chat-rooms - and this particular link (from an anonymous tipoff) would lead me to a rather unusual destination. It's one of the oddest Botnet escapades I've seen in a while.

Our tale begins with me downloading and running an executable I'd been informed about. In case you're wondering (and you probably are), they've cunningly disguised it as a movie file:

gncinffile1.jpg

...clever, eh? Well, not really. But you'd be amazed how many people will fall for something like this. And seeing how Botnets are flavour of the month around here at the moment, I thought I'd have a poke around this little operation and see what I could find. You'll never guess where this one ends up though...
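The disguise described above only works because the victim trusts the filename. The following is an added example (not code from the original post) of the check a defender would run on a download before opening it: compare what the extension claims against what the first bytes of the file actually are, and flag the double-extension trick that Explorer's hidden-extension default makes invisible. The sample files are constructed stand-ins, not the files from the forum directory, and the magic-byte values are the well-known ones for PE, AVI, ASF/WMV and MPEG-PS.

```python
"""Flag downloads whose extension claims a media file but whose contents
are a Windows executable. All sample data below is constructed for this
example; none of it is taken from the original post."""
from dataclasses import dataclass, field

# Well-known magic-byte prefixes.
PE_MAGIC = b"MZ"                                   # DOS/PE executable stub
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")  # .asf/.wmv header
MPEG_PS = b"\x00\x00\x01\xba"                      # MPEG program stream pack header

MEDIA_EXTS = {"avi", "wmv", "asf", "mpg", "mpeg", "mov", "mp4"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}


@dataclass
class Verdict:
    name: str
    claimed: str            # what the extension says the file is
    actual: str             # what the leading bytes say it is
    suspicious: bool
    reasons: list = field(default_factory=list)


def sniff(data: bytes) -> str:
    """Classify content by magic bytes: 'executable', 'media' or 'unknown'."""
    if data.startswith(PE_MAGIC):
        return "executable"
    if data.startswith(b"RIFF") and data[8:12] == b"AVI ":
        return "media"
    if data.startswith(ASF_GUID) or data.startswith(MPEG_PS):
        return "media"
    return "unknown"


def inspect_file(name: str, data: bytes) -> Verdict:
    """Compare the claimed type (extension) with the sniffed type (content)."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in MEDIA_EXTS:
        claimed = "media"
    elif ext in EXEC_EXTS:
        claimed = "executable"
    else:
        claimed = "unknown"
    actual = sniff(data)

    reasons = []
    if claimed == "media" and actual == "executable":
        reasons.append("extension claims media but content is a PE executable")
    # "movie.avi.exe": the real extension is the last one; a media-looking
    # extension before it is there purely to mislead.
    if ext in EXEC_EXTS and len(parts) > 2 and parts[-2] in MEDIA_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    return Verdict(name, claimed, actual, bool(reasons), reasons)


# Constructed samples: a PE stub with a movie extension, the same stub with a
# double extension, and a genuine-looking AVI header.
SAMPLES = {
    "funny_movie.wmv": b"MZ\x90\x00" + b"\x00" * 60,
    "funny_movie.avi.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "holiday.avi": b"RIFF\x00\x10\x00\x00AVI LIST",
}


def scan(samples=SAMPLES) -> dict:
    """Run inspect_file over a name->bytes mapping and return the verdicts."""
    return {name: inspect_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for v in scan().values():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.name:22} claimed={v.claimed:10} actual={v.actual:10} "
              f"{flag} {'; '.join(v.reasons)}")
```

The check is deliberately cheap: it reads only the first few bytes, so it can run on every attachment or download before any user interaction, and a mismatch between claimed and actual type is reason enough to quarantine rather than open.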

http://blog.spywareguide.com/upload/2006/06/welcomegnc-thumb.jpg

...and we're in! Small to average sized net, as you can see from the numbers in the picture. Checking out the first channel didn't really bring up anything interesting - just the usual Botnet channel scanning for vulnerabilities:

http://blog.spywareguide.com/upload/2006/06/gncchan1-thumb.JPG

Nothing to see here then, right?

Wrong. Because we still have one channel left, and it's the channel that's going to confirm the relation between the random URL link from my tipoff and this particular Botnet:

http://blog.spywareguide.com/upload/2006/06/gncchan2-thumb.jpg

Now, deciding to investigate further, I went and checked out the site that this thing came from. Usually it's an otherwise empty "holding page", or a site advertising pills of some description - imagine my surprise, then, when I saw the site hosting this thing was...

http://blog.spywareguide.com/upload/2006/05/gncforum-thumb.jpg

Yep, a popular forum (3,500 or so users!) about Christianity.

Of course, it's entirely possible that the site could have been hacked and a single file has been dumped there, randomly. It happens all the time. However - go back a step and check out the directory that the executable is sitting in:

http://blog.spywareguide.com/upload/2006/05/gncfiles-thumb.jpg

Oh noes!

A whole pile of extremely nasty files. In addition, this directory has nothing to do with the Forum, so someone has some pretty high level access going on there.

Worse still, the first file appeared on the 26th December 05...and we know what day comes before the 26th, right? And the files have continued to grow until the 25th May 06.

So, we have a pile of nasty files, all sitting in a directory hidden behind a religious interest forum, with some of the files being used in a mini-Botnet Empire.

Did I mention the files were nasty?

Oh, yes indeed.

Some kick IRC into life in a vaguely obvious "you've been jacked" kind of fashion:

http://blog.spywareguide.com/upload/2006/06/gncircbx1-thumb.jpg

One of the files completely kills your ability to browse the web - IE? Firefox? Opera? Doesn't matter, it'll break them all. Another slaps you down with a lovely slice of virus pie, and if you're insane enough to run everything there just for laughs, well, don't be surprised when your PC slows to a crawl and demands to be put out of its misery.

As of this moment in time, Wayne Porter has attempted to contact the site owners via email (it bounced due to the mailbox being full) and via their DNS contact information - so far, no reply. We'll keep you updated on how this one goes...

About this Entry

This page contains a single entry by Christopher Boyd published on June 1, 2006 12:07 PM.
