HTBomber: A Botnet With Infinite Ringmasters


"This is going to be the ultimate tool to take down a webserver of our choosing. I need you guys help distributing it." - The creator of the below Botnet and related executables

Here's an interesting (and particularly unpleasant) Botnet. While building out the net, the creator posted this to a forum:

"This is a screenshot of me testing the program against Google, using 1 bot. As you can see, the loop speed of the program is so fast that it's downloading at an incredible speed. According to NetLimiter, this bot was downloading from Google at almost 4 times my connection line speed max, and uploading over 40kb faster than my max line speed."

A few revisions later, and the botnet is ready to roll. This Botnet is highly unusual in that the creator is freely advertising its services from both his website and inside downloadable zips of the infection executables - absolutely anyone can jump into the IRC Channel and give commands to the Bots. See where that whole "Infinite Ringmaster" thing comes into play now? In this net, everybody is famous for 15 minutes (or until their Bots stop bombing websites, whichever comes first).

The infection files themselves are disguised to look like hacking programs - anyone considering jumping on the hacking bandwagon and running any of the following:

[screenshot: list of the disguised executable filenames]

...will quickly find themselves dumped into the Botnet as a drone.

The text from the supplied Readme is as follows:

********** IRC v2.0 by **********

For you fools out there, don't run the EXE. That is the file that you pass around to the victims.
This is an IRC BOTNET. You must connect to the IRC server listed below to be able to access these bots.
This new version is a very powerful HTTP bomber, as you may have seen from the screenshot I posted.

This version also contains the capability of self updating.
I've done my best to hide this program from AV's by using EXE packers.

YOU MUST TYPE THE COMMAND EXACT, OR YOU WILL RECEIVE ERROR AND/OR CRASH THE BOT
YOU MUST TYPE THE COMMAND EXACT, OR YOU WILL RECEIVE ERROR AND/OR CRASH THE BOT
YOU MUST TYPE THE COMMAND EXACT, OR YOU WILL RECEIVE ERROR AND/OR CRASH THE BOT

*instructions for issuing commands removed*

For example: You want to bomb www.google.com. Go to that site in your browser, and find the path of an image hosted on the site. For www.google.com, their main logo is www.google.com/intl/en_ALL/images/logo.gif

It is CRUCIAL that you DO NOT type http:// into the address that you are bombing. The colon : in the http:// will disrupt the bot's data parsing technique and could possibly crash the bot.

So, if you wanted to bomb google, 10,000 times, you would type to the bots this command

*bombing instructions removed*

=============================PLEASE NOTE=============================
The bots WILL TELL YOU when they are done with the last accepted
command! Do not flood the bots!
=====================================================================

The rest goes into detail about the function of the executables, the server to join, channel information and the password to enter the channel correctly. Of course, posting your Botnet login data like this is a crazy thing to do, because you're practically begging for people to enter the channel who don't know what they're doing and start screwing up on a grand scale.
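The traffic pattern the readme describes (one drone fetching a single image path thousands of times) is simple to spot from the web-server side. The following is an added detection example, not code from the original post or from the botnet author: it parses constructed Apache-style access-log lines and flags any client that requests one path more than a threshold number of times inside a sliding time window. The addresses, threshold and window size are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common-log-format line: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample log (not real traffic): one client fetching the same
# image path 30 times in five seconds, one client browsing normally.
FLOOD_LINE = ('203.0.113.7 - - [20/Feb/2008:11:07:{:02d} +0000] '
              '"GET /intl/en_ALL/images/logo.gif HTTP/1.1" 200 8558')
NORMAL_LINES = [
    '198.51.100.4 - - [20/Feb/2008:11:07:02 +0000] "GET / HTTP/1.1" 200 6123',
    '198.51.100.4 - - [20/Feb/2008:11:07:02 +0000] '
    '"GET /intl/en_ALL/images/logo.gif HTTP/1.1" 200 8558',
    '198.51.100.4 - - [20/Feb/2008:11:07:09 +0000] "GET /search?q=x HTTP/1.1" 200 20411',
]
SAMPLE_LOG = "\n".join([FLOOD_LINE.format(1 + i // 6) for i in range(30)] + NORMAL_LINES)


def parse_line(line):
    """Return (ip, path, timestamp) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], m["path"], datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")


def flag_floods(log_text, threshold=20, window=timedelta(seconds=10)):
    """Return {(ip, path): peak_count} for every client that requested one
    path at least `threshold` times within any `window`-long span."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            ip, path, when = rec
            hits[(ip, path)].append(when)
    flagged = {}
    for key, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # slide the window's left edge forward
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged
```

Because the bots request an existing image, every hit returns 200 and looks individually legitimate; the tell is the per-client repetition of one path, so rate-limiting or blocking should key on the (client, path) pair rather than on error codes.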

Inexperienced botnet wielders can quite easily start breaking lots of things they might not have even intended as targets. And how many of them (when frustrated by their inability to control the bots) will simply start using the details to attack Google as detailed in the readme? It's unlikely this would cause any problems for Google, of course - however, the intention here seems to be to jam as many people into the pilot seat as possible and have them fire at will.

Never a good thing, especially when the Botnet owner himself is apparently feeling the strain as seen in his, er, welcoming message to visitors:

[screenshot: http://blog.spywareguide.com/upload/2008/02/angry_botnet_guy-thumb.gif]

...charming. As the executable files are being promoted on forums with up to 2000+ members (with the intention that they go out into the wide blue yonder and try to trick people into running the infection files) it could spread very quickly.

We detect this infection as HTBomber.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher


About this Entry

This page contains a single entry by Christopher Boyd published on February 20, 2008 11:07 AM.
