New DIY HTTP-based botnet tool spotted in the wild

By Dancho Danchev

What are cybercrime-facilitating programmers up to when they’re not busy fulfilling custom orders? Releasing DIY (do-it-yourself) user-friendly tools allowing anyone an easy entry into the world of cybercrime, and securing their revenue streams thanks to the active advertisements of these tools across closed cybercrime-friendly Web communities.

In this post, I’ll profile a recently advertised DIY HTTP-based botnet tool that allows virtually anyone to operate their own botnet.

More details:

Sample login page of the DIY HTTP-based botnet tool:


Sample statistics page:


As you can see in the attached screenshot, the botnet master has already managed to infect 232 hosts, 130 of which are based in Spain and are running Windows XP.

Sample commands list:


Sample commands list, part two:


The bot has a built-in pharming feature, a bit of an outdated approach for stealing accounting data compared to modern crimeware releases, but still highly effective on hosts where the user isn’t aware of how the process actually works.

Sample settings page:


Actual description of the DIY HTTP-based botnet tool:

Coded in Visual Basic Script 6.0


* – Domain 4 connections
* – Mutex Anti double execution
* – Access Key Exe (Server with password)
* – Anti-analyzers (10-20 Pc locked, USA, ROMANIA, CHINA, GERMANY, ETC)
* – Description of the server for updates (Register exe version)
* – Melt function
* – Connection time 120 seconds (more than 1GB RAM VPS-10k)


Build options:

* – Download and run hidden mode
* – Upgrading Server (Need key exe) ‘download the new server.exe eliminating the current to be replaced by the new volk or some other botnet, the volk will be removed from windows start.
* – Remove Bot

Explorer options:
* – Navigate Website (Visible) ‘bots visit a url with the default explorer
* – Visit the website (Hidden) ‘bots visit a url in hidden mode

Banking Options:
* – Hosts Pharming (win32) ‘Bots are modified for visiting fake web ip / domain

WebPanel Options:
* – Command (Run Command) ‘is run by Bots, Shuffle, Country, Builder, Systema Operating or all bots
* – Setting User: Option to change password webpanel add user permissions, manager or just modding
* – Statistics: Displays total bots, bots online, Offline Bots, Bots concect.

We’ll continue monitoring the development of this emerging ecosystem trend, and post updates as soon as new developments emerge.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
