Tuesday, 27 December 2011

Herpes botnet



I recently received an email (from Alexander Rasch) asking me to have a look at 'Herpes', a sort of affiliate service: you just have to register on the site and you can start infecting immediately (C&C and EXE are ready after registration).

Herpes sample on VirusTotal (13/43 >> 30.2%):
http://www.virustotal.com/file-scan/report.html?id=15a2963ee5bdbc3562e69dfc703fe1895e42a301f639d62f29c8ea7686830616-1324944831

Advert:

Login:

Statistics:

Clients:

Task:

User:

About:

Call home:

Each 5secs:



A task was sent? Looking for the right one:

ID| - Create a key 'id' at HKCU\Software\HSetting
DL| - Download
VI| - Visit webpage (invisible)
VV| - Visit webpage (visible)
UP| - Update
UN| - Uninstall
EL| - Email Log (No feature inside the bot)
ES| - Email Screenshot (No feature inside the bot)
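
The 5-second call-home interval noted above is a usable network signature. The following is an added example, not code from the original post or from the bot: it flags client/host pairs in proxy logs that poll at that fixed interval. The log format, host names, tolerance and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

BEACON_SECONDS = 5.0  # call-home interval reported in the post
TOLERANCE = 1.0       # assumed jitter allowance per interval (seconds)
MIN_REQUESTS = 5      # assumed minimum number of requests before flagging

# Constructed proxy log: timestamp, client IP, host, path (all hypothetical).
SAMPLE_LOG = """\
2011-12-27T10:00:00 10.0.0.5 c2.example.invalid /gate
2011-12-27T10:00:05 10.0.0.5 c2.example.invalid /gate
2011-12-27T10:00:10 10.0.0.5 c2.example.invalid /gate
2011-12-27T10:00:16 10.0.0.5 c2.example.invalid /gate
2011-12-27T10:00:21 10.0.0.5 c2.example.invalid /gate
2011-12-27T10:00:02 10.0.0.9 news.example.invalid /
2011-12-27T10:00:03 10.0.0.9 news.example.invalid /style.css
2011-12-27T10:00:40 10.0.0.9 news.example.invalid /article/1
2011-12-27T10:02:10 10.0.0.9 news.example.invalid /article/2
2011-12-27T10:05:00 10.0.0.9 news.example.invalid /
2011-12-27T10:00:01 10.0.0.7 c2.example.invalid /gate
2011-12-27T10:00:06 10.0.0.7 c2.example.invalid /gate
"""

def group_requests(log):
    """Group request timestamps by (client, host), skipping malformed lines."""
    groups = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        groups[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
    return groups

def find_beacons(log):
    """Return (client, host, median_gap) for pairs polling at ~BEACON_SECONDS."""
    hits = []
    for (client, host), stamps in sorted(group_requests(log).items()):
        if len(stamps) < MIN_REQUESTS:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = sum(abs(g - BEACON_SECONDS) <= TOLERANCE for g in gaps)
        # Require most gaps to match so a single dropped poll does not hide the beacon.
        if regular / len(gaps) >= 0.75:
            hits.append((client, host, median(gaps)))
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

The third client in the sample is left unflagged only because it has too few requests; lowering `MIN_REQUESTS` trades earlier detection for more false positives.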

But don't forget: this service come from HF (mean there is a faggotry obligatorily somewhere)



cookie stealer fuckyeah.
This is not the first time I've seen Herpes:

The following directories were found (I've not searched a lot):
• dns: 1 ›› ip: 209.190.61.26 - adresse: ZEROXCODE.NET
http://www.zeroxcode.net/herpnet/inc/js/
http://www.zeroxcode.net/herpnet/css/
http://www.zeroxcode.net/herpnet/img/months/
http://www.zeroxcode.net/herpnet/flags/

Edit: About HackForum, a wild scammer appeared!

 The "proof":

Well, this is an edited picture from one of my blackhole screenshots (109.236.81.244)
Nice try anyway.

9 comments:

  1. The virustotal link seems wrong. Can you post the right one please or give the MD5?

  2. try to look on VT for: 91A3544D7792FFD092BABC9F83DFE731

  3. Hahaha!, very buggy botnet console!!!, thanks Xylitol!!, check your address bar in the browser of the france bot!.

  4. hackforums.net? ftw

  5. all > hackforums.net > Void error

  6. One of my favorite blogs evaaaaaar!!!
    Greetz from Israel!

  7. bro,
    you kill the bots?
    is not even crypted, I found this yesterday binded with some program, first time when I hear about herpes, after a google search I landed here
    nice analysis.

  8. Hi and thanks to this article Xylitol
    Can I post here the link of my analysis? Thanks a lot
    HerpesNet: from a .exe to Franciso Pompo -----> http://toolzware.com/theblog/en/herpesnet-botnet-1-7/
