The Healer new release

Version 1.2.0.0 is now available!

Added features: Persistent File Remover and FileAssasin.

Removed feature: Kaspersky Installer, since it is too heavy

Now there is only 1 version, since Kaspersky is removed.

 

Download here: https://www.dropbox.com/s/mwwt6womgdxujb6/The%20Healer%201.2.0.0.rar?dl=0

 

Inside the panel of the Andromeda Botnet

Recently, I have managed to obtain myself a stub of a still active Andromeda Botnet, and have sucessfully obtained access to the panel (Don’t ask how, even though when you are a botmaster you really should be getting a strong password xD). The botnet is hosted on a seemingly BulletProof server, and the Domain Registrar refused to sinkhole the domain name due to them ‘Not being able to monitor the traffic, as they are not the web host’. So I guess I can’t really sinkhole it except for killing the bots, and changing the encryption key and password to mess up the current progress by the botmaster.

Andromeda is a pretty old botnet from 2012, but is still commonly used. The botnet has a Rootkit, a Formgrabber, as well as a Socks Proxy plugin. But what I will be going in today is not the functionalities, but the interesting things about the stats of the botnets.

The compromised Andromeda Panel

The compromised Andromeda Panel

First of all, most of these bots are 32 bit, and not 64 bit. This clearly shows how the infection focused mostly on not so new machines, and probably not tech-savvy users. Windows 7 contains around 80% of the bots, and there are still Vista and XP bots. Also most of the bots are from third world countries such as Vietnam, Indonesia,… In fact, 1 third of the bots are from Vietnam.

stats by country

Interesting stats

You see, these countries are not rich countries, and therefore their cyber-defense and education budget is not really large. Parents here are generally not computer experts either, and therefore are easily tricked into installing malware on their system. Kids are not really educated about cyber security, so there is a high chance that search queries for game hacks will probably not end well.

There currently is only one task, and it is to download a file called XD.exe from the server. Closer looks will be taken at it in the next post. Good bye and see you again.

 

 

Getting your own host is better than using Direct Exe Hosting.

Direct Exe hosts are commonly used by malware as they allow a Downloader to work properly (I mean, if you used MediaFire, the HTML page will be downloaded, duh?). Despite getting blacklisted fairly fast, they are all still very popular as blacklist usually only affects the browser. However, what they DON’T know is that most Direct Exe hosts are highly vulnerable.

One fairly good example is NeverGreen.net

 

This direct Exe hosting is currently blacklisted by 18/68 AntiVirus engines on VirusTotal, and is advertised on HackForums. Despite the good design, the host is not really secure. All of the URLs are in the simple format of nevergreen.net/abc, where abc consists of 3 random numbers/letters. With 5 minutes of scripting, I made a scraper that would try to bruteforce the url, and obtained around 8 samples in a mere 3 minutes. The only problem was that Nevergreen does not remove files that are older than 1 month, therefore I am also getting samples that are as old as almost a year. File extension is another problem since some of the files might be .RAR, so I had to use ExeInfo PE to figure out what it is..

Another vulnerable host is AutoUpload.club. The full vulnerability is mentioned by L!NK in his video at https://www.youtube.com/watch?v=vQOidWoeOB8

Those are just the 2 direct exe hostings that I havve been looking at. So don’t rely on these hosts, since anyone can obtain your stub with ease.