Inside the panel of the Andromeda Botnet

Recently, I have managed to obtain myself a stub of a still active Andromeda Botnet, and have sucessfully obtained access to the panel (Don’t ask how, even though when you are a botmaster you really should be getting a strong password xD). The botnet is hosted on a seemingly BulletProof server, and the Domain Registrar refused to sinkhole the domain name due to them ‘Not being able to monitor the traffic, as they are not the web host’. So I guess I can’t really sinkhole it except for killing the bots, and changing the encryption key and password to mess up the current progress by the botmaster.

Andromeda is a pretty old botnet from 2012, but is still commonly used. The botnet has a Rootkit, a Formgrabber, as well as a Socks Proxy plugin. But what I will be going in today is not the functionalities, but the interesting things about the stats of the botnets.

The compromised Andromeda Panel

The compromised Andromeda Panel

First of all, most of these bots are 32 bit, and not 64 bit. This clearly shows how the infection focused mostly on not so new machines, and probably not tech-savvy users. Windows 7 contains around 80% of the bots, and there are still Vista and XP bots. Also most of the bots are from third world countries such as Vietnam, Indonesia,… In fact, 1 third of the bots are from Vietnam.

stats by country

Interesting stats

You see, these countries are not rich countries, and therefore their cyber-defense and education budget is not really large. Parents here are generally not computer experts either, and therefore are easily tricked into installing malware on their system. Kids are not really educated about cyber security, so there is a high chance that search queries for game hacks will probably not end well.

There currently is only one task, and it is to download a file called XD.exe from the server. Closer looks will be taken at it in the next post. Good bye and see you again.



Giang Nguyen

Blogger, Security geek, and Tech Nerd. Send me your malware, I will dissect them.


Leave a Reply

Your email address will not be published. Required fields are marked *