Saturday 11 August 2012

Citadel

Found on a server that hosted Dorifel (http://www.securelist.com/en/blog?weblogid=208193776)
4 different Citadel kits targeting the Netherlands, here is one of them:
8 397 976 reports, 48 033 bots.. not bad.

Panel screenshots (images not preserved in this copy, captions only): Login, Summary, Setup, Cron, OS, Installed Software (2/5, 3/5, 4/5, 5/5), Firewall (2/3, 3/3), Antivirus (2/5, 3/5, 4/5, 5/5), Bots, Full infs, Script, VNC, Context menu, VNC Infs, VNC Config, Account parser, URL rules, Search in database, Search in files, Botnets name, CMD Parser, View videos, Jabber notifier, Information, Options, User, Users, Edit user, Note, Crypt EXE.


The second panel (hosted on the same server) is bigger:
with 64 596 bots and 17 887 287 reports, this one has its interface in Russian.


Malware execute task:
• dns: 1 ›› ip: 184.82.162.163 - adresse: XERTGFD.RU (this 'server')
I say 'server' in quotes because it's very probable that these IPs are just used as proxies.
If the police take that server, they won't have data, only nginx/apache logs, and probably the server is not saving those logs; imho the backend server is elsewhere.

And surprise... yeah, you guessed it, it's another Citadel:
994 bots and 66 188 reports

And... yes, it's a 4th Citadel hosted on the same shit!
But this one is still under heavy brute force.
So for the moment: 113k bots and 26351k reports on one IP... anyone have better?

Also, for those who sent me their Citadel builders and ask for cracks, let's make things clear:
The builder takes some information about your machine (some specific params) and uses these params to make a hash; this hash is used to decode the bot template inside the builder binary.
So I need a valid hash from a customer, because every builder has the bot template encrypted with a different hash value.
It's impossible (for me) to crack it without having a good hash key.
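As an added illustration (not Citadel's code, and not its real key derivation, which the post does not describe), the following Python shows the mechanism the paragraph describes: a key derived from machine-specific parameters unwraps the embedded template, and a different machine's parameters yield a key that cannot. The parameter names, values and the template bytes are all constructed; the toy stream cipher (SHA-256 counter keystream plus an HMAC tag) is a stand-in for whatever the builder actually uses.

```python
"""Machine-bound template unwrapping (hypothetical illustration, not Citadel's scheme)."""
import hashlib
import hmac

TAG_LEN = 32  # bytes of HMAC-SHA256 tag prepended to the sealed body


def derive_key(machine_params: dict) -> bytes:
    """Hash canonicalised machine parameters so the same box always yields the same key."""
    canon = "|".join(f"{k}={machine_params[k]}" for k in sorted(machine_params))
    return hashlib.sha256(canon.encode("utf-8")).digest()


def _keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream: SHA256(key || counter) blocks, truncated to n bytes."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def seal_template(template: bytes, machine_params: dict) -> bytes:
    """What a builder would do at install time: bind the template to this machine's key."""
    key = derive_key(machine_params)
    body = bytes(a ^ b for a, b in zip(template, _keystream(key, len(template))))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def open_template(blob: bytes, machine_params: dict):
    """Unwrap with the key derived from the current machine; None if the key is wrong."""
    key = derive_key(machine_params)
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong machine (or wrong hash): the template stays opaque
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))


# Constructed sample data: the customer's box and an analyst's box differ in every field.
CUSTOMER_MACHINE = {"volume_serial": "1A2B-3C4D", "cpu_id": "0x000306A9", "user": "operator"}
ANALYST_MACHINE = {"volume_serial": "9F9F-0001", "cpu_id": "0x000406E3", "user": "lab"}
TEMPLATE = b"MZ\x90\x00constructed-bot-template-placeholder"


def demo() -> tuple:
    """Returns (customer can unwrap, analyst cannot) for the constructed sample."""
    blob = seal_template(TEMPLATE, CUSTOMER_MACHINE)
    on_customer = open_template(blob, CUSTOMER_MACHINE) == TEMPLATE
    on_analyst = open_template(blob, ANALYST_MACHINE) is None
    return on_customer, on_analyst


if __name__ == "__main__":
    print(demo())
```

The HMAC tag is the part worth noticing from an analysis standpoint: with a keyed integrity check, a wrong key is rejected outright instead of producing plausible-looking garbage, so the only way to see the template is to obtain the key material that a legitimately installed builder computes on its own machine, which is exactly the point the paragraph makes.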



2 comments:

  1. What tool do you use to brute force the web panel?

  2. builder doesn't work