Wednesday, 15 April 2015

Betabot retrospective

Some of you know Betabot.. if you don't: http://www.ic3.gov/media/2013/130918.aspx

1.0.2.5 panel:
Dashboard:

extended information:

Search options:

Tasks:

Remove bot:

Terminate bot till next reboot:

Botkill:
Socks4:
Set browser homepage:

Visit URL option:

Update bot option:
Download file option:
DDoS cmd option:

Formgrabber logs:

logins:

users:

Settings:
IP blacklist:


List of dns recod to modify:


Help:

1.5.0.0:

Tasks:

Statistics:

Files:

Users notice:

AV Checker:

1.7.0.1:

The botmaster was running a support site at the url betabot.ru that i've monitored since... i don't know almost the begining till the end.
I've really collected a lot of datas and was constantly flagging new C&C urls even before they was active.


Inquiries sent to the betabot team (before they started the support forum):

Site structure:

Some clients kits:

Finally some people got busted using these informations..
If you want an example.. 'Spit Fyre' ex super moderator at Trojanforge who reside in the same country as me.
If you wonder why he disappeared you know why now.

Spit Fyre requesting an admin of Hackyard to delete his account after he got cops at door:

Some of his domains:
• dns: 1 ›› ip: 124.248.205.104 - adress: DARKNESS.SU
• dns: 1 ›› ip: 124.248.205.104 - adress: WEED.SU
• dns: 1 ›› ip: 124.248.205.104 - adress: MEZIAMUSSUCEMAQUEUE.SU
• dns: 1 ›› ip: 124.248.205.104 - adress: UMBXD15896.SU
• dns: 1 ›› ip: 124.248.205.135 - adress: STYXB1TCH35.SU
• dns: 1 ›› ip: 124.248.205.135 - adress: J1NXFYR3.SU

Anyway it's useless to talk about him and others betabot clients who had visits, the current status of betabot is stalled now and someone even made a builder for the 1.7.0.1 version.
Betabot was a creative malware, plagued by bugs though.

5 comments:

  1. new encode for betabot 1.8 hoping this shit in public soon :)

    ReplyDelete
  2. Mate ... post something , you were among the most interesting ones to read and there's nothing for me to do in the subway. Leave all that "we mustn't open their eyes " aside cause they're getting better at it. Going public and alerting everyone was always the thing ... you're making they're biz go on if you hide what they are doing.

    ReplyDelete
  3. Thanks for sharing Amazing information about the threat.

    ReplyDelete
  4. can you share collected datas for study ?

    ReplyDelete