Confident that he was communicating with fellow hackers, the botnet operator got into a conversation with the researchers.
The CyberNews portal specialists penetrated the infrastructure of the IRC botnet and were even able to communicate with its operator. However, when they asked the cybercriminal for an official interview, he cut off contact with them. On October 26 this year, the researchers transmitted all the data they received to the CERT specialists in Vietnam, where the botnet’s C&C server is located. The Vietnamese CERT is currently working to eliminate the botnet.
For their research, the CyberNews team selected one of four botnets caught in their Cowrie honeypot in September this year. By communicating with its operator, the researchers tried to find out what the botnet is used for and whether its operators are involved in other cybercriminal activities.
The researchers’ honeypot got a malicious file containing a Perl script for executing remote commands on the target system. As the analysis of the malware showed, it was created in 2012 by the now defunct hacker group w0rmer Security Team, allegedly associated with the Anonymous movement. Researchers are interested in the malware because it is designed to add infected systems to an IRC botnet. The once popular IRC botnets are now very rare and relatively easy to disable.
As the code analysis showed, the malware is capable of carrying out DDoS attacks via UDP, TCP, HTTP and other protocols. The researchers also managed to identify the IP address and port number of the C&C server, the alias of the botnet operator, and the IRC channel used to control the bots.
In total, the botnet consists of 137 compromised systems (the maximum number of bots was 241). In other words, the IRC botnet is small and, in all likelihood, can only be used to carry out small DDoS attacks or other malicious activities on a small scale.
While communicating with the operator via Discord, the researchers found out that the botnet is used by him for DDoS attacks, as well as for “testing”, “backdoors” and “money”. Apparently, with its help, the cybercriminal tested malware and experimented with the introduction and deployment of various exploits on compromised systems.
Confident that he was communicating with fellow cybercriminals, the operator began to brag about the fact that at one time he controlled an IoT botnet of 100 thousand devices, with which he could carry out large-scale DDoS attacks. According to him, it was he who carried out the sensational attack on the DNS provider Dyn in 2016, due to which many sites in the US and Europe were unavailable, including Twitter, Reddit, Netflix and CNN. True, the cybercriminal did not provide any evidence.
When asked about his current activities, the botnet operator replied that he was assembling a network of compromised devices and intends to sell them for $ 3,000. The cybercriminal even sent a commercial, and researchers found additional videos on YouTube advertising his botnets. However, after learning who he was actually talking to, the cybercriminal stopped answering researchers’ questions.