Author Topic: Fireeye: Cimbot - A technical analysis


March 16, 2009, 08:56:41 pm

SysAdMini

http://blog.fireeye.com/research/2009/03/cimbot---a-technical-analysis.html

Quote
I was recently sent a .pcap file of a bot's C&C communications. Every 182 seconds, the bot would download a GIF file from "vazasaki-ji.info" (91.211.65.180 as of Mar 11, 2009). These GIF files, however, are not "well-formed"; that is to say, it's a "GIF89a" header, followed by a lot of random gibberish.

At last! Something interesting and clever (this will make a good blog post). I've been wondering why it took so long for the bot authors to try to hide their communications steganographically (albeit poorly in this case).
Ruining the bad guy's day
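Two defender-side checks fall straight out of the quoted description: a file that starts with "GIF89a" but does not parse as a GIF, and a host that is fetched on a fixed period (182 seconds here). The following is an added example written for this thread; it is not code from FireEye or from the forum, and the sample GIF bytes and request timestamps are constructed to illustrate the two cases.

```python
"""Two checks suggested by the FireEye write-up: does a file that claims to
be a GIF actually parse as one, and do request times form a fixed beacon."""
import statistics
from typing import Optional, Sequence


def _color_table_len(packed: int) -> int:
    """Byte length of a colour table if its flag bit (0x80) is set, else 0."""
    if not packed & 0x80:
        return 0
    return 3 * (2 ** ((packed & 0x07) + 1))


def gif_parse_error(data: bytes) -> Optional[str]:
    """Walk the GIF block structure. Return None if well-formed, else why not.

    A real GIF is: header, logical screen descriptor, optional global colour
    table, then a chain of extension (0x21) and image (0x2C) blocks ending
    with a trailer (0x3B). "GIF89a" followed by junk fails almost at once."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return "no GIF header"
    pos = 6
    packed = data[pos + 4]            # packed field of the screen descriptor
    pos += 7                          # logical screen descriptor
    pos += _color_table_len(packed)   # global colour table, if flagged
    if pos > len(data):
        return "truncated global colour table"

    def skip_sub_blocks(p: int) -> int:
        # data sub-blocks: <len><bytes>... terminated by a zero-length block
        while True:
            if p >= len(data):
                raise ValueError("truncated sub-block chain")
            n = data[p]
            p += 1 + n
            if n == 0:
                return p

    try:
        while True:
            if pos >= len(data):
                return "no trailer (0x3B) before end of data"
            tag = data[pos]
            pos += 1
            if tag == 0x3B:                       # trailer: clean end
                return None
            if tag == 0x21:                       # extension: label, sub-blocks
                pos = skip_sub_blocks(pos + 1)
            elif tag == 0x2C:                     # image descriptor
                if pos + 9 > len(data):
                    return "truncated image descriptor"
                local_packed = data[pos + 8]
                pos += 9 + _color_table_len(local_packed)
                pos += 1                          # LZW minimum code size
                pos = skip_sub_blocks(pos)
            else:
                return f"unexpected block tag 0x{tag:02x} at offset {pos - 1}"
    except ValueError as exc:
        return str(exc)


def beacon_interval(timestamps: Sequence[float], min_requests: int = 5,
                    max_jitter: float = 0.05) -> Optional[float]:
    """Return the median gap between requests if the gaps look like a
    fixed-period beacon (relative spread <= max_jitter), otherwise None."""
    if len(timestamps) < min_requests:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = statistics.median(gaps)
    if med <= 0:
        return None
    return med if statistics.pstdev(gaps) / med <= max_jitter else None


# Constructed samples (not taken from the pcap described in the post).
GOOD_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"   # 1x1, global table
            + b"\x00\x00\x00\xff\xff\xff"                 # 2-colour table
            + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" # image descriptor
            + b"\x02\x02\x44\x01\x00"                     # LZW data
            + b"\x3b")                                    # trailer
FAKE_GIF = b"GIF89a" + b"\xde\xad\xbe\xef" * 16            # header + gibberish
BEACON_TS = [1236800000 + t for t in (0, 182, 364, 547, 728, 911, 1092)]
BROWSING_TS = [1236800000 + t for t in (0, 3, 40, 41, 200, 600)]

if __name__ == "__main__":
    print("good gif :", gif_parse_error(GOOD_GIF))
    print("fake gif :", gif_parse_error(FAKE_GIF))
    print("beacon   :", beacon_interval(BEACON_TS))
    print("browsing :", beacon_interval(BROWSING_TS))
```

The structural walk is deliberately strict about the block chain rather than trying to decode pixels: a file that is really covert C&C traffic wrapped in an image header fails on the very first block, while a legitimate GIF (with comments, GCE extensions, multiple frames) still parses. The beacon check only needs timestamps per client/host pair, so it runs on proxy logs as well as on a pcap.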

March 17, 2009, 12:19:44 pm
Reply #1

Serg

Quote
...
hxxp://lecoquin.net/pages/index.php?refid=ec0lag
hxxp://www.paidclickings.com/default.asp?id=ec0lag
hxxp://uniqwork.com/rjoin.asp?id=ec0lag
hxxp://www.lionclix.com/index.php?ref=ec0lag
hxxp://www.megacashclicks.net/index.php?ref=ec0lag
hxxp://www.birthdayclubptc.com/?r=ec0lag
...
and a lot of "ec0lag"s
ec0lag
I found some info about his attacks here "http://www.weblancer.net/projects/10408.html", here "http://linux.derkeiler.com/Mailing-Lists/Kernel/2006-08/msg09431.html" and in some malware (e.g. Backdoor.Win32.Rukap). All of the info is dated 2006.
Who it is I still don't know; no info on x forums. A lonely hacker? 8)
PS. Here is some info about his activity http://www.kaspersky.com/viruswatchlite?search_virus=Backdoor.Win32.Rukap&x=0&y=0