• Total Posts: 28030
  • Total Topics: 8051
  • Online Today: 738
  • Online Ever: 51419
  • (01. January 2010., 09:27:49)

Author Topic: Pastebin Shares Botnet Source Code  (Read 1380 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 710
  • KARMA: 114
  • Gender: Male
  • Pez
Pastebin Shares Botnet Source Code
« on: 08. May 2012., 08:25:36 »

Pastebin Shares Botnet Source Code

Few days back, we found another Pastebin entry that contains a source which looks to be malicious botnet code. As I wrote in my earlier blog, malware authors also use Pastebin to trade botnet kits. Many times, snippets of a botnet help researchers understand the workings of the botnet and write detections for it.

The code posted was fairly simple to understand, appearing fully tested and complete. The code provides insights to the coding skills and techniques used by the botnet author. This bot uses fairly standard installation, copying itself into the Windows\System32\ folder and then sending and receiving commands from a hard-coded control server. The source contains two interesting antianalysis functions, which check for the presence of a sandbox or tools such as OllyDbg or Wireshark. If it detects countermeasures, the bot terminates its process. Below are the two functions used for antianalysis:

BOOL bIsSandbox (void)

•Check GetModuleFileNameA() for presence of string “sample” in the PATH
•Or Check GetUserNameA() for presence of string like “HfreAnzr” or “sandbox” or “currentuser” or “vmware” or “nepenthes”
•Or Check GetComputerNameA() for presence of string like “ComputerName” or “COMPUTERNAME”
•Or Check GetModuleHandle() for presence of DLL like “SbieDll.dll” or “api_log.dll” or “dbghelp.dll” or “dir_watch.dll”
•If anything matches, terminate the bot process


•Use FindWindowA() function to check for name “CommView”
•Or “TCPViewClass”
•Or “TCPView – Sysinternals:
•Or “gdkWindowToplevel”
•Or “CommView – The Team ZWT 2008”
•Or “The Wireshark Network Analyzer”
•Or “SysAnalyzer”
•If anything matches, terminate the bot process

Both of the preceding function help a bot to terminate its process from being analyzed by researchers. The bot sends OS version, Username, botID, and other information to its hard-coded control server in the ns/clients.php?os=%s&name=%s&id=%i&loc=%s format and waits for other commands.

This bot supports the following commands, among others:

install: Download and install another binary

uninstall: Clears registry entries and exit()

open: Open a specified file

update: Update to a new bot binary

qkill: Exit

Examining the code gives us a fair idea of the network communications of this botnet and helps researchers easily write detections. The availability of the source also helps us understand different techniques or methods used by the botnet authors. It’s no surprise that Pastebin has become a communications channel for bad guys–not only for selling botnets but also for sharing code snippets.

Orginal article: Monday, May 7, 2012 at 11:33am by Umesh Wanve
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -

Pastebin Shares Botnet Source Code
« on: 08. May 2012., 08:25:36 »


  • SCF Member
  • **
  • Posts: 61
  • KARMA: 6
  • Gender: Male
Re: Pastebin Shares Botnet Source Code
« Reply #1 on: 09. May 2012., 05:33:49 »


  • SCF VIP Member
  • *****
  • Posts: 39
  • KARMA: 7
  • Gender: Male
    • Blaze's Security Blog
Re: Pastebin Shares Botnet Source Code
« Reply #2 on: 11. May 2012., 13:14:19 »
Missed this one, thanks !
Feel free to follow me on Twitter: bartblaze

My weblog:


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising