MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.


TRIAD Botnet. Remote administration of Linux zombies

The ability to manage botnets through http protocol appears to be a fundamental requirement for the developers of these web applications that work actively with the current crimeware.

In this sense, another alternative is called TRiAD Botnet Control System, a remote control system for Linux platforms. While this web application has a life span still too early (his first release dated 18 February 2009), and three versions are available with each possessing some interesting differences.

But making a break for the moment on the technical aspects that has TRiAD botnet, one of the most striking factors that particularly presents this application (and in general his style) is made up of showy design, where the thought that lurks behind it would seem to mark the "style" of the author.

Even the same approach appears to be present also in more sophisticated crimeware applications in terms of features and options proposed, that the above. Case ZeuS for example.

Moreover, another feature that is perceived in the current development of crimeware of this style is the greater emphasis on optimizing the processes involved in the implementation of botnets, zombies control and administration. Where, without losing that first raised feature (design) of the application makes more "friendly" also presents simplicity with a minimalist style.

But either way in terms of design, in the types of features they have or the cost of purchase, botnets and the army of zombie computers that have botmaster under his command are a potential danger and a heart attack via web difficult to stop at this time.

In this case, it's the first version of a family of web applications, TRiAD Botnet (written in C), designed as botnets control systems that has an older brother named Hybrid, with the particularity of being designed to control zombies in Linux distributions.

Although this version of TRiAD runs only on Linux, its later versions are multi-platform (Linux and Windows). Lets run only three basic functions of any botnet management: implementation of DDoS attacks, executing a shell and opening ports (BindShell), and notice the connection of a zombie (ReverseShell).

From a structural standpoint, the magnitude of attack Distributed Denial of Service is concentrated in a file called dos.php whose information is stored in the file dos.txt.

if ($action){
$file = fopen("dos.txt","w+"); fwrite($file,$cmd); fseek($file,0); $line = fread($file,100);echo "Command:

With respect to the BindShell through six commands only set you need to run a shell and leave a door open for botmaster available. These commands are displayed in the screenshot that represents the module in question, which takes information from the file cmd.php reflecting the result in cmd.txt.

if ($action){
$file = fopen("cmd.txt","w+"); fwrite($file,$cmd); fseek($file,0); $line = fread($file,100); echo "Command:

0 fclose($file);

The module ReverseShell reports every time a zombie is recruited and each time you establish your Internet connection. This information is stored on a small table showing number of active zombies, host IP address under attack and the command executed.

$machines = new Online(); if ($machines->count() == 1) {
echo "--> " . $machines->count() . " bot ";
} else {

echo "--> " . $machines->count() . " bots ";

$ddos = fopen("dos.txt","r"); $line = fread($ddos,100);
echo "


$plik = fopen("cmd.txt","r"); $linia = fread($plik,100);
echo "


Botnets are a serious problem for the security of any information environment connected to the Internet and the development of crimeware applications is increasingly high. Even in this case where the source code is free, there is a problem: any person with the knowledge necessary to manipulate the code and adapt/add functionality to the botnet.

Still, although the development of crimeware not represent a deal for the creators of these applications, it does work in an industry with malicious objectives by expanding the range of alternatives designed to thicken other related businesses.  

Related information this Blog
Especial!! ZeuS Botnet for Dummies
ElFiesta. Reclutamiento zombi a través de múltiples amenazas
Mirando de cerca la estructura de Unique Sploits Pack
Adrenalin botnet. El crimeware ruso marca la tendencia
Chamaleon botnet. Administración y monitoreo de descargas
YES Exploit System. Otro crimeware made in Rusia
Barracuda Bot. Botnet activamente explotada
Unique Sploits Pack. Crimeware para automatizar la explotación...

Jorge Mieres

0 comentarios:

Post a Comment