MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

30.3.10

Strike Botnet, another crimeware was born

As the Author says "Strike botnet is a new advanced http based botnet with which you can literally control thousands of computers at the same time, without them even noticing."

The gradual increase in botnet development is interesting, and this time "SqUeEzEr" (Scott Van Dinter, an 18-year-old boy, as some of his online profiles say) comes onto the scene with a botnet developed in VB6, with some inline ASM in it.

The botnet runs in Ring 3 (user mode), which makes detection easier. It was tested under Windows XP, Windows Vista and Windows 7.

Source-code preview. As we can see, the botnet is developed in VB6. In the module "InitializeEngine" there is a function with inline ASM. Some of its functions are:

ActiveX Startup. An already well-known startup method.

Advanced Anti-Checking. Different threads with continuous checks; 10 different methods.

Attacking. As with every botnet that serves its purpose, it has a DDoS system that works with TCP connections and runs in the background.

Firewall Bypass. Adds itself to the Windows Firewall. Unhooks ring3 firewall hooks.

Process Protection. An advanced protection system keeps the process from being closed.

File Protection. Strike is protected from deletion, even if the process is not running. It cannot even be deleted by Rootkit Unhooker.

Serial Stealing. Strike can steal the Windows serial key, and more than 200 other serials.

Sockets. Strike uses API sockets to connect with the web interface (that is, it does not use the well-known VB6 Winsock control). It also uses the HTTP protocol to bypass firewalls.

Spreading. Strike can spread itself into every compressed folder (zip/rar) on the infected computer.

MSN Passwords. Strike is able to steal stored MSN passwords.

Internet Explorer. Strike is also able to steal Internet Explorer passwords.

Update. A very interesting feature: with this function Strike is able to download a newer version and update itself.

Standard Functions
  • Exit, you can terminate strike with this command
  • Melt, Strike can be fully removed from a computer (It doesn’t match with the "common" definition of “Melting”)
  • Bsod, Strike can trigger a Blue Screen of Death
  • Kill, Strike can delete files on the computer
  • Exec, execute files on the victim's computer
  • Down, Strike can download files from the web by using the HTTP protocol and can then execute them
All these functions are called dynamically and are unhooked before being called. Strike also has a builder which uses no EOF and is able to detect whether Strike is installed on your system.

Finally, Strike is FUD (Fully Undetectable) at compile time (so it does not use crypting). The author says that a video demonstration will probably be up within one week.

Mariano Miguel
Malware Researcher at MalwareIntelligence

11 comments:

Anonymous said...

can't believe you actually spent time analysing a little kiddie tool coded in Visual Basic, shame on you.

Anonymous said...

"Update - a very interesting feature", I suppose you never took a look at 1 of the 1000's of old IRC botnets from 1950 (rXBot, etc.) that also have this "interesting feature"

regards

Anonymous said...

what is your nickname on opensc?

SqUeEzEr said...

+Update
-Strike is also able to download a newer version and update itself

That's how I stated it. And VB6 is not a kiddie language, but of course you never took a look at Strike for real or at Blaze Botnet. Shame on you anonymous

NOP said...

It is really.

Anonymous said...

VB6 is a kiddie language. Squeezer, come with the big boys and learn C/C++/ASM
Fucking noob.

Anonymous said...

LOL

Anonymous said...

Strike botnet leaked
http://www.mediafire.com/?jlmeygj2jv2

found on HF.

Some 1 scan please.

all i know is, its missing a sql file.

Anonymous said...

It's not missing an sql file, the database is created using the web interface..

hackbridges said...

squeezer is an 18-year-old boy just like me who can code very dangerous tools using VB. As old as you are what can you code?? Can you please show us one of your works.
I am not even sure if you can compile a bot even with a tutorial to guide you. :p

Anonymous said...

better post the download link for the Russian DDoS botnet, it is very hard to find :)
