- See The Difference
- What is Zero Trust The strategy on which Zscaler was built
- How Zscaler Delivers Zero Trust A platform that enforces policy based on context
- Zero Trust Resources Learn its principles, benefits, strategies
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Customer Success Stories Hear first-hand transformation stories
- Analyst Recognition Industry experts weigh in on Zscaler
- See the Zscaler Cloud in Action Traffic processed, malware blocked, and more
- Experience the Difference Get started with zero trust
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Products & Solutions
- Secure Your Users Provide users with seamless, secure, reliable access to applications and data. Secure Your Workloads Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud. Secure Your OT and IoT Provide zero trust connectivity for OT and IoT devices and secure remote access to OT systems.
- Products Transform your organization with 100% cloud-native services
- Solutions Propel your business with zero trust solutions that secure and connect your resources
![Zscaler workplace enablement]( "Zscaler workplace enablement")
Make hybrid work possibleGet StartedSecure work from anywhere, protect data, and deliver the best experience possible for users
- Industries Our ecosystem of zero trust partners
- Partner Integrations Simplified deployment and management
![Zscaler industry partners]( "Zscaler industry partners")
Secure your ServiceNow DeploymentGet StartedIt’s time to protect your ServiceNow data better and respond to security incidents quicker
- Platform
- Platform Overview Unified platform for transformation
- Capabilities Integrated services, infinitely scalable
![Zscaler transformation]( "Zscaler transformation")
Accelerate your transformationLearn MoreProtect and empower your business by leveraging the platform, process and people skills to accelerate your zero trust initiatives
![Gartner Report]( "Gartner Report")
Gartner Magic Quadrant LeaderRead ReportZscaler: A Leader in the Gartner® Magic Quadrant™ for Security Service Edge (SSE) New Positioned Highest in the Ability to Execute
- Resources
- Content Library Explore topics that will inform your journey
- Blog Perspectives from technology and transformation leaders
- Security Assessment Toolkit Analyze your environment to see where you could be exposed
- Webinars and Demos A first-hand look into important topics
- Executive Insights App Security insights at your fingertips
- Ransomware ROI Calculator Assess the ROI of ransomware risk reduction
- Training and Certifications Engaging learning experiences, live training, and certifications
- Customer Success Center Quickly connect to resources to accelerate your transformation
- Customer Success Stories Hear first-hand transformation stories
![Customer success center]( "Customer success center")
- Security & Threat Analytics Threat dashboards, cloud activity, IoT, and more
- Security Advisories News about security events and protections
- Vulnerability Disclosure Program Webinars, training, demos, and more
- Trust Portal Zscaler cloud status and advisories
![Zscaler resources]( "Zscaler resources")
- Company
- About Zscaler How it began, where it’s going
- Leadership Meet our management team
- Investor Relations News, stock information, and quarterly reports
- Compliance Our adherence to rigorous standards
- ESG Our Environmental, Social, and Governance approach
- Events Upcoming opportunities to meet with Zscaler
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Media Center News, blogs, events, photos, logos, and other brand assets
- News and Press Zscaler in the news
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Partner Portal Tools and resources for Zscaler partners
- Summit Partner Program Collaborating to ensure customer success
- System Integrators Helping joint customers become cloud-first companies
- Service Providers Delivering an integrated platform of services
- Technology Deep integrations simplify cloud migration
- Partner Inquiry Become a Zscaler partner
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
-
Insights and Research
IRC Botnets Alive, Effective & Evolving
Introduction
An IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel. It usually involves a Botnet operator controlling the IRC bots through a previously configured IRC server & channel. The Botnet operator, after appropriate checks, periodically moves the IRC bot to a new IRC channel to thwart researchers & automated sandboxes from monitoring the commands.
In this blog, we will look at one of the most prevalent IRC based malware families - DorkBot, followed by three additional IRC Botnet families - RageBot, Phorpiex, and IRCBot.HI.
In our telemetry data from last 3 months we have seen following URL serving the DorkBot installer:
api1[.]wipmania[.]com[.]wipmsc[.]ru/api1[.]gif (Check APPENDIX section for additional info.)
The malware executable checks for two command line arguments
- "-aav_start" - It terminates
- "–shell" - It starts the infection cycle, creates a registry key "Windows Update" to ensure persistence, and creates a mutex named “Windows_Shared_Mutex_231_c000900” to ensure only one copy of Dorkbot is running
If no command line argument is provided, it starts injecting threads into other processes without performing the above mentioned actions.
It first injects a thread into svchost.exe and performs the following actions:
- Copy itself as "%APPDATA% \Update\Explorer.exe" on the infected system.
- Creates a Run registry key with the name of "Windows Explorer Manager" for the dropped executable copy.
- It creates a thread that monitors the Run key created in step 2 & recreates it if missing, every 10,000 seconds.
- It also creates a thread that copies the file created in step 1 to file name “\c731200” in the "%APPDATA%” folder.
- It then creates a remote thread in mspaint.exe that tries to resolve a predetermined list of domains as shown in image below:
 |
| DorkBot - Hardcoded Domains |
The main Dorkbot binary (MD5-E7E48AD1A2A57CC94B56965AA8B476DA) was found embedded in the resource section which is extracted and executed at runtime.
 |
| DorkBot - memory strings |
It also creates a remote thread in the “calc.exe” process that performs the following actions:
- Creates a mutex with the name “c731200”
- Checks for Internet connectivity using API InternetCheckConnection with www.google.com as the URL.
- It then tries to download files from 20 different URLs and saves the downloaded file with random file names in the %Temp% folder. File names are shown in the screenshot below:
 |
| DorkBot- Random file names |
All the URLs are hardcoded in the DorkBot and are encrypted via a custom encryption method.
 |
| DorkBot - Encrypted URLs |
 |
| DorkBot - Pseudocode of decryption function |
Below is the full list of URLs from from where it tries to download additional malware:
| URL |
|---|
| http://api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| http://api2[.]wipmania[.]com[.]wipmsc[.]ru/api2.gif |
| http://api3[.]wipmania[.]com[.]wipmsc[.]ru/api3.gif |
| http://api4[.]wipmania[.]com[.]wipmsc[.]ru/api4.gif |
| http://api5[.]wipmania[.]com[.]wipmsc[.]ru/api5.gif |
| http://api6[.]wipmania[.]com[.]wipmsc[.]ru/api6.gif |
| http://api7[.]wipmania[.]com[.]wipmsc[.]ru/api7.gif |
| http://api8[.]wipmania[.]com[.]wipmsc[.]ru/api8.gif |
| http://api9[.]wipmania[.]com[.]wipmsc[.]ru/api9.gif |
| http://api[.]wipmania[.]com[.]fowd[.]ru/api.gif |
| http://api[.]wipmania[.]com[.]selfmg[.]ru/api.gif |
| http://api[.]wipmania[.]com[.]lotus5[.]ru/api.gif |
| http://api[.]wipmania[.]com[.]wipmania[.]ru/lkwaxd.gif |
| http://api[.]wipmania[.]com[.]lotys[.]ru/vjojai.gif |
| http://api[.]wipmania[.]com[.]bwats[.]ru/ofjtme.gif |
| http://api[.]wipmania[.]com[.]stcus[.]ru/apsphv.gif |
| http://api[.]wipmania[.]com[.]cmoen[.]ru/zkmchm.gif |
| http://api[.]wipmania[.]com[.]artbcon3[.]ru/frflec.gif |
| http://api[.]wipmania[.]com[.]yeloto[.]ru/zwfmwd.gif |
| http://update[.]wipmania[.]com[.]raulhost[.]ru/logo.gif |
DorkBot
Dorkbot represents a family of information stealing worms that uses IRC based Command & Control (C&C) server communication. Dorkbot is also known as ngrBot due to it's similar feature set. It is one of the most powerful IRC based botnets that generates revenue for the botnet operator via the following features:
- Capable of spreading via chat messengers, USB drives, & social networking sites
- Supports multiple Distributed Denial of Service (DDoS) attack types
- Capable of stealing login credentials for multiple HTTP and FTP sites
- Blocks security update related websites to evade detection
- Capable of downloading, installing and uninstalling other malware payloads
RageBot, Phorpiex, and IRCBot.HI Analysis –
From our 3 months telemetry data, we have seen the following URLs serving these IRC bots–
|
URL
|
MD5
|
Malware Name
|
|---|---|---|
|
Ernsthaft[.]su/ert[.]exe
|
6C738D0A737D16C87EB40C24C5F594A6
|
IRCBot.HI
|
|
Mslighton[.]net/uploads/io[.]exe
|
C73DBA5827728EEAC59951B14AB329F4
|
RageBot
|
|
Colorfashionbox[.]com/u[.]exe
|
F919C902AC07AF339BBD753E6EFF89C7
|
Phorpiex
|
|
Dumanfun[.]com/t[.]exe
|
DBC477DF90D4ECB37B698C571DE90D11
|
Phorpiex
|
In addition to IRC based C&C communication, all these bots have following similarity in their operation:
1. Checks execution environment - Virtual Environment, Honeypot or Sandbox
 |
| RageBot - Check via Username |
 |
| Phorpiex - Check via DLL name |
 |
| IRCBot.HI - Check via DLL & Product IDs |
It is important to note that IRCBot.HI checks the ProductID value from the registry against multiple hardcoded ProductID values. It terminates execution if any of them matches. We believe that these hardcoded ProductIDs were harvested from various online public sandboxes.
2. Creates Mutex
RageBot – It creates a mutex with name “ie”
 |
| RageBot - Mutex |
Phorpiex – It creates a mutex with name “t2”, We have also seen some Phorpiex samples which were creating mutexes with name “t3” and “t4”.
 |
| Phorpiex - Mutex |
IRCBot.HI – During installation it creates a mutex with the name MAIN_<RandomNumber>. When it runs from the installation path, it creates a mutex with the name BACKUP_<RandomNumber>
 |
| IRCBot.HI - Mutex |
3. Installation
RageBot- It installs itself in “%ProgramFiles%\Common Files\System” or “C:\DOCUME~1\” directory. The malware uses ragebot.exe as file name for the dropped file.
 |
| RageBot – Building installation path |
If it is not able to create the file at the above mentioned locations then it tries to install itself in “C:\RECYCLER” directory.
Phorpiex – It installs itself into %WINDIR% , %USERPROFILE% , %APPDATA% and %TEMP% locations by creating a folder “M-50504578520758924620” containing a file named winmgr.exe.
 |
| Phorpiex – Pseudocode of Installations function |
It then deletes itself after installation by running a batch file dropped in the %TEMP% folder.
IRCBot.HI – During our analysis it installed itself into %WINDIR% and %USERPROFILE%. In %WINDIR%, it creates a folder named 1756410959 and drops copy of itself as lsass.exe. In %USERPROFILE%, it drops copy of itself as ctfmon.exe.
 |
| IRCBot.HI – Installing in different locations |
4. Adding autostart feature using Run registry key.
RageBot – Creates Run Key - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and key name as – “Windows Update”
Phorpiex – Creates Run Key - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and key name as – “Microsoft Windows Manager”
IRCBot.HI – Creates Run Once Key - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce and key name as – “*<RandomNumber>”
 |
| IRCBot.Hi – RunOnce Entry |
5. Adding itself to Windows Firewall trusted application list
All these bots add themselves to the Windows Firewall’s exception list by modifying the key
"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
6. Propagation method
RageBot –
- It copies itself to the following P2P & Instant messenger application folders for spreading
- \Program Files\LimeWire\Shared
- \Program Files\eDonkey2000\incoming
- \Program Files\KAZAA
- \Program Files\Morpheus\My Shared Folder\
- \Program Files\BearShare\Shared\
- \Program Files\ICQ\Shared Files\
- \Program Files\Grokster\My Grokster\
- \My Downloads\
- It also searches for RAR files and copies itself inside them.
Phorpiex –
A. Creates a shortcut in a removable device
B. Creates an autorun.inf file in removable devices to autorun the malicious file
Below is a sample of the C&C communication for this bot:
A. Creates a shortcut in a removable device
- It checks for all removable devices
- Copies itself with a different name
- Creates a shortcut to an already present folder and sets the path of a shortcut to run the malicious file
- Hides the malicious file and folder by setting a hidden attribute for both
 |
| Phorpiex - Creating Shortcuts |
B. Creates an autorun.inf file in removable devices to autorun the malicious file
- Checks for all removable devices.
- Copies itself with a name of windrv.exe
- Creates an autorun.inf file to autorun the malicious file
 |
| Phorpiex - Creating autorun.inf file |
IRCBot.HI -
We identified strings related to Skype in memory during our analysis that would suggest this bot is capable of spreading via Skype.
 |
| IRCBot.HI - Skype inject related string |
7. IRC based Command & Control communication
All these bots use the IRC protocol for C&C communication. Bots perform different actions based on the commands received from the remote C&C server.
RageBot – During our analysis, this RageBot sample was trying to connect to vnc.e-qacs[.]com on port 6668. Upon successful connection, the following initial communication was observed:
 |
| RageBot - C&C Communication |
You can find full list of C&C commands in the appendix section.
Phorpiex – It tries to connect to trksrv[.]su on port 5050. Some other IRC servers it tries to connect to are - trik[.]su , srv50[.]ru and trkbox[.]ru. Upon successful connection, it sends the following IRC commands:
NICK `|USA|hihdlxu
USER x "" "x" :x
Some other commands:
001 -> Sends JOIN #b message to server
PING -> Checks status
.j <channel name> - > Join given channel
bye -> Uninstall bot
 |
| Phorpiex - C&C Communication |
IRCBot.HI - It tries to connect to irc[.]ernsthaft[.]su or irc[.]ded-rrwqwzjzjris[.]com on port 6667.
Upon successful connection, it sends the following IRC commands:
PASS ddos
USER <8 char string> <1 digit number> * :<8 char string>
NICK n[USA|A|D|<OS_NAME><OS_TYPE>|1c]<8 char string>
JOIN #PlanB
Below is a sample of the C&C communication for this bot:
 |
| IRCBot.HI - C&C Communication |
Conclusion
In this era of sophisticated Botnets with multiple C&C communication channels, custom protocols, and encrypted communication; we continue to see a steady number of new IRC based Botnet payloads being pushed out in the wild on a regular basis. As we saw in our analysis, IRC based Botnet families continue to evolve in terms of sophisticated features incorporated in the bots.
ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.
Appendix
DorkBot installer URLs and MD5
RageBot Commands
Analysis by: Amandeep Kumar, Avinash Kumar, Nirmal Singh & Deepen Desai
In this era of sophisticated Botnets with multiple C&C communication channels, custom protocols, and encrypted communication; we continue to see a steady number of new IRC based Botnet payloads being pushed out in the wild on a regular basis. As we saw in our analysis, IRC based Botnet families continue to evolve in terms of sophisticated features incorporated in the bots.
ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.
Appendix
DorkBot installer URLs and MD5
| TIME | MD5 | URL |
| Jan-15 | E49B3EF80FF4DB4DB1D5220930EC7DAD | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | CC9D72663D2495779B0C81AEE34592E7 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | A98472BCAA010433A80410C3483C90E1 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | EEFC72EFFD96FFD11EC2D69CD6248AC5 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 4E7149C1401F5A0BC34E3AAD6070F4BE | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 5B14C029570F40BDDC73669FE4EFEFB0 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 4C54D366B04F9980F038CB6FC62603D0 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 6E4282023D6A19B27C30DB5D54CEE32C | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | E7B61B2BE23167965079468DF36497EF | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | DC8CBA3F91A34F0D1EFA79BE4495B305 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 8AAD291926335F28B4402830252556F7 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 8036A36C372602CFA049996B9F5BD6AE | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 8036A36C372602CFA049996B9F5BD6AE | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 7257FD6F90B5AA9BB249EA74B764A401 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | B186525826856E881E879C6C44BB2452 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 220188F1BD2E10BA0751383EA0946DBA | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 2DB9BD0ABD99F3285721D358A6816737 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | EBEB072B8336F5FD35328227A60B271C | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 01303BEFE5938C3C748C4E058A8A6AE9 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 82E2CA09BDEB3ABF8B70D848F66793E7 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 0B2E7AE8DF2ADA1E86A3A25FC248C6FE | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 430560EBD3BE6A680BFA6409F332585B | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | F79AF05D9B43F99EB6FC64DA2C129F67 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 384252746FAFF8D264E6A8CA450B6301 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | C9636239ED698834CABA78E1F9F8DB0F | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 9C42746376CC7D265D6BF554B960EDE2 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 67B08BF0F2C89DE4E0D1C36BAF7193B9 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 735B6602B4BD1D71246F43642D6873AA | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 7D9AF61AE962443D586BFC8A86100B5F | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 05ABC48A4BEE624D7952954CF14F699D | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | FF638ACA7D8D10ED8AD2DE1BC333123D | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | AA4085182E8F10FEC8EBC3F6D3612321 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 1A54593E7C82DD1B16B7626FCB211DA1 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 235E67A88907DA68BFBB9264A00A31E3 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 2CBD9428DEE885C30258BF0C38299138 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | CCDC5EC2085536160813658BE549F0B6 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | CBD732F87901EE03820DBA41D0D2895A | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | BE5E43F2786D628B7AA8689C2108247D | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 5AEC4A3B3E0AEB3B13B98086FC81D797 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 6034814DB1C25A092C39F251F29B2216 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 6CAE0B51E5EAD86EEA47C4068287650A | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 451E324D3CB601E00FA041D6FDE1C4EC | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 9AEB3A097F11887D89EC08D337814B6B | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 8F9F97232DBE283BC5E7B6AB4DD580B8 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | F57A08679380F3FDFD369528FE5CE854 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | F24BC22CFD12E3FDE40D06BF54F35CF1 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 4BB4C19B5FC2401D45845789CC761577 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 583432D95424EC051AFE9E621DC41ACA | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | C5756AC3FE61266D326B43E904BC1A6C | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 44012367D7FFA7845B59462952AB9014 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | FC506F023FF71E3ACDEE4449C43E5F1B | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 322E11B552B897ADBC9ABCE51774988E | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | EC0832E5818E4CD753C4B2675C6179A1 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 63C37B2FEB0C0F71568B9771AC4DACE4 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 7BE4749D1D1F8950F7288C67A393B7F0 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | ADDF9E2B207AD9E89DB46E81A8121882 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 3E70DB4E5F5F60F2FDE7AEC38F4B30CD | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 268301147BC53722A898E1F38E6F026D | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 309FB15C08861BC063C19C326A29AC98 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 422C1A2BC53F72CAE5435F7F5598BDFD | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 30A6C9DC574075C5EA47F17EA9392C47 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 37A9570400CB0C0CD4E5273AE3232EB5 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | E59BCA5EE865FE5789C96B20A43F9207 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 919C861E6A6ABF88045476D5D92A5DE1 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 5FD98DE177F158C31960BF80272F2535 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 9439AA18598643131B3F8DD9E69AB294 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | F66A06166B73391C4C7A7A58CC6CE66C | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 79589FC33375A63BB44A8DE0B2B5DAF8 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 2C328EF3F2074D68729F329D4B2F8013 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 90E8FF73C7E78B99ABCD1FC22394F22E | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | A3AEC401831AF6EF1C75AFB1C50D96DA | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 42C7C8719D33AFCF36DC7D5D2594EB5B | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 375E51758336183B07CA7DBF771D2EF8 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | FA20E413002E17B938B2451552721027 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 09840FA1887528B20C98C408C8EB6E07 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 6AB2975E77EA4724FADF4CCB7250F0E9 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 51E7E34FFB5EF17FDE5FAFC5DF8F7212 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | F61E3F5ACFE1F861CECEA0A793D4F333 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 229236B39E92E629178419CB8A529E1A | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | D299AD2A61F325F5DA56AE7674D2F77D | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 53CA20232F358A9C256748403451EF14 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 41BE96D1B3BDF9E48D97AE153D6EFD45 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 213E0B42AF7CF1D0DCB75E378CA93512 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
RageBot Commands
| Command | Description |
|---|---|
| PING | Check status |
| 422 | Check status |
| 433 | Redefine nick name |
| -s | Silent mode |
| h 0f6969d7052da9261e31ddb6e88c136e | Uninstall bot. |
| h fd456406745d816a45cae554c788e754 | Download and run file |
| Botinfo | Sends botinfo |
| p2p | Starts p2p spread, Copy itself into following location- \Program Files\LimeWire\Shared \Program Files\eDonkey2000\incoming \Program Files\KAZAA \Program Files\Morpheus\My Shared Folder\ \Program Files\BearShare\Shared\ \Program Files\ICQ\Shared Files\ \Program Files\Grokster\My Grokster\ \My Downloads\ |
| commands | Sends following list of commands commands: botinfo/rarworm/xpl/p2p/vncstop/disconnect/reconnect/nick/restart/part/join/ |
| rarworm | Scan for .rar files and copy itself into .rar archives with name as ?self-installer.exe? |
| disconnect | Disconnect itself |
| b0tk1ller (off) | Starts a thread that scans for the running processes and terminate the process if process name matched with hardcoded process names. If parameter off is provided it stops the bot killer thread. |
| reconnect | Reconnects to the same server |
| reconnect.next | Same as reconnect since there is only one ip hardcoded in the bot. |
| nick (nickname) | Sets nick name if nickname not provided that generates random nickname |
| restart | Restarts itself |
| vncstop | Stop VNC scanning threads. |
| join (channel_name) | Join mentioned channel |
| xpl | Starts vnc and ftp scanning threads. |
Analysis by: Amandeep Kumar, Avinash Kumar, Nirmal Singh & Deepen Desai
Get the latest Zscaler blog updates in your inbox
Subscription confirmed. More of the latest from Zscaler, coming your way soon!
By submitting the form, you are agreeing to our privacy policy.