- See The Difference
- What is Zero Trust The strategy on which Zscaler was built
- How Zscaler Delivers Zero Trust A platform that enforces policy based on context
- Zero Trust Resources Learn its principles, benefits, strategies
![Zscaler transformation]( "Zscaler transformation")
Accelerate your transformation
Learn MoreProtect and empower your business by leveraging the platform, process and people skills to accelerate your zero trust initiatives
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk.
- Customer Testimonials Hear first-hand transformation stories
- Case Studies Learn about pioneering Zscaler customers
- Analyst Recognition Industry experts weigh in on Zscaler
- See the Zscaler Cloud in Action Traffic processed, malware blocked, and more
- Experience the Difference Get started with zero trust
![Zscaler transformation]( "Zscaler transformation")
Accelerate your transformation
Learn MoreProtect and empower your business by leveraging the platform, process and people skills to accelerate your zero trust initiatives
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk.
- Platform
- Platform Overview Unified platform for transformation
- Products Integrated services, infinitely scalable
![Zscaler transformation]( "Zscaler transformation")
Accelerate your transformation
Learn MoreProtect and empower your business by leveraging the platform, process and people skills to accelerate your zero trust initiatives
- Technologies Global proxy-based cloud architecture
- Capabilities Integrated services, infinitely scalable
![Gartner Report]( "Gartner Report")
Gartner Magic Quadrant Leader
Read the reportZscaler: The Only Leader in the 2020 Gartner Magic Quadrant for Secure Web Gateways
- Solutions
- Modern Workplace Enablement
- Security Transformation
- Infrastructure Modernization
- Industries & Partners
- Modern Workplace Enablement Overview Create fast, secure experiences for users everywhere
- Secure Work-from-anywhere Seamless access for the hybrid workforce
![Zscaler workplace enablement]( "Zscaler workplace enablement")
Make hybrid work possible
Get startedSecure work from anywhere, protect data, and deliver the best experience possible for users
- Security Transformation Overview A modern cloud approach
- Prevent Cyberthreats Prevent phishing, ransomware, and other attacks
- Prevent Data Loss Protect data everywhere from exposure or theft
![Zscaler capabilities]( "Zscaler capabilities")
The World’s Most Effective Ransomware Protection
Get StartedRansomware is the biggest threat to digital business. Learn how to take a proactive, zero trust approach to safeguarding your enterprise
- Infrastructure Modernization Overview Enable the new world of cloud and mobility
- Simplify Branch Connectivity Simplify and secure direct-to-cloud connections
- Secure Cloud Connectivity Secure connectivity between clouds and workloads
![Zscaler infrastructure modernization]( "Zscaler infrastructure modernization")
Enable the Agile Branch
Watch NowYour network security is costing more than it’s worth. See how five companies drove simplicity, savings and security
- Industries Our ecosystem of zero trust partners
- Partner Integrations Simplified deployment and management
![Zscaler industry partners]( "Zscaler industry partners")
Secure your ServiceNow Deployment
Get StartedIt’s time to protect your ServiceNow data better and respond to security incidents quicker
- Resources
- Content Library Explore topics that will inform your journey
- Blog Perspectives from technology and transformation leaders
- Tools Training, demos and more
- CIO Library Essential resources for enterprise leaders
- Webinars and Demos A first-hand look into important topics
- Executive Insights App Security insights at your fingertips
![Zscaler resources]( "Zscaler resources")
- Security & Threat Analytics Threat dashboards, cloud activity, IoT, and more
- Security Advisories News about security events and protections
- Vulnerability Disclosure Program Webinars, training, demos, and more
- Trust Portal Zscaler cloud status and advisories
![Zscaler resources]( "Zscaler resources")
- The Cloud-First Architect Tools and best practices for the cloud
- CIO Insights Curated resources for technology leaders
- Zenith Community Discuss ideas and issues with peers
- CXO REvolutionaries Events, insights, and resources for CXOs
- Training and Certifications Ongoing programs via Zero Trust Academy
- Cloud Security Alliance Securing the cloud through best practices
![Zscaler resources]( "Zscaler resources")
- Company
- About Zscaler How it began, where it’s going
- Leadership Meet our management team
- Investor Relations News, stock information, and quarterly reports
- Customers Learn about their transformation journeys
- Compliance Our adherence to rigorous standards
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler Careers
Apply NowJoin a recognized leader in Zero trust to help organization transform securely
- Media Center News, blogs, events, and more
- Media Kit Photos, logos, and other brand assets
- News and Press Zscaler in the news
- Events Upcoming opportunities to meet with Zscaler
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler Careers
Apply NowJoin a recognized leader in Zero trust to help organization transform securely
- Partner Portal Tools and resources for Zscaler partners
- Summit Partner Program Collaborating to ensure customer success
- System Integrators Helping joint customers become cloud-first companies
- Service Providers Delivering an integrated platform of services
- Technology Deep integrations simplify cloud migration
- Partner Inquiry Become a Zscaler partner
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler Careers
Apply NowJoin a recognized leader in Zero trust to help organization transform securely
Insights and Research
IRC Botnets Alive, Effective & Evolving
Introduction
An IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel. It usually involves a Botnet operator controlling the IRC bots through a previously configured IRC server & channel. The Botnet operator, after appropriate checks, periodically moves the IRC bot to a new IRC channel to thwart researchers & automated sandboxes from monitoring the commands.In this blog, we will look at one of the most prevalent IRC based malware families - DorkBot, followed by three additional IRC Botnet families - RageBot, Phorpiex, and IRCBot.HI.
In our telemetry data from last 3 months we have seen following URL serving the DorkBot installer:
api1[.]wipmania[.]com[.]wipmsc[.]ru/api1[.]gif (Check APPENDIX section for additional info.)
The malware executable checks for two command line arguments
- "-aav_start" - It terminates
- "–shell" - It starts the infection cycle, creates a registry key "Windows Update" to ensure persistence, and creates a mutex named “Windows_Shared_Mutex_231_c000900” to ensure only one copy of Dorkbot is running
If no command line argument is provided, it starts injecting threads into other processes without performing the above mentioned actions.
It first injects a thread into svchost.exe and performs the following actions:
- Copy itself as "%APPDATA% \Update\Explorer.exe" on the infected system.
- Creates a Run registry key with the name of "Windows Explorer Manager" for the dropped executable copy.
- It creates a thread that monitors the Run key created in step 2 & recreates it if missing, every 10,000 seconds.
- It also creates a thread that copies the file created in step 1 to file name “\c731200” in the "%APPDATA%” folder.
- It then creates a remote thread in mspaint.exe that tries to resolve a predetermined list of domains as shown in image below:
 |
| DorkBot - Hardcoded Domains |
The main Dorkbot binary (MD5-E7E48AD1A2A57CC94B56965AA8B476DA) was found embedded in the resource section which is extracted and executed at runtime.
 |
| DorkBot - memory strings |
It also creates a remote thread in the “calc.exe” process that performs the following actions:
- Creates a mutex with the name “c731200”
- Checks for Internet connectivity using API InternetCheckConnection with www.google.com as the URL.
- It then tries to download files from 20 different URLs and saves the downloaded file with random file names in the %Temp% folder. File names are shown in the screenshot below:
 |
| DorkBot- Random file names |
All the URLs are hardcoded in the DorkBot and are encrypted via a custom encryption method.
 |
| DorkBot - Encrypted URLs |
 |
| DorkBot - Pseudocode of decryption function |
Below is the full list of URLs from from where it tries to download additional malware:
| URL |
|---|
| http://api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| http://api2[.]wipmania[.]com[.]wipmsc[.]ru/api2.gif |
| http://api3[.]wipmania[.]com[.]wipmsc[.]ru/api3.gif |
| http://api4[.]wipmania[.]com[.]wipmsc[.]ru/api4.gif |
| http://api5[.]wipmania[.]com[.]wipmsc[.]ru/api5.gif |
| http://api6[.]wipmania[.]com[.]wipmsc[.]ru/api6.gif |
| http://api7[.]wipmania[.]com[.]wipmsc[.]ru/api7.gif |
| http://api8[.]wipmania[.]com[.]wipmsc[.]ru/api8.gif |
| http://api9[.]wipmania[.]com[.]wipmsc[.]ru/api9.gif |
| http://api[.]wipmania[.]com[.]fowd[.]ru/api.gif |
| http://api[.]wipmania[.]com[.]selfmg[.]ru/api.gif |
| http://api[.]wipmania[.]com[.]lotus5[.]ru/api.gif |
| http://api[.]wipmania[.]com[.]wipmania[.]ru/lkwaxd.gif |
| http://api[.]wipmania[.]com[.]lotys[.]ru/vjojai.gif |
| http://api[.]wipmania[.]com[.]bwats[.]ru/ofjtme.gif |
| http://api[.]wipmania[.]com[.]stcus[.]ru/apsphv.gif |
| http://api[.]wipmania[.]com[.]cmoen[.]ru/zkmchm.gif |
| http://api[.]wipmania[.]com[.]artbcon3[.]ru/frflec.gif |
| http://api[.]wipmania[.]com[.]yeloto[.]ru/zwfmwd.gif |
| http://update[.]wipmania[.]com[.]raulhost[.]ru/logo.gif |
DorkBot
Dorkbot represents a family of information stealing worms that uses IRC based Command & Control (C&C) server communication. Dorkbot is also known as ngrBot due to it's similar feature set. It is one of the most powerful IRC based botnets that generates revenue for the botnet operator via the following features:
- Capable of spreading via chat messengers, USB drives, & social networking sites
- Supports multiple Distributed Denial of Service (DDoS) attack types
- Capable of stealing login credentials for multiple HTTP and FTP sites
- Blocks security update related websites to evade detection
- Capable of downloading, installing and uninstalling other malware payloads
RageBot, Phorpiex, and IRCBot.HI Analysis –
From our 3 months telemetry data, we have seen the following URLs serving these IRC bots–
URL | MD5 | Malware Name |
|---|---|---|
Ernsthaft[.]su/ert[.]exe | 6C738D0A737D16C87EB40C24C5F594A6 | IRCBot.HI |
Mslighton[.]net/uploads/io[.]exe | C73DBA5827728EEAC59951B14AB329F4 | RageBot |
Colorfashionbox[.]com/u[.]exe | F919C902AC07AF339BBD753E6EFF89C7 | Phorpiex |
Dumanfun[.]com/t[.]exe | DBC477DF90D4ECB37B698C571DE90D11 | Phorpiex |
In addition to IRC based C&C communication, all these bots have following similarity in their operation:
1. Checks execution environment - Virtual Environment, Honeypot or Sandbox
 |
| RageBot - Check via Username |
 |
| Phorpiex - Check via DLL name |
 |
| IRCBot.HI - Check via DLL & Product IDs |
It is important to note that IRCBot.HI checks the ProductID value from the registry against multiple hardcoded ProductID values. It terminates execution if any of them matches. We believe that these hardcoded ProductIDs were harvested from various online public sandboxes.
2. Creates Mutex
RageBot – It creates a mutex with name “ie”
 |
| RageBot - Mutex |
Phorpiex – It creates a mutex with name “t2”, We have also seen some Phorpiex samples which were creating mutexes with name “t3” and “t4”.
 |
| Phorpiex - Mutex |
IRCBot.HI – During installation it creates a mutex with the name MAIN_<RandomNumber>. When it runs from the installation path, it creates a mutex with the name BACKUP_<RandomNumber>
 |
| IRCBot.HI - Mutex |
3. Installation
RageBot- It installs itself in “%ProgramFiles%\Common Files\System” or “C:\DOCUME~1\” directory. The malware uses ragebot.exe as file name for the dropped file.
 |
| RageBot – Building installation path |
If it is not able to create the file at the above mentioned locations then it tries to install itself in “C:\RECYCLER” directory.
Phorpiex – It installs itself into %WINDIR% , %USERPROFILE% , %APPDATA% and %TEMP% locations by creating a folder “M-50504578520758924620” containing a file named winmgr.exe.
 |
| Phorpiex – Pseudocode of Installations function |
It then deletes itself after installation by running a batch file dropped in the %TEMP% folder.
IRCBot.HI – During our analysis it installed itself into %WINDIR% and %USERPROFILE%. In %WINDIR%, it creates a folder named 1756410959 and drops copy of itself as lsass.exe. In %USERPROFILE%, it drops copy of itself as ctfmon.exe.
 |
| IRCBot.HI – Installing in different locations |
4. Adding autostart feature using Run registry key.
RageBot – Creates Run Key - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and key name as – “Windows Update”
Phorpiex – Creates Run Key - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and key name as – “Microsoft Windows Manager”
IRCBot.HI – Creates Run Once Key - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce and key name as – “*<RandomNumber>”
 |
| IRCBot.Hi – RunOnce Entry |
5. Adding itself to Windows Firewall trusted application list
All these bots add themselves to the Windows Firewall’s exception list by modifying the key
"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
6. Propagation method
RageBot –
- It copies itself to the following P2P & Instant messenger application folders for spreading
- \Program Files\LimeWire\Shared
- \Program Files\eDonkey2000\incoming
- \Program Files\KAZAA
- \Program Files\Morpheus\My Shared Folder\
- \Program Files\BearShare\Shared\
- \Program Files\ICQ\Shared Files\
- \Program Files\Grokster\My Grokster\
- \My Downloads\
- It also searches for RAR files and copies itself inside them.
Phorpiex –
A. Creates a shortcut in a removable device
B. Creates an autorun.inf file in removable devices to autorun the malicious file
Below is a sample of the C&C communication for this bot:
A. Creates a shortcut in a removable device
- It checks for all removable devices
- Copies itself with a different name
- Creates a shortcut to an already present folder and sets the path of a shortcut to run the malicious file
- Hides the malicious file and folder by setting a hidden attribute for both
 |
| Phorpiex - Creating Shortcuts |
B. Creates an autorun.inf file in removable devices to autorun the malicious file
- Checks for all removable devices.
- Copies itself with a name of windrv.exe
- Creates an autorun.inf file to autorun the malicious file
 |
| Phorpiex - Creating autorun.inf file |
IRCBot.HI -
We identified strings related to Skype in memory during our analysis that would suggest this bot is capable of spreading via Skype.
 |
| IRCBot.HI - Skype inject related string |
7. IRC based Command & Control communication
All these bots use the IRC protocol for C&C communication. Bots perform different actions based on the commands received from the remote C&C server.
RageBot – During our analysis, this RageBot sample was trying to connect to vnc.e-qacs[.]com on port 6668. Upon successful connection, the following initial communication was observed:
 |
| RageBot - C&C Communication |
You can find full list of C&C commands in the appendix section.
Phorpiex – It tries to connect to trksrv[.]su on port 5050. Some other IRC servers it tries to connect to are - trik[.]su , srv50[.]ru and trkbox[.]ru. Upon successful connection, it sends the following IRC commands:
NICK `|USA|hihdlxu
USER x "" "x" :x
Some other commands:
001 -> Sends JOIN #b message to server
PING -> Checks status
.j <channel name> - > Join given channel
bye -> Uninstall bot
 |
| Phorpiex - C&C Communication |
IRCBot.HI - It tries to connect to irc[.]ernsthaft[.]su or irc[.]ded-rrwqwzjzjris[.]com on port 6667.
Upon successful connection, it sends the following IRC commands:
PASS ddos
USER <8 char string> <1 digit number> * :<8 char string>
NICK n[USA|A|D|<OS_NAME><OS_TYPE>|1c]<8 char string>
JOIN #PlanB
Below is a sample of the C&C communication for this bot:
 |
| IRCBot.HI - C&C Communication |
Conclusion
In this era of sophisticated Botnets with multiple C&C communication channels, custom protocols, and encrypted communication; we continue to see a steady number of new IRC based Botnet payloads being pushed out in the wild on a regular basis. As we saw in our analysis, IRC based Botnet families continue to evolve in terms of sophisticated features incorporated in the bots.
ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.
Appendix
DorkBot installer URLs and MD5
RageBot Commands
Analysis by: Amandeep Kumar, Avinash Kumar, Nirmal Singh & Deepen Desai
In this era of sophisticated Botnets with multiple C&C communication channels, custom protocols, and encrypted communication; we continue to see a steady number of new IRC based Botnet payloads being pushed out in the wild on a regular basis. As we saw in our analysis, IRC based Botnet families continue to evolve in terms of sophisticated features incorporated in the bots.
ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.
Appendix
DorkBot installer URLs and MD5
| TIME | MD5 | URL |
| Jan-15 | E49B3EF80FF4DB4DB1D5220930EC7DAD | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | CC9D72663D2495779B0C81AEE34592E7 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | A98472BCAA010433A80410C3483C90E1 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | EEFC72EFFD96FFD11EC2D69CD6248AC5 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 4E7149C1401F5A0BC34E3AAD6070F4BE | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 5B14C029570F40BDDC73669FE4EFEFB0 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 4C54D366B04F9980F038CB6FC62603D0 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 6E4282023D6A19B27C30DB5D54CEE32C | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | E7B61B2BE23167965079468DF36497EF | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | DC8CBA3F91A34F0D1EFA79BE4495B305 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 8AAD291926335F28B4402830252556F7 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 8036A36C372602CFA049996B9F5BD6AE | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 8036A36C372602CFA049996B9F5BD6AE | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 7257FD6F90B5AA9BB249EA74B764A401 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | B186525826856E881E879C6C44BB2452 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 220188F1BD2E10BA0751383EA0946DBA | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 2DB9BD0ABD99F3285721D358A6816737 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | EBEB072B8336F5FD35328227A60B271C | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 01303BEFE5938C3C748C4E058A8A6AE9 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 82E2CA09BDEB3ABF8B70D848F66793E7 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 0B2E7AE8DF2ADA1E86A3A25FC248C6FE | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 430560EBD3BE6A680BFA6409F332585B | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | F79AF05D9B43F99EB6FC64DA2C129F67 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 384252746FAFF8D264E6A8CA450B6301 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | C9636239ED698834CABA78E1F9F8DB0F | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 9C42746376CC7D265D6BF554B960EDE2 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 67B08BF0F2C89DE4E0D1C36BAF7193B9 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 735B6602B4BD1D71246F43642D6873AA | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 7D9AF61AE962443D586BFC8A86100B5F | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 05ABC48A4BEE624D7952954CF14F699D | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | FF638ACA7D8D10ED8AD2DE1BC333123D | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | AA4085182E8F10FEC8EBC3F6D3612321 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 1A54593E7C82DD1B16B7626FCB211DA1 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Jan-15 | 235E67A88907DA68BFBB9264A00A31E3 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 2CBD9428DEE885C30258BF0C38299138 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | CCDC5EC2085536160813658BE549F0B6 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | CBD732F87901EE03820DBA41D0D2895A | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | BE5E43F2786D628B7AA8689C2108247D | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 5AEC4A3B3E0AEB3B13B98086FC81D797 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 6034814DB1C25A092C39F251F29B2216 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 6CAE0B51E5EAD86EEA47C4068287650A | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 451E324D3CB601E00FA041D6FDE1C4EC | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 9AEB3A097F11887D89EC08D337814B6B | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 8F9F97232DBE283BC5E7B6AB4DD580B8 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | F57A08679380F3FDFD369528FE5CE854 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | F24BC22CFD12E3FDE40D06BF54F35CF1 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 4BB4C19B5FC2401D45845789CC761577 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 583432D95424EC051AFE9E621DC41ACA | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | C5756AC3FE61266D326B43E904BC1A6C | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 44012367D7FFA7845B59462952AB9014 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | FC506F023FF71E3ACDEE4449C43E5F1B | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 322E11B552B897ADBC9ABCE51774988E | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | EC0832E5818E4CD753C4B2675C6179A1 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 63C37B2FEB0C0F71568B9771AC4DACE4 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Feb-15 | 7BE4749D1D1F8950F7288C67A393B7F0 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | ADDF9E2B207AD9E89DB46E81A8121882 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 3E70DB4E5F5F60F2FDE7AEC38F4B30CD | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 268301147BC53722A898E1F38E6F026D | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 309FB15C08861BC063C19C326A29AC98 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 422C1A2BC53F72CAE5435F7F5598BDFD | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 30A6C9DC574075C5EA47F17EA9392C47 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 37A9570400CB0C0CD4E5273AE3232EB5 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | E59BCA5EE865FE5789C96B20A43F9207 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 919C861E6A6ABF88045476D5D92A5DE1 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 5FD98DE177F158C31960BF80272F2535 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 9439AA18598643131B3F8DD9E69AB294 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | F66A06166B73391C4C7A7A58CC6CE66C | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 79589FC33375A63BB44A8DE0B2B5DAF8 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 2C328EF3F2074D68729F329D4B2F8013 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 90E8FF73C7E78B99ABCD1FC22394F22E | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | A3AEC401831AF6EF1C75AFB1C50D96DA | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 42C7C8719D33AFCF36DC7D5D2594EB5B | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 375E51758336183B07CA7DBF771D2EF8 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | FA20E413002E17B938B2451552721027 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 09840FA1887528B20C98C408C8EB6E07 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 6AB2975E77EA4724FADF4CCB7250F0E9 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 51E7E34FFB5EF17FDE5FAFC5DF8F7212 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | F61E3F5ACFE1F861CECEA0A793D4F333 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 229236B39E92E629178419CB8A529E1A | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | D299AD2A61F325F5DA56AE7674D2F77D | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 53CA20232F358A9C256748403451EF14 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 41BE96D1B3BDF9E48D97AE153D6EFD45 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
| Mar-15 | 213E0B42AF7CF1D0DCB75E378CA93512 | api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif |
RageBot Commands
| Command | Description |
|---|---|
| PING | Check status |
| 422 | Check status |
| 433 | Redefine nick name |
| -s | Silent mode |
| h 0f6969d7052da9261e31ddb6e88c136e | Uninstall bot. |
| h fd456406745d816a45cae554c788e754 | Download and run file |
| Botinfo | Sends botinfo |
| p2p | Starts p2p spread, Copy itself into following location- \Program Files\LimeWire\Shared \Program Files\eDonkey2000\incoming \Program Files\KAZAA \Program Files\Morpheus\My Shared Folder\ \Program Files\BearShare\Shared\ \Program Files\ICQ\Shared Files\ \Program Files\Grokster\My Grokster\ \My Downloads\ |
| commands | Sends following list of commands commands: botinfo/rarworm/xpl/p2p/vncstop/disconnect/reconnect/nick/restart/part/join/ |
| rarworm | Scan for .rar files and copy itself into .rar archives with name as ?self-installer.exe? |
| disconnect | Disconnect itself |
| b0tk1ller (off) | Starts a thread that scans for the running processes and terminate the process if process name matched with hardcoded process names. If parameter off is provided it stops the bot killer thread. |
| reconnect | Reconnects to the same server |
| reconnect.next | Same as reconnect since there is only one ip hardcoded in the bot. |
| nick (nickname) | Sets nick name if nickname not provided that generates random nickname |
| restart | Restarts itself |
| vncstop | Stop VNC scanning threads. |
| join (channel_name) | Join mentioned channel |
| xpl | Starts vnc and ftp scanning threads. |
Analysis by: Amandeep Kumar, Avinash Kumar, Nirmal Singh & Deepen Desai