Dissecting the 'Operation Dildos' amateur botnet

Summary: A security analyst has stumbled across an amateur botnet and, while taking it apart, has discovered the command and control server it connects to, the number of other drones in the network, and a reference to dildos.

Security analyst Joe Giron has stumbled across a botnet that, despite bearing the hallmarks of an amateur at work, still managed to more than double in size overnight.

Writing up his discovery on his blog, Giron said he found a number of machines at his work attacking other hosts.

"We isolated the exe responsible, because it was eating up 100 percent CPU (not exactly subtle)," he wrote.

Despite being easy to spot by "common sense" means, the malware was flagged by only 34 of the 46 scanners on VirusTotal.

Individual drones connect to an internet relay chat (IRC) server to accept commands from their author, which makes that server the botnet's command and control hub. Dissecting the executable in a disassembler, Giron was able to retrieve the IP address of the hub, the channel the drones join, and the passwords needed to issue commands to them. No attempt was made to hide the information, he noted, and some of it reveals a little about the author.
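Recovering that kind of configuration from a bot that makes no attempt to hide it comes down to a strings-style pass over the binary and a little pattern matching. The script below is an added example, not Giron's tooling and not the real sample: it scans a constructed byte blob that imitates such an executable (the server address, port, channel name, password, nick template and command names in it are all invented placeholders), classifies the printable runs it finds into IRC protocol verbs, server endpoints, channels, passwords and bot command handlers, and finishes with the check that matters for the takeover point made later in the article: whether server, channel and password were all recovered.

```python
"""Pull IRC command-and-control details out of an unobfuscated bot binary.

Added example, not code from the article or from the analyst it describes.
It imitates what `strings` plus a grep would reveal about a bot that embeds
its IRC server, channel and command password in the clear.
"""
import ipaddress
import json
import re

# Constructed stand-in for a bot executable. Every value is made up (RFC 5737
# documentation IP, placeholder channel and password); it only has to look
# like a binary with plaintext IRC configuration strings between code bytes.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00"
    b"NICK drone%04d\x00\x00\x00"          # nick template for each drone
    b"USER drone 8 * :drone\x00"
    b"JOIN #constructed-chan\x00\x00"      # channel the drones sit in
    b"PASS l3tme1n\x00"                    # command password
    b"198.51.100.23:6667\x00\x00"          # C&C server and port
    b"PRIVMSG %s :ok\x00"
    b"!syn %s %d %d\x00"                   # flood command handlers
    b"!udp %s %d %d\x00"
    b"\x8b\xec\x83\xec\x10\x00\x00"
    b"Operation Dildos\x00"
)

IPV4_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
CHANNEL = re.compile(r"(?<!\S)#[A-Za-z0-9_\-]{2,}")
BOT_COMMAND = re.compile(r"^[!.][a-z]+\b")
IRC_VERBS = {"NICK", "USER", "JOIN", "PASS", "PRIVMSG", "PONG", "MODE"}


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes, like `strings -n`."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(data)]


def find_irc_config(strings: list[str]) -> dict:
    """Classify extracted strings into the pieces of an IRC C&C configuration."""
    cfg = {"servers": [], "channels": [], "passwords": [],
           "nicks": [], "commands": [], "irc_verbs": []}
    for s in strings:
        # Dotted quads, optionally with a :port suffix; reject non-addresses like 999.1.1.1.
        for ip, port in IPV4_PORT.findall(s):
            try:
                ipaddress.IPv4Address(ip)
            except ipaddress.AddressValueError:
                continue
            cfg["servers"].append((ip, int(port) if port else None))
        cfg["channels"].extend(CHANNEL.findall(s))
        if s.startswith("PASS "):
            cfg["passwords"].append(s[5:].strip())
        if s.startswith("NICK "):
            cfg["nicks"].append(s[5:].strip())
        # Bot command handlers are conventionally prefixed with ! or . in IRC bots.
        if BOT_COMMAND.match(s):
            cfg["commands"].append(s.split()[0])
        verb = s.split(" ", 1)[0]
        if verb in IRC_VERBS:
            cfg["irc_verbs"].append(verb)
    return cfg


def analyze(data: bytes) -> dict:
    cfg = find_irc_config(extract_strings(data))
    # With server, channel and password all recovered, anyone can drive the drones.
    cfg["takeover_ready"] = bool(cfg["servers"] and cfg["channels"] and cfg["passwords"])
    return cfg


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_BINARY), indent=2))
```

Against a real sample the same pass is the first thing to run before opening a disassembler; if it comes back empty, the strings are being built at runtime or decoded from a packed section, and the disassembler (or a memory dump of the running process) is the next stop.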

"The 'Operation Dildos' name deduces that our malware writers are either 14 or immature. I still chuckled, though."

Commands that an attacker can issue include what appear to be SYN and UDP floods, designed to overwhelm the victim and force them offline.

Giron attempted to log on to the command and control server last night, and at the time found that it had amassed 400 drones. However, when he logged on today, there were 1,131 drones.

The server still appears to be operational at the time of writing, with the drone count at 1,189 at ZDNet's last check.

The server also refers to magnesium.ddos.cat as its hostname, although no public DNS records for it currently exist. A leaked Pastebin document from May last year does tie the IP address to the "magnesium" server.

The document, in which an unknown user lists active internet connections, hints at what other services it may be running. These include an SSH server and a media streaming service.

The main ddos.cat website appears to have been defaced.

Giron's reverse engineering of the botnet has put everything needed to take it over into the hands of anyone who reads his write-up.

"You have the password to issue commands, you have the IRC server address, you have the channel where the bots reside," he noted, without giving away the port that the server is running on. ZDNet has chosen not to publish that information, but it is easily determined.

Giron has also made the executable available for download for anyone else who wishes to dissect it themselves.

Topics: Security, Malware, Networking

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
