Inside the botnets that never make the news

Summary: This gallery offers an inside view of those "beneath the radar" botnets that never make the news. The images have been collected over the past year using open source intelligence, namely by either joining the command and control IRC channel upon infection, or monitoring ongoing communications between the botnet masters. If you ever wanted an inside view of targeted botnets primarily run by novice cybercriminals, sometimes using outdated but very effective methods, this gallery is for you.

  • Old netblock scanning techniques aren't dead just yet, at least judging by this targeted botnet of 1937 infected hosts.

  • A relatively big botnet compared to the majority of the ones already discussed.

  • Another botnet campaign in progress with 1967 hosts so far.

Topics: Malware, Browser, Open Source, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


  • Block IRC traffic completely

    That's the solution. IRC traffic has no place in
    business environments.
    • How pray tell?

      You're forgetting, any type of traffic can go over any port. It is not a simple firewall rule. It either requires deep packet inspection (which doesn't do any good if it is SSH'ed), or a lot of manual labor. Your premise is right, but "the devil is in the details."
      • True

        Yes, the devil is in the details. This will take some substantial resources to inspect all of the packets as they come in through your normally open ports to prevent these botnets from controlling your systems if they are infected by any botnet.
        Not getting the bot into your system in the first place is a better method than trying to thwart the botmaster from getting to you afterwards.
        If you have no bot then most likely the botmaster will not control anything.
        • Excuse me, but what is a "BOT"? Anybody

          Excuse me, but what is a "BOT"? Anybody have a simple answer for a simple minded person like me.


          • I'd answer if I thought you were watching...

            this post.
    • ... uh, how do you propose to do that?

      IRC can be set to use literally ANY port, not just the well-publicised ports that are used by most casual IRC users. The same problem occurs when you block known IRC hosts (either by domain or IP range) - all you're doing is blocking the major IRC nets. Botnet operators can set up their own servers/nets, using IRC server 'ware available for free for just about any OS.

      Stateful packet inspection's the only viable method, and this gets expensive in terms of processing power needed to scan each inbound and outbound packet. You CAN impose the CIS version of Social Engineering with a "Thou Shalt Not" edict, but unless you have a method of catching someone breaking it, it's hard to enforce.

      It's better to close the vulnerabilities at the point of infection/subversion, by aggressive anti-malware scanning, IM proxy servers, or straight-up blocking of the software from the desktops via a GPO.
      • Exactly how we did it....

        except we needed to do more application patching to reduce our software vulnerability posture.
  • Image 5...

    Did you do the obfuscating? If not, how do you know they're all on the same server?
    Steve Goldman
  • No honor among thieves.

    I like the slide of a copyright disclaimer for one of the botnets.
    "Botnet with anti RIAA, anti-piracy disclaimer".
    Who is this person going to call for any violation of this policy, the "Ghostbusters"?
    It is interesting that all of them are using some IRC application, so if you wanted to stop them you would need to stop illicit IRC traffic.
  • RE: Botnet exploiting MS0867 flaws (Inside the botnets that never make the news)

    You can't block IRC channels; many people use those channels for legit reasons, like some of the good MMORPG games that we have on the net,
    and other websites that provide you with music use the IRC world, so doing that is only gonna cut people's noses off.
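The thread above argues that a port-based rule misses IRC command and control on non-standard ports and that only payload inspection catches it. As an added illustration (not part of the article or of any comment), here is a minimal payload-based IRC heuristic in Python run over constructed sample flows and compared against the naive port rule; the flow records, ports, nicknames and hostnames are all made up.

```python
import re
from typing import Iterable, List

# IRC commands and three-digit server numerics (RFC 1459/2812) as they appear
# at the start of a protocol line, optionally preceded by a ':prefix '.
# Matching on payload content instead of the destination port is the
# "deep packet inspection" the comments describe: an IRC server can listen
# on any TCP port, so port 6667 alone proves nothing either way.
IRC_LINE = re.compile(
    rb"^(?::[^ \r\n]+ )?"                                 # optional ':server ' or ':nick!user@host '
    rb"(NICK|USER|JOIN|PRIVMSG|NOTICE|PING|PONG|MODE|TOPIC|\d{3})"
    rb"(?: [^\r\n]*)?\r?\n",                              # parameters, then line terminator
    re.MULTILINE | re.IGNORECASE,
)


def looks_like_irc(payload: bytes, min_lines: int = 2) -> bool:
    """True when at least `min_lines` complete lines parse as IRC.

    Requiring two lines keeps a lone 'PING' from some other text protocol
    from firing; a trailing partial line (no terminator yet) is not counted.
    """
    return len(IRC_LINE.findall(payload)) >= min_lines


def flag_irc_flows(flows: Iterable[dict]) -> List[str]:
    """Ids of flows whose payload looks like IRC, whatever port they use."""
    return [f["id"] for f in flows if looks_like_irc(f["payload"])]


def port_only_flags(flows: Iterable[dict], irc_ports=(6667,)) -> List[str]:
    """The naive port-based rule the thread argues against, for comparison."""
    return [f["id"] for f in flows if f["dport"] in irc_ports]


# Constructed sample flows (not real captures): destination port and the
# first bytes of payload. Nicknames, hosts and channel names are made up.
SAMPLE_FLOWS = [
    {"id": "irc-6667", "dport": 6667,
     "payload": b"NICK [XP]7731\r\nUSER xp 0 0 :xp\r\nJOIN #lobby\r\n"},
    {"id": "http-80", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"},
    {"id": "irc-on-443", "dport": 443,    # IRC hidden on the HTTPS port
     "payload": b":irc.example 001 [XP]7731 :Welcome\r\nPING :irc.example\r\n"
                b":op!u@h PRIVMSG #lobby :hello\r\n"},
    {"id": "tls-8080", "dport": 8080,     # TLS ClientHello-style bytes, not IRC
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(16)},
]

if __name__ == "__main__":
    print("port rule   :", port_only_flags(SAMPLE_FLOWS))  # ['irc-6667']
    print("payload rule:", flag_irc_flows(SAMPLE_FLOWS))   # ['irc-6667', 'irc-on-443']
```

The payload rule still has the limits raised in the thread: it sees nothing inside an encrypted tunnel, and on a busy link every flow has to be inspected.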