Dissecting the 'Operation Dildos' amateur botnet

A security analyst has stumbled across an amateur botnet, and while taking it apart has discovered the command and control server it connects to, the number of other drones in the network, and a reference to dildos.

Security analyst Joe Giron has stumbled across a botnet that despite having the hallmarks of an amateur in action, still managed to more than double in size overnight.

Writing up his discovery on his blog, Giron said he found a number of machines at his work attacking other hosts.

"We isolated the exe responsible, because it was eating up 100 percent CPU (not exactly subtle)," he wrote.

Although it is easily spotted by a "common sense" check, VirusTotal reported that only 34 of 46 virus scanners detect the malware.

Individual drones connect to an internet relay chat (IRC) server to accept commands from their author, which effectively makes that server the command and control hub. Dissecting the executable in a disassembler, Giron was able to retrieve the IP address of the hub, the channel that drones connect to, and the passwords needed to issue commands to the drones. No attempt was made to hide the information, he noted, and some of it does reveal a little about the author.
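Because the hub address, channel and command strings sit in the binary as plain text, a defender can triage a sample of this kind without a disassembler by pulling its printable strings and looking for IRC protocol artifacts. The script below is an added illustration written for this article, not Giron's code or the malware itself; the byte blob it scans is a constructed stand-in (the "hub" address is the RFC 5737 documentation address 203.0.113.10 and the channel and commands are made up), not the real sample's contents.

```python
import re
from typing import Dict, List

# Constructed fake executable image: a PE-like header, then the kind of
# cleartext IRC artifacts the article describes, interleaved with junk bytes.
# None of these values come from the real sample.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"NICK %s\r\n\x00"
    + b"USER %s 8 * :%s\r\n\x00"
    + b"JOIN #examplechan\x00"        # constructed channel name
    + b"PRIVMSG\x00"
    + b"203.0.113.10\x00"            # RFC 5737 documentation address
    + b"\x01\x02\x03"
    + b"!syn\x00!udp\x00!stop\x00"    # constructed bot command verbs
    + b"\xff" * 8
    + b"kernel32.dll\x00"
)

# Printable-ASCII runs, the same thing the classic `strings` tool reports.
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
CHANNEL_RE = re.compile(r"#[A-Za-z0-9_\-]{2,}")
# IRC client/server verbs that a bot must emit or handle to stay connected.
IRC_VERBS = {"NICK", "USER", "JOIN", "PRIVMSG", "PING", "PONG", "QUIT", "MODE"}


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket strings into the indicator classes an IRC bot leaves behind."""
    found: Dict[str, List[str]] = {
        "irc_verbs": [], "channels": [], "ipv4": [], "bot_commands": []
    }
    for s in strings:
        words = s.split()
        if words and words[0] in IRC_VERBS:
            found["irc_verbs"].append(s)
        found["channels"].extend(CHANNEL_RE.findall(s))
        if IPV4_RE.match(s):
            found["ipv4"].append(s)
        # "!word" is a common bot command convention (assumption, not a
        # detail from the article); flag it as a candidate, not as proof.
        if s.startswith("!") and len(s) > 1 and s[1:].isalnum():
            found["bot_commands"].append(s)
    return found


def looks_like_irc_bot(found: Dict[str, List[str]]) -> bool:
    """Two or more IRC verbs plus a channel or hard-coded IP is a strong hint."""
    return len(found["irc_verbs"]) >= 2 and bool(found["channels"] or found["ipv4"])


if __name__ == "__main__":
    indicators = classify(extract_strings(SAMPLE_BINARY))
    for kind, values in indicators.items():
        print(f"{kind:13s} {values}")
    print("IRC bot candidate:", looks_like_irc_bot(indicators))
```

The heuristic is deliberately conservative: a hard-coded IP or a `#channel` string alone is common in benign software, so the verdict requires protocol verbs as well. The output is a triage lead for blocking the hub address at the perimeter and for a YARA or string-match rule, not a substitute for confirming the behaviour dynamically.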

"The 'Operation Dildos' name deduces that our malware writers are either 14 or immature. I still chuckled, though."

Commands that an attacker can issue include what appear to be SYN and UDP floods, designed to overwhelm the victim and force them offline.

Giron attempted to log on to the command and control server last night, and at the time found that it had amassed 400 drones. However, when he logged on today, there were 1,131 drones.

The server still appears to be operational at the time of writing, with the drone count at 1,189 at ZDNet's last check.

The server also makes reference to magnesium.ddos.cat as its hostname, although no public DNS records currently exist. A leaked pastebin document from May last year does tie together the IP address and the "magnesium" server.

The document, in which an unknown user lists active internet connections, hints at what other services it may be running. These include an SSH server and a media streaming service.

The main ddos.cat website appears to have been defaced.

Giron's reverse engineering of the botnet has made available all of the information anyone would need to take over the botnet.

"You have the password to issue commands, you have the IRC server address, you have the channel where the bots reside," he noted, without giving away the port that the server is running on. ZDNet has chosen not to publish that information, but it is easily determined.

Giron has also made the executable available for download for anyone else who wishes to dissect it themselves.