
Inside the botnets that never make the news

This gallery offers an inside view of those "beneath the radar" botnets that never make the news. The images have been collected throughout the past year using open source intelligence, namely by either joining the command and control IRC channel upon infection or monitoring ongoing communications between the botnet masters. If you ever wanted an inside view of targeted botnets, primarily run by novice cybercriminals who sometimes use outdated but very effective methods, this gallery is for you.
By Dancho Danchev on
1 of 26 Dancho Danchev/ZDNet

This screenshot is a great example of the social networking activities taking place inside the cybercrime ecosystem. The modest botnet consisting of 78 infected hosts has a LOL (abbreviation for laughing out loud) sign added by a competing botnet master aiming to expose a scammer pretending to have a much bigger botnet.

2 of 26 Dancho Danchev/ZDNet

In this screenshot, the botnet master is advertising the obfuscated command and control interface of his commercial malware. In the deobfuscated screenshot, he's demonstrating the dropping of a presumably undetectable piece of malware, which botnet masters update on an hourly or daily basis.

3 of 26 Dancho Danchev/ZDNet

This targeted botnet consists of 19,528 infected hosts, the result of a malware-spreading campaign across the MSN instant messaging network. The botnet master has naturally blurred the exact message used in the campaign, but the screenshot demonstrates the disturbing click-through rate the campaign achieved.

4 of 26 Dancho Danchev/ZDNet

In this botnet of 63 infected hosts, the botnet master is experimenting with it by launching another MSN malware-spreading campaign and injecting the malware process into legitimate applications.

5 of 26 Dancho Danchev/ZDNet

These three botnets (5,225, 3,771 and 929 infected hosts) are a good example of how a botnet master diversifies the infection vectors by launching multiple campaigns, thereby building multiple botnets. What he's forgetting is that not only is he using IRC as command and control, but all the botnets are on the same server.

6 of 26 Dancho Danchev/ZDNet

Yet another targeted botnet campaign in progress that has already managed to infect 621 hosts.

7 of 26 Dancho Danchev/ZDNet

The botnet master of this botnet of 1017 infected hosts is so paranoid that he's blurred the entire screenshot.

8 of 26 Dancho Danchev/ZDNet

Botnet master t0nix has also extensively blurred any clues that may lead to exposing his botnet of 2,373 infected hosts. What he's not taking into consideration is that among the infected hosts are several that are used exclusively for monitoring purposes.

9 of 26 Dancho Danchev/ZDNet

28,118 infected hosts are controlled by cybix through the use of multiple infection vectors, some of them outdated.

10 of 26 Dancho Danchev/ZDNet

Yet another botnet campaign in progress.

11 of 26 Dancho Danchev/ZDNet

An inside view of the botnet master's desktop while he's advertising a modest botnet of 820 infected hosts.

12 of 26 Dancho Danchev/ZDNet

Botnet master polx is actively infecting new hosts, 1182 so far.

13 of 26 Dancho Danchev/ZDNet

What's worth pointing out about this particular botnet is how a single command allows the botnet master to extend the lifecycle of the campaign by injecting the malware into a multitude of local files.

14 of 26 Dancho Danchev/ZDNet

Old netblock scanning techniques aren't dead just yet, at least from the perspective of this targeted botnet of 1937 infected hosts.

15 of 26 Dancho Danchev/ZDNet

A relatively big botnet compared to the majority of the ones already discussed.

16 of 26 Dancho Danchev/ZDNet

Another botnet campaign in progress with 1967 hosts so far.

17 of 26 Dancho Danchev/ZDNet

74,901 infected hosts, with an interesting message of the day on the IRC server, since the botnet master is claiming a violation of his privacy.

18 of 26 Dancho Danchev/ZDNet

Botnet master ENO_2 has already managed to infect 1012 hosts, but forgot to blur the Albanian channel he's

19 of 26 Dancho Danchev/ZDNet

This botnet is an example of how insecure management of removable media, combined with the use of AUTORUN, can easily result in a botnet like this one.

20 of 26 Dancho Danchev/ZDNet

Channel #pwn is the home of a 126k+ host botnet; behind the first screenshot are more botnets controlled by the same individual.

21 of 26 Dancho Danchev/ZDNet

A second inside peek into the removable media/USB botnet.

22 of 26 Dancho Danchev/ZDNet

Botnet master xdRl has already managed to infect 1323 hosts.

23 of 26 Dancho Danchev/ZDNet

Botnet master Sonicx is currently operating a botnet consisting of 13,394 infected hosts and is using them as distributed scanning tools in order to expand the botnet.

24 of 26 Dancho Danchev/ZDNet

Botnet master crim has already managed to infect 40,337 hosts from all over the world.

25 of 26 Dancho Danchev/ZDNet

Botnet masters SL, Woopie and xd maintain a botnet of 24,144 infected hosts.

26 of 26 Dancho Danchev/ZDNet

If someone thought that Conficker is the only botnet exploiting the MS08-067 flaw, they'd be wrong. The copycats taking advantage of IRC command and control servers know how to exploit the window of opportunity here.
