Betabot botnets linked to hackforums users

So if you have been following my posts on this blog, you may have noticed a large number of posts about the “betabot” malware. Betabot is a http bot which is sold on hackforums.net. Despite a number of complaints about serious stability issues, it has become popular with some of the more dedicated script kiddy residents of that board, leading to the botnets posted on this blog.

Today I noticed an interesting feature included in betabot. The coder had apparently seen fit to include the hackforums nickname of the purchaser in each malware file. While the motive appears to be incompetence rather than malice, this has allowed me to link a number of the posted botnets with profiles on hackforums.

Marvid While Marvid has already left a number of clues about what botnets he controls (see his tag), this makes it official.
String: marvid82_v1$ Botnet

Cobraxxx
String: cobraxxx_v1$ Botnet

Solid006
String: solid006_v1$ Botnet

Shubhank
String: shubhank_v1$ Botnet

h4r3 (also on trojanforge)
String: h4r3_v1$ Botnet
(This betabot downloaded two citadel botnets)

Stringback
String: stringback_v1$ Botnet

Boing
String: boing_v1$ Botnet

Disfigure
String: 1427399_v1$ Botnet

Victory
String: 792476_v1$ Botnet

These are just the obvious ones. I’ll do a bit of searching and post some more soon.

Categories: Uncategorized

3 Comments

Anonymous - September 17, 2013 at 9:50 pm

I run across multiple botnets in my job. Would you care for additional undiscovered botnets?

Pig - September 18, 2013 at 9:13 pm

feel free to upload samples and add them here 🙂

Anonymous - September 20, 2013 at 8:32 am

please post new version of betabot ( 1.5 ) thanks

Comments are closed