Sunday, 18 January 2015

[EN] Checking Illusion Bot

I was checking other stuff, and suddenly found "Illusion Bot". Seems to be a small IRC DDoS Bot. ;]

Let see...

Download:
You can easily find it on the web





Unzipped it looks like this:

Unzipped

I decide to check webfiles first... but I don't understand all of it... ;]

Sorry - don't understand

So I decide to use nice and friendly 'string' command. Connected with few grep's:

Commands to use for this bot
 Of course in those PHP files (index.php and upgrade.php) you can find more things, like
how this backdoor is installing itself in the WWW server, or how it's sending commands, etc.

Bots tables
Base64 decoded files, now looks like this:



...and commands again:





Point of view from IDA:




And this is my favourite :D

can you see it? ;)




More, maybe soon. ;)

Cheers,
o/

Posted by at
Labels: , , , ,

No comments:

Post a Comment

What do You think...?

Subscribe to: Post Comments (Atom)