Skip to content

Hide Navigation Hide TOC

Edit

Botnet

botnet galaxy

Authors
Authors and/or Contributors
Various

ADB.miner

A new botnet appeared over the weekend, and it's targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.

The botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system's native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system's most sensitive features.

Only devices running the Android OS have been infected until now, such as smartphones, smart TVs, and TV top boxes, according to security researchers from Qihoo 360's Network Security Research Lab [Netlab] division, the ones who discovered the botnet, which the named ADB.miner.

Internal MISP references

UUID 6d7fc046-61c8-4f4e-add9-eebe5b5f4f69 which can be used as unique global reference for ADB.miner in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Bagle

Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bagle.

Known Synonyms
Beagle
Lodeight
Mitglieder
Internal MISP references

UUID d530ea76-9bbc-4276-a2e3-df04e0e5a14c which can be used as unique global reference for Bagle in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2004
Related clusters

To see the related clusters, click here.

Marina Botnet

Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Marina Botnet.

Known Synonyms
BOB.dc
Cotmonger
Damon Briant
Hacktool.Spammer
Kraken
Internal MISP references

UUID 7296f769-9bb7-474d-bbc7-5839f71d052a which can be used as unique global reference for Marina Botnet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Torpig

Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data hajimeon the computer, and can perform man-in-the-browser attacks.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Torpig.

Known Synonyms
Anserin
Sinowal
Internal MISP references

UUID 415a3667-4ac4-4718-a6ea-617540a4abb1 which can be used as unique global reference for Torpig in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2005
Related clusters

To see the related clusters, click here.

Storm

The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of "zombie" computers (or "botnet") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm.

Known Synonyms
Dorf
Ecard
Nuwar
Peacomm
Zhelatin
Internal MISP references

UUID 74ebec0c-6db3-47b9-9879-0d125e413e76 which can be used as unique global reference for Storm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2007

Rustock

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rustock.

Known Synonyms
Costrat
RKRustok
Internal MISP references

UUID 9bca63cc-f0c7-4704-9c5f-b5bf473a9b43 which can be used as unique global reference for Rustock in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2006
Related clusters

To see the related clusters, click here.

Donbot

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Donbot.

Known Synonyms
Bachsoy
Buzus
Internal MISP references

UUID 27a7fd9b-ec9a-4f4a-b3f5-a3b81c71970a which can be used as unique global reference for Donbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Cutwail

The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo.] It affects computers running Microsoft Windows. related to: Wigon, Pushdo

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cutwail.

Known Synonyms
Mutant
Pandex
Internal MISP references

UUID 35e25aad-7c39-4a1d-aa17-73fa638362e8 which can be used as unique global reference for Cutwail in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2007
Related clusters

To see the related clusters, click here.

Akbot

Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.

Internal MISP references

UUID 6e1168e6-7768-4fa2-951f-6d6934531633 which can be used as unique global reference for Akbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2007
Related clusters

To see the related clusters, click here.

Srizbi

Srizbi BotNet, considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Srizbi.

Known Synonyms
Cbeplay
Exchanger
Internal MISP references

UUID 6df98396-b52a-4f84-bec2-0060bc46bdbf which can be used as unique global reference for Srizbi in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2007

Lethic

The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.

Internal MISP references

UUID a73e150f-1431-4f72-994a-4000405eff07 which can be used as unique global reference for Lethic in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2008
Related clusters

To see the related clusters, click here.

Xarvester

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Xarvester.

Known Synonyms
Pixoliz
Rlsloup
Internal MISP references

UUID e965dd3a-bfd9-4c88-b7a5-a8fc328ac859 which can be used as unique global reference for Xarvester in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Sality

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sality.

Known Synonyms
Kookoo
Kukacka
Kuku
SalLoad
SaliCode
Sality
Sector
Internal MISP references

UUID 6fe5f49d-48b5-4dc2-92f7-8c94397b9c96 which can be used as unique global reference for Sality in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2008
Related clusters

To see the related clusters, click here.

Mariposa

The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the "Butterfly (mariposa in Spanish) Bot", making it one of the largest known botnets.

Internal MISP references

UUID f4878385-c6c7-4f6b-8637-08146841d2a2 which can be used as unique global reference for Mariposa in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2008

Conficker

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Conficker.

Known Synonyms
DownAdUp
DownAndUp
DownUp
Kido
Internal MISP references

UUID ab49815e-8ba6-41ec-9f51-8a9587334069 which can be used as unique global reference for Conficker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date November 2008
Related clusters

To see the related clusters, click here.

Waledac

Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Waledac.

Known Synonyms
Waled
Waledpak
Internal MISP references

UUID 4e324956-3177-4c8f-b0b6-e3bc4c3ede2f which can be used as unique global reference for Waledac in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date November 2008

Maazben

A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.

Internal MISP references

UUID a461f744-ab52-4a78-85e4-aedca1303a4c which can be used as unique global reference for Maazben in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Onewordsub

Internal MISP references

UUID 4cc97d31-c9ab-4682-aae4-21dcbc02118f which can be used as unique global reference for Onewordsub in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Gheg

Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware – it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server – they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gheg.

Known Synonyms
Mondera
Tofsee
Internal MISP references

UUID ca11e3f2-cda1-45dc-bed1-8708fa9e27a6 which can be used as unique global reference for Gheg in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Nucrypt

Internal MISP references

UUID ec9917f4-006b-4a32-9a58-c03b5c85abe4 which can be used as unique global reference for Nucrypt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Wopla

Internal MISP references

UUID b2ec8e6b-414d-4d76-b51c-8ba3eee2918d which can be used as unique global reference for Wopla in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Asprox

The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Asprox.

Known Synonyms
Aseljo
Badsrc
Danmec
Hydraflux
Internal MISP references

UUID 0d58f329-1356-468c-88ab-e21fbb64c02b which can be used as unique global reference for Asprox in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2008
Related clusters

To see the related clusters, click here.

Spamthru

Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machine’s processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Spamthru.

Known Synonyms
Covesmer
Spam-DComServ
Xmiler
Internal MISP references

UUID 3da8c2f9-dbbf-4825-9010-2261b2007d22 which can be used as unique global reference for Spamthru in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Gumblar

Gumblar is a malicious JavaScript trojan horse file that redirects a user's Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.

Internal MISP references

UUID 5b83d0ac-3661-465e-b3ab-ca182d1eacad which can be used as unique global reference for Gumblar in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2008

BredoLab

The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BredoLab.

Known Synonyms
Oficla
Internal MISP references

UUID 65a30580-d542-4113-b00f-7fab98bd046c which can be used as unique global reference for BredoLab in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date May 2009
Related clusters

To see the related clusters, click here.

Grum

The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world's 3rd largest botnet, responsible for 18% of worldwide spam traffic.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Grum.

Known Synonyms
Reddyb
Tedroo
Internal MISP references

UUID a2a601db-2ae7-4695-ac0c-0a3ea8822356 which can be used as unique global reference for Grum in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2009

Mega-D

The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mega-D.

Known Synonyms
Ozdok
Internal MISP references

UUID c12537fc-1de5-4d12-ae36-649f32919059 which can be used as unique global reference for Mega-D in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Kraken

The Kraken botnet was the world's largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kraken.

Known Synonyms
Kracken
Internal MISP references

UUID e721809b-2785-4ce3-b95a-7fde2762f736 which can be used as unique global reference for Kraken in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Festi

The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Festi.

Known Synonyms
Spamnost
Internal MISP references

UUID b76128e3-cea5-4df8-8d23-d9f3305e5a14 which can be used as unique global reference for Festi in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date August 2009

Vulcanbot

Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. It is thought to have begun in late 2009.

Internal MISP references

UUID dfd17a50-65df-4ddc-899e-1052e5001a1f which can be used as unique global reference for Vulcanbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2010

LowSec

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LowSec.

Known Synonyms
FreeMoney
LowSecurity
Ring0.Tools
Internal MISP references

UUID 533e3474-d08d-4d02-8adc-3765750dd3a3 which can be used as unique global reference for LowSec in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date January 2010

TDL4

Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system's network traffic and searching for: banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015,triggered these crashes by breaking assumptions made by the malware author(s).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TDL4.

Known Synonyms
Alureon
TDSS
Internal MISP references

UUID 61a17703-7837-4cc9-b022-b5ed6b30efc1 which can be used as unique global reference for TDL4 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010
Related clusters

To see the related clusters, click here.

Zeus

Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zeus.

Known Synonyms
Gorhax
Kneber
PRG
Wsnpoem
Zbot
ZeuS
Internal MISP references

UUID e878d24d-f122-48c4-930c-f6b6d5f0ee28 which can be used as unique global reference for Zeus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Kelihos

The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kelihos.

Known Synonyms
Hlux
Internal MISP references

UUID 07b10419-e8b5-4b5f-a179-77fc9b127dc6 which can be used as unique global reference for Kelihos in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010
Related clusters

To see the related clusters, click here.

Ramnit

Ramnit is a Computer worm affecting Windows users. It was estimated that it infected 800 000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec securities in 2015. In 2015, this infection was estimated at 3 200 000 PCs.

Internal MISP references

UUID 8ed81090-f098-4878-b87e-2d801b170759 which can be used as unique global reference for Ramnit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2011
Related clusters

To see the related clusters, click here.

Zer0n3t

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zer0n3t.

Known Synonyms
Fib3rl0g1c
Zer0Log1x
Zer0n3t
Internal MISP references

UUID 417c36fb-fff7-40df-8387-07169113b9b4 which can be used as unique global reference for Zer0n3t in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2013

Chameleon

The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. The affected computers were all Windows PCs with the majority being private PCs (residential systems).

Internal MISP references

UUID 3084cd06-e415-4ff0-abd0-cf8fbf67c53c which can be used as unique global reference for Chameleon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012

Mirai

Mirai (Japanese for "the future", 未来) is a malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.

Internal MISP references

UUID fcdfd4af-da35-49a8-9610-19be8a487185 which can be used as unique global reference for Mirai in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date August 2016
Related clusters

To see the related clusters, click here.

XorDDoS

XOR DDOS is a Linux trojan used to perform large-scale DDoS

Internal MISP references

UUID 5485d149-79b5-451e-b48c-a020eced3515 which can be used as unique global reference for XorDDoS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Satori

According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Satori.

Known Synonyms
Okiru
Internal MISP references

UUID e77cf495-632a-4459-aad1-cdf29d73683f which can be used as unique global reference for Satori in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

BetaBot

Internal MISP references

UUID 3d7c771b-b175-41c9-8ba1-904ef29715fa which can be used as unique global reference for BetaBot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date April 2017
Related clusters

To see the related clusters, click here.

Hajime

Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown. It is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existance was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).

Internal MISP references

UUID 383fd414-3805-11e8-ac12-c7b5af38ff67 which can be used as unique global reference for Hajime in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Muhstik

The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS. At the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware. Crooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online. The Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.

Internal MISP references

UUID 8364b00c-46c6-11e8-a78e-9bcc5609574f which can be used as unique global reference for Muhstik in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Hide and Seek

Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise. This is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device. The reset operation flushed the device's flash memory, where the device would keep all its working data, including IoT malware strains. But today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices. By placing itself in this menu, the device's OS will automatically start the malware's process after the next reboot.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hide and Seek.

Known Synonyms
HNS
Hide 'N Seek
Internal MISP references

UUID cdf1148c-5358-11e8-87e5-ab60d455597f which can be used as unique global reference for Hide and Seek in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Mettle

Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.

Internal MISP references

UUID 77a308b6-575d-11e8-89a9-3f6a2a9c08bb which can be used as unique global reference for Mettle in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Owari

IoT botnet, Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot - another Mirai variant - or Omni bot. Author is called WICKED

Internal MISP references

UUID f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc which can be used as unique global reference for Owari in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2018
Related clusters

To see the related clusters, click here.

Brain Food

Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.

Internal MISP references

UUID f293c553-8b03-40b3-a125-f9ae66a72d99 which can be used as unique global reference for Brain Food in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2018

Pontoeb

The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the possibility to run command such as: download a file, update itself, visit a website and perform HTTP, SYN, UDP flooding

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pontoeb.

Known Synonyms
N0ise
Internal MISP references

UUID bc60de19-27a5-4df8-a835-70781b923125 which can be used as unique global reference for Pontoeb in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2011

Trik Spam Botnet

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Trik Spam Botnet.

Known Synonyms
Trik Trojan
Internal MISP references

UUID c68d5e64-7485-11e8-8625-2b14141f0501 which can be used as unique global reference for Trik Spam Botnet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Madmax

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Madmax.

Known Synonyms
Mad Max
Internal MISP references

UUID 7a6fcec7-3408-4371-907b-cbf8fc931b66 which can be used as unique global reference for Madmax in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Pushdo

Internal MISP references

UUID 94d12a03-6ae8-4006-a98f-80c15e6f95c0 which can be used as unique global reference for Pushdo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Simda

Internal MISP references

UUID 347e7a64-8ee2-487f-bcb3-ca7564fa836c which can be used as unique global reference for Simda in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Virut

Internal MISP references

UUID cc1432a1-6580-4338-b119-a43236528ea1 which can be used as unique global reference for Virut in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Beebone

Internal MISP references

UUID 49b13880-9baf-4ae0-9171-814094b03d89 which can be used as unique global reference for Beebone in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Bamital

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bamital.

Known Synonyms
Agent-OCF
Mdrop-CSK
Internal MISP references

UUID 07815089-e2c6-4084-9a62-3ece7210f33f which can be used as unique global reference for Bamital in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Gafgyt

Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gafgyt.

Known Synonyms
Bashlite
Internal MISP references

UUID 40795af6-b721-11e8-9fcb-570c0b384135 which can be used as unique global reference for Gafgyt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Sora

Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year.Initial versions were nothing out of the ordinary, and Sora's original author soon moved on to developing the Mirai Owari version, shortly after Sora's creation.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sora.

Known Synonyms
Mirai Sora
Internal MISP references

UUID 025ab0ce-bffc-11e8-be19-d70ec22c5d56 which can be used as unique global reference for Sora in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Torii

we have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses. The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.

Internal MISP references

UUID 92f38212-94e2-4d70-9b5e-e977eb1e7b79 which can be used as unique global reference for Torii in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Persirai

A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.

Internal MISP references

UUID e3e91fe2-c7ce-11e8-8e85-6bc15cd2a63c which can be used as unique global reference for Persirai in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Chalubo

Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo. The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher. This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.

Internal MISP references

UUID f387e30a-dc48-11e8-b9f4-370bc63008bf which can be used as unique global reference for Chalubo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

AESDDoS

Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.

Internal MISP references

UUID 809d100b-d46d-40f4-b498-5371f46bb9d6 which can be used as unique global reference for AESDDoS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Arceus

A set of DDoS botnet.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Arceus.

Known Synonyms
Katura
MyraV
myra
Internal MISP references

UUID e23d0f90-6dc5-46a5-b38d-06f176b7c601 which can be used as unique global reference for Arceus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value

Mozi

Mozi infects new devices through weak telnet passwords and exploitation.

Internal MISP references

UUID ea2906a5-d493-4afa-b770-436c0c246c78 which can be used as unique global reference for Mozi in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UPAS-Kit

UPAS-Kit was advertised by auroras a/k/a vinny in middle of june 2012 via exploit.in. Upas is the predecessor of Kronos. Marcus Hutchins helped create and, in partnership with another, sell malicious computer code, a/k/a malware, known as UPAS-Kit.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UPAS-Kit.

Known Synonyms
Rombrast
Internal MISP references

UUID 099223a1-4a6e-4024-8e48-dbe199ec7244 which can be used as unique global reference for UPAS-Kit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Phorpiex

Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Phorpiex.

Known Synonyms
Trik
Internal MISP references

UUID 26339b2e-7d82-4844-a9f0-81b0dd85e37c which can be used as unique global reference for Phorpiex in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DDG

First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).

Internal MISP references

UUID 25a745c8-0d2a-40e1-9bb2-3704d1bd49e3 which can be used as unique global reference for DDG in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Glupteba

A multi-component botnet targeting Windows Computer. Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, deploy and operate proxy components targeting Windows systems and IoT devices. The botnet has been observed targeting victims worldwide, including the US, India, Brazil and Southeast Asia. The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS).

Internal MISP references

UUID 37c5d3ad-9057-4fcb-9fb3-4f7e5377a304 which can be used as unique global reference for Glupteba in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Elknot

DDoS Botnet

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Elknot.

Known Synonyms
BillGates
Linux/BillGates
Internal MISP references

UUID 98392af9-d4a4-4e63-aded-f802a0fa6ef7 which can be used as unique global reference for Elknot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Advanced modular botnet that is reportedly linked to the Sandworm or Voodoo Bear advanced persistent threat (APT) group.

Internal MISP references

UUID b184c123-6d3e-4152-8c2e-72e3e61d2f5a which can be used as unique global reference for Cyclops Blink in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Abcbot

Botnet

Internal MISP references

UUID bcc60155-e824-4adb-a906-eec43c2d1ae8 which can be used as unique global reference for Abcbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Ripprbot

Botnet

Internal MISP references

UUID 3e40c1af-51f5-4b02-b189-74567125c6e0 which can be used as unique global reference for Ripprbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

EnemyBot

In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.

This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.

It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.

Enemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.

Internal MISP references

UUID a5a067c9-c4d7-4f33-8e6f-01b903f89908 which can be used as unique global reference for EnemyBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Qbot

Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan, steals financial data, browser information/hooks, keystrokes, credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 – two big campaigns, one from March to June, second Starting in July and ongoing, as part of latest Emotet campaign. Newer version appeared in August.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Qbot.

Known Synonyms
Pinkslipbot
QakBot
Internal MISP references

UUID 421a3805-7741-4315-82c2-6c9aa30d0953 which can be used as unique global reference for Qbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Dark.IoT

This malware is characterized by alternative DNS connections and connects to several *.lib domains using custom DNS servers.

Internal MISP references

UUID 505c6a54-a701-4a4b-85d4-0f2038b7b46a which can be used as unique global reference for Dark.IoT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

KmsdBot

Akamai Security Research has observed a new golang malware which they named KmsdBot. The malware scans for open SSH ports and performs a simple dictionary attack against it. The researchers from Akamai monitored only DDoS activity, but discovered also the functionality to launch cryptomining. The malware has varied targets including the gaming industry, technology industry, and luxury car manufacturers.

Internal MISP references

UUID b6919400-9b16-48ae-8379-fab26a506e32 which can be used as unique global reference for KmsdBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

HinataBot

Akamai researchers on the Security Intelligence Response Team (SIRT) have discovered a new Go-based, DDoS-focused botnet. The malware appears to have been named “Hinata” by the malware author after a character from the popular anime series, Naruto. We are calling it “HinataBot.” Looks like an attempt to rewrite Mirai in Go. The threat actors behind HinataBot originally distributed Mirai binaries.

Internal MISP references

UUID 040f2e89-b8be-4150-9426-c30f75e858a2 which can be used as unique global reference for HinataBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

3ve

3ve, pronounced as “Eve”, was a botnet that was halted in late 2018. 3ve utilized the malware packages Boaxxe and Kovter to infect a network of PCs. They were spread through emails and fake downloads, and once infected, the bots would generate fake clicks on online advertisements. The clicks would be used on fake websites, which hosted ads and then absorbed the ad revenue from the false impressions. Bots were able to mimic desktop and mobile traffic in order to evade detection, and went through several evolutions of tactics to grow over time. At its peak, the botnet controlled more than one million residential and corporate IP-addresses, largely within Europe and North America.

Internal MISP references

UUID 43db3e92-8c98-11ee-b9d1-0242ac120002 which can be used as unique global reference for 3ve in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2018

7777-Botnet

7777-Botnet has been observed brute forcing Microsoft Azure instances via Microsoft Azure PowerShell bruteforcing. The botnet has a unique pattern of opening port 7777 on infected devices, returning an “xlogin:” message. The botnet has been used for low-volume attacks against targets of all industry sectors at a global scale, almost exclusively targeting C-Level employee logins. Due to the very low volume of around 2–3 login requests per week, the botnet is able to evade most security solutions.

Internal MISP references

UUID 9b3699d1-00bf-4f37-8e67-c4548b5c829a which can be used as unique global reference for 7777-Botnet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Amadey

Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called tasks) for all or specifically targeted computers compromised by the malware.

Internal MISP references

UUID 063e95fc-8c98-11ee-b9d1-0242ac120002 which can be used as unique global reference for Amadey in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date October 2018

AndroidBauts

AndroidBauts botnet is a network of infected Android devices that are used for promoting advertisements to users online. At one point, the number of infected devices was more than 550,000. The creators of the AndroidBauts botnet are able to gather data regarding the compromised devices - both software and hardware.

Internal MISP references

UUID a9e34144-8c98-11ee-b9d1-0242ac120002 which can be used as unique global reference for AndroidBauts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Andromeda

Andromeda botnet, also known as Gamarue or Wauchos, was first introduced to the public in 2011. During this time it was used to distribute large quantities of malware. According to Microsoft the Andromeda botnet was used to spread more than 80 malware families including ransomware, worms, and more. Andromeda is a modular malware, meaning additional components can be purchased to provide extra functionality.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Andromeda.

Known Synonyms
Gamarue
Wauchos
Internal MISP references

UUID 520d2484-8c99-11ee-b9d1-0242ac120002 which can be used as unique global reference for Andromeda in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2011

ArrkiiSDK

ArrkiiSDK is potentially unwanted application (PUA) for Android devices. Its functions include unauthorised user tracking, ad fraud and the silent installation of additional applications without the user's permission. ArrkiiSDK relies on the user actively installing an infected application, which is normally hidden within another software package that appears completely harmless.

Internal MISP references

UUID b3fdb226-8c99-11ee-b9d1-0242ac120002 which can be used as unique global reference for ArrkiiSDK in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Avalanche

Avalanche refers to a large global network hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. is a set of computer programs to conduct a DDoS attack. It is believed that trinoo networks have been set up on thousands of systems on the Internet that have been compromised by remote buffer overrun exploits. Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims’ compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims’ computers. In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise. Avalanche used fast-flux DNS, a technique to hide the criminal servers, behind a constantly changing network of compromised systems acting as proxies.

Internal MISP references

UUID da635b2e-22f3-4374-8fca-67c4bd3cb978 which can be used as unique global reference for Avalanche in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Bayrob

Bayrob evolved from a backdoor trojan used for fraud into a cryptocurrency miner. Symantec discovered multiple versions of Bayrob malware, and witnessed Bayrob as it morphed from online fraud to a 300,000+ botnet for cryptocurrency mining.

Internal MISP references

UUID 693e1ce8-8c9a-11ee-b9d1-0242ac120002 which can be used as unique global reference for Bayrob in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Bedep

Bedep has been mostly observed in ad-fraud campaigns, although it can also generally load modules for different tasks. It was dropped by the Angler Exploit Kit.

Internal MISP references

UUID b97f3868-8c9a-11ee-b9d1-0242ac120002 which can be used as unique global reference for Bedep in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Bolek

Bolek is a malware from the Kbot/Carberp family. It is being subject to frequent updates and has malicious capabilities which include self-spreading through USB and network shares, TOR network access, screen captures and web injects, and uses asymmetric cryptography to secure network communications.

Internal MISP references

UUID 79f62503-b947-40fe-91f3-4a5d567df3c6 which can be used as unique global reference for Bolek in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date May 2016
Related clusters

To see the related clusters, click here.

Carna

The Carna botnet was a botnet of 420,000 devices created by an anonymous hacker to measure the extent of the Internet. The data was collected by infiltrating Internet devices, especially routers, that used a default password or no password at all.

Internal MISP references

UUID 152cdb68-8ca3-11ee-b9d1-0242ac120002 which can be used as unique global reference for Carna in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012

Code Shikara

Code Shikara is a computer worm, related to the Dorkbot family, that attacks through social engineering and capable of spying on users' browsing activities, meanwhile stealing their personal online/offline information and/or credentials.

Internal MISP references

UUID 8b21d8e6-8ca3-11ee-b9d1-0242ac120002 which can be used as unique global reference for Code Shikara in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2011
Related clusters

To see the related clusters, click here.

Condi

DDoS-as-a-service botnet calling itself Condi. This malware employs several techniques to keep itself running in an infected system. At the same time, it also prevents infections from other botnets by attempting to terminate their processes. Typical to Mirai-based botnets, this malware cannot survive a system reboot.

Internal MISP references

UUID 0913ea8c-8ca4-11ee-b9d1-0242ac120002 which can be used as unique global reference for Condi in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2023

Cooee

Cooee is a trojan pre-installed on some Phillips smartphones that displays annoying advertisements and downloads and installs different software without user knowledge.

Internal MISP references

UUID cbad44ed-b4d0-42c9-acfc-ee58ff85da99 which can be used as unique global reference for Cooee in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2016

Coreflood

Coreflood is a trojan horse and botnet created by a group of Russian hackers and released in 2010. The FBI included on its list of infected systems approximately 17 state or local government agencies, including one police department; three airports; two defense contractors; five banks or financial institutions; approximately 30 colleges or universities; approximately 20 hospital or health care companies; and hundreds of businesses. It is present on more than 2.3 million computers worldwide and as of May 2011 remains a threat.

Internal MISP references

UUID 4f24b1dd-01a0-43cf-a0bb-eb2d70f727c1 which can be used as unique global reference for Coreflood in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010

Crackonosh

In 2021 Crackonosh has been found in 222,000 compromised computers that were used to download illegal, torrented versions of popular video games. Crackonosh successfully operated for years because it had built-in mechanisms to disable security software and updates, which made it difficult for users to detect and remove the program. The malware is thought to have originated in the Czech Republic, but it had a global reach.

Internal MISP references

UUID 4ccad4ee-3bff-41ac-8d05-0d5acbaaefbe which can be used as unique global reference for Crackonosh in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010

FluBot

FluBot is a remote control and info stealer malware. It has abilities to read and send SMS message, delete app, and execute arbitrary commands. It is often distributed through SMS messages. PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for it's C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FluBot.

Known Synonyms
Cabassous
FakeChat
Internal MISP references

UUID 4fc7daf0-c88f-4bbd-bf3c-7189ca1fdc69 which can be used as unique global reference for FluBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2021

FritzFrog

FritzFrog is a decentralized botnet that uses P2P protocols to distribute control over all of its nodes, thereby avoiding having one controller or single point of failure.

Internal MISP references

UUID fc903c58-145a-4b68-98e6-3f496c5c1a19 which can be used as unique global reference for FritzFrog in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Gootkit

Gootkit is a trojan that steals confidential information and allows criminals to take control of infected systems remotely. Gootkit can also be used to install additional malware, such as Emotet. This botnet is a type of malware bot that may perform many malicious tasks, such as downloading and executing additional malware, receiving commands from a control server and relaying specific information and telemetry back to the control server, updating or deleting itself, stealing login and password information, logging keystrokes, participating in a Distributed Denial of Service (DDoS) attack, or locking and encrypting the contents of your computer and demanding payment for its safe return.

Internal MISP references

UUID 410685be-999d-472e-8fd9-15366b6031a1 which can be used as unique global reference for Gootkit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Great Cannon

The Great Cannon of China is an Internet attack tool that is used by the Chinese government to launch distributed denial-of-service attacks on websites by performing a man-in-the-middle attack on large amounts of web traffic and injecting code which causes the end-user's web browsers to flood traffic to targeted websites.[1] According to the researchers at the Citizen Lab, the International Computer Science Institute, and Princeton University's Center for Information Technology Policy, who coined the term, the Great Cannon hijacks foreign web traffic intended for Chinese websites and re-purposes them to flood targeted web servers with enormous amounts of traffic in an attempt to disrupt their operations.

Internal MISP references

UUID b56c8516-1f1c-42f6-8b89-37d90f50eb35 which can be used as unique global reference for Great Cannon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Hail Mary Cloud

The Hail Mary Cloud was, or is, a password guessing botnet, which used a statistical equivalent to brute force password guessing. The botnet ran from possibly as early as 2005, and certainly from 2007 until 2012 and possibly later. The botnet was named and documented by Peter N. M. Hansteen. The principle is that a botnet can try several thousands of more likely passwords against thousands of hosts, rather than millions of passwords against one host. Since the attacks were widely distributed, the frequency on a given server was low and was unlikely to trigger alarms. Moreover, the attacks come from different members of the botnet, thus decreasing the effectiveness of both IP based detection and blocking.

Internal MISP references

UUID 5ae51675-518d-4e16-b339-2b029f5055e0 which can be used as unique global reference for Hail Mary Cloud in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Joker

Joker is a trojan that is included in several unsuspecting apps that have been offered via the Google Play Store, among others. The malware silently interacts with ad networks to perform clicks on ad banners and subscribe to paid premium services. To do this, Joker is able to read SMS messages, contact lists and device information from the victim system. It collects data from infected systems, intercepts sensitive communications and transmits the information to a remote attacker.

Internal MISP references

UUID 879bbd30-4f89-4dcb-a225-ecfed25a552f which can be used as unique global reference for Joker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

KBOT

KBOT penetrates users’ computers via the Internet or a local network, or from infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victim’s bank and personal data. For the same purpose, KBOT can download additional stealer modules that harvest and send to the C&C server almost full information about the user: passwords/logins, cryptowallet data, lists of files and installed applications, and so on.

Internal MISP references

UUID 0cac5b2b-a06d-40c1-b192-159148dd0132 which can be used as unique global reference for KBOT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Linux.Darlloz

Linux.Darlloz is a worm which infects Linux embedded systems. Linux.Darlloz was first discovered by Symantec in 2013.[3] Linux.Darlloz targets the Internet of things and infects routers, security cameras, set-top boxes by exploiting a PHP vulnerability. The worm was based on a Proof of concept code that was released in October 2013. inux.Darlloz utilizes vulnerability (CVE-2012-1823) to exploit systems in order to compromise systems. Linux.Darlloz was later found in March 2014 to have started mining crypto currencies such as Mincoin and Dogecoin. Linux.Aidra, the malware that Linux.Darlloz attempts usurp - like some of the variants of Darlloz, Linux.Aidra targets smaller devices, specifically cable and DSL modems. The worm adds them to a botnet, which can be utilized by the attackers to perform DDoS attacks.

Internal MISP references

UUID 3bc577c9-2081-4d13-a77d-91497439e634 which can be used as unique global reference for Linux.Darlloz in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Marcher

Marcher is a banking trojan for Android devices. Researchers at Dutch security firm Securify have conducted a detailed analysis of the Android banking Trojan known as Marcher and discovered that a single botnet has managed to steal a significant number of payment cards. Securify has identified nine Marcher botnets over the last 6 months, and each of them has been provided with new modules and targeted web injects by the Trojan’s creators.

Internal MISP references

UUID 3b27313a-3122-4f7e-970e-4dc50f90526d which can be used as unique global reference for Marcher in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Matsnu

Matsnu is a malware downloader. The malware downloaded may include the banking trojans Citadel and URLZone/Bebloh. Matsnu can also be expanded with additional functions using plug-ins. One of these plug-ins is designed to capture access data for e-mail accounts and FTP programs and pass this information to the operator of the malware.

Internal MISP references

UUID f69bc11f-871b-49c6-a2d9-66ac6a4a8ea6 which can be used as unique global reference for Matsnu in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Methbot

Methbot was an advertising fraud scheme. Methbot was first tracked in 2015 by cybersecurity firm White Ops, and the botnet saw rapidly increased activity in 2016. The botnet originated in Russia (though it was not state sponsored), and utilized foreign computers and networks in Europe and North America. The infrastructure consisted of 571,904 dedicated IPs, 6,000 domains, and 250,267 distinct URLs, each of which could only house a video ad, and used variants of the names of famous publishers to fool those looking into the domains. This led the operators to game the system, leading ad selection algorithms to select these fake web pages over larger corporate pages from legitimate companies, and charge advertisers at a premium. About 570,000 bots were used to execute clicks on those websites, “watching” up to 300 million video ads a day while the bots mimicked normal computer user behavior. Estimated clicks per day generally reached between 200 and 300 million per day. The botnet relied on data servers instead of more traditional botnets that rely on infected PCs and mobile devices.

Internal MISP references

UUID 24341069-4a99-4da7-b89c-230a788bb9d6 which can be used as unique global reference for Methbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2015

Metulji

The Metulji botnet, discovered in June 2011, is a botnet mainly involved in cyberscamming and denial of service attacks. Before the botnet itself was dismantled, it consisted of over 12 million individual zombie computers infected with the Butterfly Bot, making it, as of June 2011, the largest known botnet. It is not known what type of computers are vulnerable, or how to tell if a computer is a part of this botnet.

Internal MISP references

UUID e3727560-aa99-47fb-8639-8bcf9c722168 which can be used as unique global reference for Metulji in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2011

Mevade

The Mevade Botnet, also known as Sefnit or SBC, is a massive botnet. Its operators are unknown and its motives seems to be multi-purpose. In late 2013 the Tor anonymity network saw a very sudden and significant increase in users, from 800,000 daily to more than 5,000,000. A botnet was suspected and fingers pointed at Mevade. Trend Micro reported that its Smart Protection Network saw a tor module being distributed to Mevade Trojans.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mevade.

Known Synonyms
SBC
Sefnit
Internal MISP references

UUID 9531f3c0-edb4-4bc9-9b4a-5b55d482b235 which can be used as unique global reference for Mevade in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

MobiDash

MobiDash is a piece of adware for Android devices. The user is shown advertisements without their consent. Mobidash can also make calls in the background.

Internal MISP references

UUID 8b1df851-125e-41dc-b91d-96b7d78825ca which can be used as unique global reference for MobiDash in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Mutabaha

Mutabaha is a Trojan for Windows devices. Outfire, a Chromium-based browser, is downloaded and installed. This pretends to be the version of the Google Chrome browser. Mutabaha is able to drain data and manipulate advertisements. Mutabaha is downloaded and installed by another malware. As a rule, this dropper is removed after the malware has been installed, making it almost impossible to trace the infection.

Internal MISP references

UUID ee68d82a-c0c1-472a-a14b-127c4f811161 which can be used as unique global reference for Mutabaha in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

MyDoom

MyDoom is a malicious program that opens a backdoor to the infected device. Through this backdoor the attacker can gain access to the system and carry out further actions. The attack possibilities are diverse and range from information theft to the reloading of additional malware. MyDoom adds infected computers to a botnet and then carries out distributed denial of service (DDoS) attacks. When the worm takes control over the victim’s OS, it then opens various ports and provides a backdoor to invite even more malware in.

Internal MISP references

UUID 51f0388c-6984-40ac-9cbc-15c5f8685005 which can be used as unique global reference for MyDoom in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Necurs

The Necurs botnet is a distributor of many pieces of malware, most notably Locky. Around June 1, 2016, the botnet went offline, perhaps due to a glitch in the command and control server running Necurs. However, three weeks later, Jon French from AppRiver discovered a spike in spam emails, signifying either a temporary spike in the botnet's activity or return to its normal pre-June 1 state. In a 2020 report, it was noted to have particularly targeted India, Southeast Asia, Turkey and Mexico.

Internal MISP references

UUID 92e12541-a834-49e6-857e-d36847551a3c which can be used as unique global reference for Necurs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Nitol

The Nitol botnet mostly involved in spreading malware and distributed denial-of-service attacks. The Nitol Botnet was first discovered around December 2012, with analysis of the botnet indicating that the botnet is mostly prevalent in China where an estimate 85% of the infections are detected. In China the botnet was found to be present on systems that came brand-new from the factory, indicating the trojan was installed somewhere during the assembly and manufacturing process. According to Microsoft the systems at risk also contained a counterfeit installation of Microsoft Windows. On 10 September 2012 Microsoft took action against the Nitol Botnet by obtaining a court order and subsequently sinkholing the 3322.org domain. The 3322.org domain is a Dynamic DNS which was used by the botnet creators as a command and control infrastructure for controlling their botnet. Microsoft later settled with 3322.org operator Pen Yong, which allowed the latter to continue operating the domain on the condition that any subdomains linked to malware remain sinkholed.

Internal MISP references

UUID ff0e33a7-0c68-4c53-bfc2-8d22eca09748 which can be used as unique global reference for Nitol in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012

Nymaim

Nymaim was discovered in 2013. At that time it was only a dropper used to distribute TorrentLocker. In February 2016 it became popular again after incorporating leaked ISFB code, dubbed Goznym. When dropper obtains C&C address, it starts real communication. It downloads two important binaries and a lot more: payload – banker module (responsible for web injects – passive member of botnet); optional bot module (it is trying to open ports on a router and become an active part of a botnet. When it fails to do so, it removes itself from a system).

Internal MISP references

UUID 629cae99-a671-4162-a080-b971de54d7a1 which can be used as unique global reference for Nymaim in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2013

PBot

PBot is a P2P botnet derived from the Mirai source code. PBot performs MITB (man-in-the-browser) attacks and injects various scripts into legitimate websites. Its capabilities may go beyond simple injections of ads, depending on the intentions of its distributors.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PBot.

Known Synonyms
PythonBot
Internal MISP references

UUID d7047c78-1ace-4e53-93c9-a867996914ef which can be used as unique global reference for PBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Pirrit

Pirrit is a potentially unwanted application (PUA) for Windows and MacOS devices. It displays additional pop-ups and advertisements when the device is used. Pirrit downloads other malicious programs from a server and runs these programs; it can also manipulate system files.

Internal MISP references

UUID 42fc0e31-60c0-4a7d-8ad8-1121bb65c629 which can be used as unique global reference for Pirrit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Pitou

Pitou is a trojan for Windows devices. Its functions are to steal passwords and collect various pieces of information about the mobile phone, such as its location and contacts.

Internal MISP references

UUID 76ed7f49-6f18-4e86-a429-7aab82468ef6 which can be used as unique global reference for Pitou in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Prometei

Prometei is a cryptocurrency-mining botnet. Despite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly due to their small size or constant development on the adversary's part. Prometei is just one of these types of networks that focuses on Monero mining.

Internal MISP references

UUID 64d360dd-a48f-4b85-98ea-b2b5dcf81898 which can be used as unique global reference for Prometei in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2020

PrizeRAT

PrizeRAT is a trojan for Android devices. Its functions include unauthorised user tracking, stealing passwords and the silent installation of additional applications without the user's permission. As the malware is part of the firmware of the device, it is not generally recognised by anti-virus solutions for Android. The risk affects a limited group of mobile end devices made by Chinese manufacturers for the low-price segment.

Internal MISP references

UUID 440889c8-4986-4568-8fe4-f560d0d28cd7 which can be used as unique global reference for PrizeRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Pushlran

Pushlran is a potentially unwanted application (PUA) for Android devices. It displays additional pop-ups and advertisements when the device is used. The app collects data from infected systems, intercepts sensitive communication and passes this information to a remote attacker.

Internal MISP references

UUID ef861a3e-b81c-43ea-8fad-03633219302f which can be used as unique global reference for Pushlran in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Pykspa

Pykspa is a piece of malware that can be used to remotely control infected systems. It also enables attackers to download other malware or extract personal data. There are a number of versions of this malware and it has been developed over a long period of time. Some of the most recent versions of Pykspa are able to deactivate security systems such as anti-virus programs.

Internal MISP references

UUID c49b614b-c158-42e4-91e5-c96c7573b510 which can be used as unique global reference for Pykspa in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Qsnatch

Qsnatch is a trojan for Linux devices that primarily attacks network drives manufactured by QNAP. Its functions include stealing access data and opening backdoors to infected devices. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.

Internal MISP references

UUID 513ec176-3772-40be-be88-3bcd08382f54 which can be used as unique global reference for Qsnatch in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Remaiten

Remaiten is malware which infects Linux on embedded systems by brute forcing using frequently used default username and passwords combinations from a list in order to infect a system. Remaiten combines the features of the Tsunami and LizardStresser (aka Torlus) malware families. The command and control for Remaiten are handled by IRC communications. Additionally the command and control is done by an actual IRC channel rather than only the IRC protocol. This is an improvement over bots such as Tsunami and Torlus making Remaiten a greater threat than both combined. To avoid detection, Remaiten tries to determine the platform of a device to download the architecture-appropriate component from the command & control server. Once Remaiten infects a device it is able to perform actions such as launching distributed denial of service attacks or download more malware on a device.[5] Remaiten is able to scan and remove competing bots on a system compromised by it.

Internal MISP references

UUID 44460f62-85b9-4a36-99f7-553f58231ae2 which can be used as unique global reference for Remaiten in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Retadup

Retadup is a worm affecting Windows machines primarily throughout Latin America. Its objective is to achieve persistence on its victims’ computers, to spread itself far and wide and to install additional malware payloads on infected machines. In the vast majority of cases, the installed payload is a piece of malware mining cryptocurrency on the malware authors’ behalf. The French law enforcement agency, National Gendarmerie, in 2019 announced the successful takedown of one of the largest wide-spread RETADUP botnet malware and how it remotely disinfected more than 850,000 computers worldwide with the help of researchers.

Internal MISP references

UUID a860f4b7-68e9-4252-8ef5-2bb2ce0bc790 which can be used as unique global reference for Retadup in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

RootSTV

RootSTV is a trojan and downloader for Android devices, mainly SmartTVs. RootSTV downloads additional malicious programs from a server and executes them without the user's consent.

Internal MISP references

UUID 0170e672-7459-4bb3-8c1f-dc70d6249843 which can be used as unique global reference for RootSTV in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Rovnix

Rovnix is a data-stealing trojan that spreads by email and infects Windows PCs. Initial versions of the malware featured the extraction of data from compromised machines using unencrypted comms but more recently this has evolved to feature encryption during broadcast. The malware spread via e-mails infected with the Andromeda downloader. The infected attachment gets executed by an unwary user and this in turn downloads and runs Rovnix. The whole attack is designed to steal financial information, mainly credit card numbers. A new cluster of infections by the Rovnix Trojan has infected more than 130,000 Windows computers in the UK alone.

Internal MISP references

UUID 3c4b55a6-fff0-4faf-9f7f-19f18d35223f which can be used as unique global reference for Rovnix in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Slenfbot

Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

Internal MISP references

UUID 03d4ec41-3042-44fa-8de0-127981e21e63 which can be used as unique global reference for Slenfbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Stacheldraht

Stacheldraht is malware which performs a distributed denial-of-service (DDoS) attack. Stacheldraht uses a number of different denial-of-service (DoS) attack methods, including Ping flood, UDP flood, TCP SYN flood, and Smurf attack. Further, it can detect and automatically enable source address forgery. Adding encryption, it combines features of Trinoo and of Tribe Flood Network. The software runs on both Linux and Solaris.

Internal MISP references

UUID c2052368-e9f1-494c-8f23-a8d8a7cbd97b which can be used as unique global reference for Stacheldraht in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Suppobox

Suppobox is a trojan that intercepts any network traffic connected with a monetary transaction when users buy or sell products online. The malware focuses on auction websites.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Suppobox.

Known Synonyms
Bayrob
Nivdort
Internal MISP references

UUID de003ee4-ab51-44fb-891d-133a1efaa7d7 which can be used as unique global reference for Suppobox in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Triada

Triada is a trojan for Android devices. Triada's primary function is to record text messages. For example, it intercepts in-app purchases via text message and redirects payments made. Triada downloads other malware from a server and runs these programs.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Triada.

Known Synonyms
APK. Triada
Internal MISP references

UUID 0f1cc805-dd9c-483d-b6b8-8c1b67861a7d which can be used as unique global reference for Triada in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Trinoo

Trinoo is a set of computer programs to conduct a DDoS attack. It is believed that trinoo networks have been set up on thousands of systems on the Internet that have been compromised by remote buffer overrun exploits.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Trinoo.

Known Synonyms
trin00
Internal MISP references

UUID 99a0484c-c252-4ce8-8e7c-413f58a373b9 which can be used as unique global reference for Trinoo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Zemra

Zemra is a DDoS Bot which was first discovered in underground forums in May 2012. Zemra is capable of HTTP and SYN Flood flooding and also has a simple Command & Control panel that is protected with 256-bit DES encryption for communicating with its command and control (C&C) server. Zemra also sends information such as Computer name, Language settings, and Windows version. It will send this data to a remote location on a specific date and time. It also opens a backdoor on TCP port 7710 to receive commands from a remote command-and-control server, and it is able to monitor devices, collect system information, execute files, and even update or uninstall itself if necessary.

Internal MISP references

UUID 67d3961e-675f-4e81-bf8b-5b2fa1606d3c which can be used as unique global reference for Zemra in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Ztorg

Ztorg is a trojan for Android devices. Its functions include unauthorised user tracking, stealing passwords, the silent installation of additional applications without the user's permission, and the collection of data on the mobile phone, such as its location and contacts. Ztorg is a piece of malware that opens a backdoor to an infected device. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.

Internal MISP references

UUID 40cd57f6-39c9-4a9f-b4cf-de4762642bff which can be used as unique global reference for Ztorg in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value