Botnet renewal – Here is the February botnet
Eniko Toth


Do you remember the new version of the Hello Peppa botnet? At the end of 2018 it welcomed 2019 slightly early, and the January botnet started to spread. Well, it wouldn’t be funny if the botnet still sent „J4nur4ry” in the Post Data when we are already past January…

So, here is the February botnet!

Unlike the January botnet, this one was punctual and started on 1st February. The peak was on the next day, as you can see from the chart below.


After that, it looked like it died down, but on 17th Feb there was another peak. Let’s look closely at one of the requests sent by this botnet:

The only difference from the well-known botnet is in the Post Data. Now that it’s February, we can see F3bru4ry there, and this time they spelled it correctly. (Last time they had a typo in J4nur4ry.) The other characteristics of the botnet didn’t change:

  • Checks for backdoors left behind by a previous infection.
  • Uses the Mozilla/5.0 User Agent.
  • The most targeted URLs are:
      /7788.php
      /8899.php
      /9678.php
      /conflg.php
      /db.init.php
      /db__.init.php
      /db_session.init.php
      /mx.php
      /qq.php
      /s.php
      /sheep.php
      /w.php
      /wc.php
      /wshell.php
      /wuwu11.php
      /xshell.php
      /xw.php
      /xx.php
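The characteristics above are enough to spot this botnet in a plain web server log. The following detector is an added example, not BitNinja’s code: it assumes the server writes Apache “combined” format logs, uses the backdoor path list from the post, and runs over a few constructed (not real) log lines. The POST-body check is kept separate, because a stock access log does not contain request bodies.

```python
import re
from collections import Counter

# Backdoor paths probed by the February botnet (the list from the post).
BOTNET_PATHS = frozenset({
    "/7788.php", "/8899.php", "/9678.php", "/conflg.php", "/db.init.php",
    "/db__.init.php", "/db_session.init.php", "/mx.php", "/qq.php", "/s.php",
    "/sheep.php", "/w.php", "/wc.php", "/wshell.php", "/wuwu11.php",
    "/xshell.php", "/xw.php", "/xx.php",
})
# Month markers seen in the POST data so far ("J4nur4ry" was January's typo).
MONTH_MARKERS = ("J4nur4ry", "F3bru4ry")

# Apache "combined" log format; assumption: the server logs in this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_botnet_probe(fields):
    """A request for a known backdoor path is a probe; the query string is ignored."""
    path = fields["path"].split("?", 1)[0]
    return path in BOTNET_PATHS

def body_has_month_marker(post_body):
    """WAF-style check on a POST body (needs a proxy or module that exposes it)."""
    return any(marker in post_body for marker in MONTH_MARKERS)

def probes_per_source(lines):
    """Count backdoor probes per source IP over an iterable of log lines."""
    hits = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields and is_botnet_probe(fields):
            hits[fields["ip"]] += 1
    return hits

# Constructed sample log lines (not real traffic): one scanner, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Feb/2019:10:00:01 +0000] "POST /wshell.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Feb/2019:10:00:02 +0000] "POST /db_session.init.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Feb/2019:10:00:02 +0000] "GET /xx.php?x=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Feb/2019:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for ip, n in probes_per_source(SAMPLE_LOG).items():
        print(f"{ip}: {n} backdoor probe(s)")
```

A source that hits several of these paths within seconds is scanning, not browsing; the count per IP is the natural input for a blocklist or a SenseLog-style rule.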

Protection against the February botnet

The 404001 and 404002 WAF rules, which protect you against Hello Peppa and the January botnet, work the same way against the February botnet too, so with BitNinja Pro you don’t need to worry about getting hacked by this funny botnet.

What do you think? Will it become a habit to change this botnet from month to month? We’ll get the answer in March. ;)

Stay safe dear Ninja!

A few years ago, our web hosting company experienced heavy difficulties with the different kinds of cyberattacks. The things became so bad that we started to lose customers because they obviously perceived the consequences of the vulnerable servers. We couldn’t bear it anymore and decided to take over the control of the cyberwar. That’s how BitNinja was born 5 years ago. Our servers became safe and since then our web hosting company is rapidly growing, but that wasn’t enough for us. We have bigger dreams about a better future, where every server owner can forget all those headaches what we...