Introduction
Today I will be writing about a new notable RAT called H-Worm Plus Public, coded in Algeria by Mohamed Bennabdellah, who goes by the online name of Houdini. This is the second VBScript worm with backdoor capabilities after Satanbot back in 2011. The worm spreads via flash drives by hiding all the original files and replacing them with shortcuts that launch both the worm and the hidden file. It connects to the controller using the HTTP POST method and sends the following information to the controller: computer name, IP address, user name, and ping from the controller.
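The flash-drive trick described above leaves a recognisable footprint: a .lnk shortcut sitting next to a same-named (hidden) file or folder, with a VBScript file in the same directory. The following is an added example written for this post, not code from the author or from the worm; it builds a constructed folder tree that mimics an infected drive and then scans it for that pattern. The requirement that the script sit in the same folder as the shortcuts, the `.vbs`/`.vbe` extensions and every file name are assumptions made for the demo; on Windows you would additionally check the hidden attribute on the impersonated file.

```python
"""Added example (not the post's code): flag the H-Worm style decoy pattern on a
removable drive, i.e. a .lnk shortcut sitting next to a same-named file or
folder, with a VBScript file also present in that folder. All paths, names and
the sample drive layout below are constructed for the demo."""
import os
import tempfile

# Assumption: VBScript droppers use these extensions.
WORM_EXTS = {".vbs", ".vbe"}


def build_sample_drive(root: str) -> None:
    """Create a constructed folder tree that mimics an infected flash drive."""
    os.makedirs(os.path.join(root, "photos"), exist_ok=True)   # original folder (would be hidden)
    os.makedirs(os.path.join(root, "clean"), exist_ok=True)    # folder with a harmless shortcut
    for name in (
        "report.docx",       # original file (would carry the hidden attribute on Windows)
        "report.docx.lnk",   # decoy shortcut impersonating report.docx
        "photos.lnk",        # decoy shortcut impersonating the photos folder
        "dropper.vbs",       # constructed name for the worm script
        "notes.txt",         # untouched file, no shortcut beside it
        os.path.join("clean", "app.lnk"),   # shortcut with nothing to impersonate
        os.path.join("clean", "data.csv"),
    ):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("constructed sample content\n")


def find_shortcut_decoys(root: str) -> list[str]:
    """Return relative paths of .lnk files that impersonate a sibling file or folder
    in a directory that also contains a VBScript file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        has_script = any(os.path.splitext(f.lower())[1] in WORM_EXTS for f in filenames)
        if not has_script:
            continue
        # Names a shortcut could be impersonating: every non-.lnk sibling entry,
        # both with its extension ("report.docx") and without it ("report").
        candidates = set()
        for entry in filenames + dirnames:
            entry = entry.lower()
            if entry.endswith(".lnk"):
                continue
            candidates.add(entry)
            candidates.add(os.path.splitext(entry)[0])
        for f in filenames:
            if f.lower().endswith(".lnk") and f[:-4].lower() in candidates:
                findings.append(os.path.relpath(os.path.join(dirpath, f), root))
    return sorted(findings)


def demo() -> list[str]:
    """Build the constructed drive in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return find_shortcut_decoys(root)


if __name__ == "__main__":
    for path in demo():
        print("suspicious shortcut:", path)
```

The scan only reports shortcuts that have something to impersonate and a script beside them, so the lone `clean/app.lnk` is not flagged; `photos.lnk` and `report.docx.lnk` are.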
Why would an attacker choose this RAT?
It is simple bot storage: VBScript files are easy to obfuscate and are not detected by proactive defenses, which makes them the best choice for a cyber criminal who wants to keep most of his bots. Attackers then move the bots they hold on the worm onto other RATs and botnets used for DDoSing, stealing passwords, etc.
Downsides
The downside of this RAT is that, because it uses the HTTP POST method to send data to its C&Cs, the information is unencrypted, which makes it easy for C&C trackers to locate the infection sources. Recently Avast's web shield has also started detecting this type of connection as malicious, and the shortcuts created on flash drives are detected as malicious by most security products.
Notable H-Worm C&Cs
adamdam.zapto.org:1973
adolf2013.sytes.net:1183
adolf2013.sytes.net:1184
ahmad212.no-ip.biz:86
alii007.zapto.org:288
alii007.zapto.org:6611
am1.no-ip.info:1888
ballgogo.no-ip.biz:8088
basss.no-ip.info:2026
basss.no-ip.info:82
bg1337.zapto.org:1155
bog5151.zapto.org:991
dataday3.no-ip.org:83
docteuur13.no-ip.org:444
doda.redirectme.net:777
dzhacker15.no-ip.org:82
g00gle.sytes.net:4448
gerssy.zapto.org:6000
googlechrome.servegame.com:1990
hackediraq.no-ip.biz:88
hackeralbasrah.no-ip.biz:8888
hattouma12.no-ip.biz:88
hmode123.no-ip.biz:9090
karimstar.zapto.org:85
kiyoma200.no-ip.biz:1117
koko.myftp.org:9090
mda.no-ip.org:88
medolife.no-ip.biz:1247
microsoftsystem.sytes.net:4442
mootje01.no-ip.org:81
msgbox.zapto.org:5246
new-hacker.no-ip.org:81
njnj.redirectme.net:123
no99.zapto.org:81
noooot.no-ip.biz:443
pess-123.zapto.org:1604
pess-12.zapto.org:81
portipv6.redirectme.net:1991
ronaldo-123.no-ip.biz:2011
ronaldo-123.no-ip.biz:2013
sawdz.no-ip.biz:333
securityfocus.bounceme.net:1166
shagagy21.no-ip.biz:1605
sidisalim.myvnc.com:1888
silent9.zapto.org:7895
terminator9.zapto.org:1991
vpn-hacker.no-ip.biz:9090
xbox720.zapto.org:1991
xkiller.no-ip.info:1
yahia17.no-ip.org:1177
zeusback.no-ip.biz:223
zoia.no-ip.org:446
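Because the beacon is plain HTTP POST, a proxy or egress log is enough to match traffic against the list above. The following is an added example, not code from the post; it parses an excerpt of the C&C list (copied from the post, the full list would be loaded in practice), matches outbound POST requests in a constructed, simplified access-log format against exact host:port pairs, and additionally flags POSTs to the dynamic-DNS zones those C&Cs live in. The log format, the sample log lines and the zone heuristic are assumptions made for the demo.

```python
"""Added example (not the post's code): match outbound HTTP POST requests in a
proxy log against the post's C&C list and flag POSTs to the same dynamic-DNS
zones. The log format and log lines are constructed; the C&C entries are an
excerpt of the post's list."""
import re
from urllib.parse import urlsplit

# Excerpt of the post's C&C list (host:port, one per line).
KNOWN_C2 = """
adamdam.zapto.org:1973
ahmad212.no-ip.biz:86
g00gle.sytes.net:4448
microsoftsystem.sytes.net:4442
noooot.no-ip.biz:443
zoia.no-ip.org:446
"""

# Constructed log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2013-06-10T12:00:01 10.0.0.5 POST http://adamdam.zapto.org:1973/ 200
2013-06-10T12:00:07 10.0.0.9 GET http://www.example.com/index.html 200
2013-06-10T12:00:12 10.0.0.5 POST http://noooot.no-ip.biz:443/ 200
2013-06-10T12:01:30 10.0.0.7 POST http://update.example.org/api 200
2013-06-10T12:02:02 10.0.0.8 POST http://newbox.no-ip.biz:81/ 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$")


def parse_c2_list(text: str) -> set[tuple[str, int]]:
    """Turn 'host:port' lines into a set of (host, port) pairs."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, port = line.rpartition(":")
        pairs.add((host.lower(), int(port)))
    return pairs


def dyndns_zones(pairs: set[tuple[str, int]]) -> set[str]:
    """Second-level zone of each C&C host, e.g. 'zapto.org' (heuristic, assumption)."""
    return {".".join(host.split(".")[-2:]) for host, _ in pairs}


def classify(line: str, pairs: set[tuple[str, int]], zones: set[str]):
    """Return 'known_c2', 'dyndns_post' or None for one log line."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    u = urlsplit(m["url"])
    host = (u.hostname or "").lower()
    port = u.port or (443 if u.scheme == "https" else 80)
    if (host, port) in pairs:
        return "known_c2"            # exact match against the post's list
    if ".".join(host.split(".")[-2:]) in zones:
        return "dyndns_post"         # weaker: POST into a zone used by known C&Cs
    return None


def scan_log(text: str, c2_text: str = KNOWN_C2) -> list[tuple[str, str, str]]:
    """Return (client, url, verdict) for every flagged line."""
    pairs = parse_c2_list(c2_text)
    zones = dyndns_zones(pairs)
    alerts = []
    for line in text.splitlines():
        verdict = classify(line, pairs, zones)
        if verdict:
            m = LOG_RE.match(line)
            alerts.append((m["client"], m["url"], verdict))
    return alerts


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:12} {client} -> {url}")
```

The `known_c2` verdict is high confidence; `dyndns_post` is only a triage hint, since many legitimate hosts use the same free dynamic-DNS providers, so it is meant to surface candidates for the tracker, not to block on its own.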
Related RATs
NJ-Worm Controller Underworld Final
Definitions
RAT - Remote Administration Tool (Botnet Controller)
Botnet - Network of compromised computers which can be used for a set of malicious activities
C&C - Command and control server
Bot - Infected Computer System