{"id":15907,"date":"2012-05-07T11:33:04","date_gmt":"2012-05-07T18:33:04","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=15907"},"modified":"2025-06-03T21:29:32","modified_gmt":"2025-06-04T04:29:32","slug":"pastebin-shares-botnet-source-code","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/","title":{"rendered":"Pastebin Shares Botnet Source Code"},"content":{"rendered":"<p>Few days back, we found another Pastebin entry that contains a source which looks to be malicious botnet code. As I wrote in my earlier <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/latest-spyeye-botnet-active-and-cheaper\">blog<\/a>, malware authors also use Pastebin to trade botnet kits. Many times, snippets of a botnet help researchers understand the workings of the botnet and write detections for it.<\/p>\n<p>The code posted was fairly simple to understand, appearing fully tested and complete. The code provides insights to the coding skills and techniques used by the botnet author. This bot uses fairly standard installation, copying itself into the Windows\\System32\\ folder and then sending and receiving commands from a hard-coded control server. The source contains two interesting antianalysis functions, which check for the presence of a sandbox or tools such as OllyDbg or Wireshark. If it detects countermeasures, the bot terminates its process. Below are the two functions used for antianalysis:<\/p>\n<h2><strong>BOOL bIsSandbox (void)<\/strong><\/h2>\n<ul>\n<li>Check GetModuleFileNameA() for presence of string \u201csample\u201d in the PATH<\/li>\n<li>Or Check GetUserNameA() for presence of string like \u201cHfreAnzr\u201d or \u201csandbox\u201d or \u201ccurrentuser\u201d or \u201cvmware\u201d or \u201cnepenthes\u201d<\/li>\n<li>Or Check GetComputerNameA() for presence of string like \u201cComputerName\u201d or \u201cCOMPUTERNAME\u201d<\/li>\n<li>Or Check GetModuleHandle() for presence of DLL like \u201cSbieDll.dll\u201d or \u201capi_log.dll\u201d or \u201cdbghelp.dll\u201d or \u201cdir_watch.dll\u201d<\/li>\n<li>If anything matches, terminate the bot process<\/li>\n<\/ul>\n<h2><strong>DWORD WINAPI tScanner (LPVOID)<\/strong><\/h2>\n<ul>\n<li>Use FindWindowA() function to check for name \u201cCommView\u201d<\/li>\n<li>Or \u201cTCPViewClass\u201d<\/li>\n<li>Or \u201cTCPView &#8211; Sysinternals: www.sysinternals.com\u201d<\/li>\n<li>Or \u201cPROCMON_WINDOW_CLASS\u201d<\/li>\n<li>Or \u201cOLLYDBG\u201d<\/li>\n<li>Or \u201cgdkWindowToplevel\u201d<\/li>\n<li>Or \u201cCommView &#8211; The Team ZWT 2008\u201d<\/li>\n<li>Or \u201cThe Wireshark Network Analyzer\u201d<\/li>\n<li>Or \u201cSysAnalyzer\u201d<\/li>\n<li>If anything matches, terminate the bot process<\/li>\n<\/ul>\n<p>Both of the preceding function help a bot to terminate its process from being analyzed by researchers. The bot sends OS version, Username, botID, and other information to its hard-coded control server in the <strong>ns\/clients.php?os=%s&amp;name=%s&amp;id=%i&amp;loc=%s<\/strong> format and waits for other commands.<\/p>\n<p>&nbsp;<\/p>\n<p>This bot supports the following commands, among others:<\/p>\n<p><strong>install:<\/strong> Download and install another binary<\/p>\n<p><strong>uninstall<\/strong>: Clears registry entries and exit()<\/p>\n<p><strong>open:<\/strong> Open a specified file<\/p>\n<p><strong>update:<\/strong> Update to a new bot binary<\/p>\n<p><strong>qkill:<\/strong> Exit<\/p>\n<p>Examining the code gives us a fair idea of the network communications of this botnet and helps researchers easily write detections. The availability of the source also helps us understand different techniques or methods used by the botnet authors. It&#8217;s no surprise that Pastebin has become a communications channel for bad guys&#8211;not only for selling botnets but also for sharing code snippets.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Few days back, we found another Pastebin entry that contains a source which looks to be malicious botnet code. As&#8230;<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[49],"coauthors":[3973],"class_list":["post-15907","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-botnet"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Pastebin Shares Botnet Source Code | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Few days back, we found another Pastebin entry that contains a source which looks to be malicious botnet code. As I wrote in my earlier blog, malware\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Pastebin Shares Botnet Source Code | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Few days back, we found another Pastebin entry that contains a source which looks to be malicious botnet code. As I wrote in my earlier blog, malware\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2012-05-07T18:33:04+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-04T04:29:32+00:00\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"Pastebin Shares Botnet Source Code\",\"datePublished\":\"2012-05-07T18:33:04+00:00\",\"dateModified\":\"2025-06-04T04:29:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/\"},\"wordCount\":420,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"keywords\":[\"botnet\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/\",\"name\":\"Pastebin Shares Botnet Source Code | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"datePublished\":\"2012-05-07T18:33:04+00:00\",\"dateModified\":\"2025-06-04T04:29:32+00:00\",\"description\":\"Few days back, we found another Pastebin entry that contains a source which looks to be malicious botnet code. As I wrote in my earlier blog, malware\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Pastebin Shares Botnet Source Code\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Pastebin Shares Botnet Source Code | McAfee Blog","description":"Few days back, we found another Pastebin entry that contains a source which looks to be malicious botnet code. As I wrote in my earlier blog, malware","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Pastebin Shares Botnet Source Code | McAfee Blog","og_description":"Few days back, we found another Pastebin entry that contains a source which looks to be malicious botnet code. As I wrote in my earlier blog, malware","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2012-05-07T18:33:04+00:00","article_modified_time":"2025-06-04T04:29:32+00:00","author":"McAfee","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/"},"author":{"name":"McAfee","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa"},"headline":"Pastebin Shares Botnet Source Code","datePublished":"2012-05-07T18:33:04+00:00","dateModified":"2025-06-04T04:29:32+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/"},"wordCount":420,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"keywords":["botnet"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/","name":"Pastebin Shares Botnet Source Code | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"datePublished":"2012-05-07T18:33:04+00:00","dateModified":"2025-06-04T04:29:32+00:00","description":"Few days back, we found another Pastebin entry that contains a source which looks to be malicious botnet code. As I wrote in my earlier blog, malware","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/pastebin-shares-botnet-source-code\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Pastebin Shares Botnet Source Code"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa","name":"McAfee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","caption":"McAfee"},"description":"We're here to make life online safe and enjoyable for everyone.","sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/x.com\/McAfee"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/15907","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=15907"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/15907\/revisions"}],"predecessor-version":[{"id":215038,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/15907\/revisions\/215038"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=15907"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=15907"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=15907"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=15907"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}