svohost.exe

The price to pay for an illegal warez download and installation is often forced participation in a botnet.

City Network Hosting AB in Sweden hosts mhead.org, a domain registered by "John Doe, Underground" through webbhotell.spray.se. The bot binary is a multi-functional program that seems to be quite popular at the moment: it can capture and send webcam images and screenshots, as well as run the usual ping and HTTP floods. The binary is called svohost.exe, lives in system32, and connects to its masters over TCP port 53, the DNS port, presumably so that the control traffic blends in with DNS and gets through firewalls that allow DNS out.

The bot joins a channel called #space where the operator is "neon@matrix.com". I can't imagine anything lamer, but there you go. The neon bot's master evidently hasn't got the best of internet connections, as it times out regularly. In fact, during the first five days of participation, the only traffic between bot and server, apart from the PING and PONG keepalives, was the notification that Neon had timed out and the subsequent re-login.
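The command channel described above is IRC-style traffic (JOIN, PING/PONG) carried on TCP port 53, a port that should only ever carry DNS. The following detector is an added example, not code from the original post and not the bot's own code: it separates DNS-over-TCP framing from IRC text on port-53 flows and flags the IRC ones. The flow records, the nick, the server name and the addresses are constructed for the demonstration; the only detail taken from the post is the #space channel.

```python
import re
import struct

# IRC commands a bot client and its server exchange; the post reports JOIN #space
# and the regular PING/PONG keepalives on the port-53 channel.
IRC_COMMANDS = {
    "NICK", "USER", "JOIN", "PART", "PING", "PONG", "PRIVMSG", "NOTICE",
    "MODE", "TOPIC", "QUIT",
}
# One IRC line: optional ":prefix " then a command word or a 3-digit numeric reply.
# IRC commands are case-insensitive, so letters of either case are accepted.
_IRC_LINE = re.compile(rb"^(?::[^ ]+ )?([A-Za-z]+|[0-9]{3})(?: |$)")


def looks_like_dns_over_tcp(payload: bytes) -> bool:
    """RFC 1035 section 4.2.2: DNS over TCP is a 2-byte big-endian length
    prefix followed by the message, which starts with a 12-byte header.
    Accept only if the prefix matches the message size, the opcode is one
    that is defined (0..5), and the reserved Z bit is clear."""
    if len(payload) < 14:
        return False
    (msg_len,) = struct.unpack("!H", payload[:2])
    if msg_len != len(payload) - 2:
        return False
    (flags,) = struct.unpack("!H", payload[4:6])
    opcode = (flags >> 11) & 0xF
    z_bit = (flags >> 6) & 0x1
    return opcode <= 5 and z_bit == 0


def looks_like_irc(payload: bytes) -> bool:
    """IRC is CRLF-delimited text; classify as IRC only if every non-empty
    line parses as a known IRC command or a numeric reply."""
    lines = [ln for ln in payload.split(b"\r\n") if ln]
    if not lines:
        return False
    for ln in lines:
        m = _IRC_LINE.match(ln)
        if m is None:
            return False
        word = m.group(1)
        if not (word.isdigit() or word.decode("ascii").upper() in IRC_COMMANDS):
            return False
    return True


def classify_port53_payload(payload: bytes) -> str:
    """Return "dns", "irc" or "unknown" for the payload of a TCP/53 flow."""
    if looks_like_dns_over_tcp(payload):
        return "dns"
    if looks_like_irc(payload):
        return "irc"
    return "unknown"


def find_irc_on_dns_port(flows):
    """Flag TCP flows to port 53 whose payload is IRC rather than DNS."""
    return [f for f in flows
            if f["proto"] == "tcp" and f["dport"] == 53
            and classify_port53_payload(f["payload"]) == "irc"]


def dns_query_over_tcp(name: str) -> bytes:
    """Build a benign, TCP-framed DNS A query (constructed test input)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD set, one question
    message = header + qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    return struct.pack("!H", len(message)) + message


# Constructed bot login as it might appear on the wire; only "#space" is from the post.
IRC_CLIENT_SAMPLE = (b"NICK bot-0001\r\n"
                     b"USER bot 0 * :bot\r\n"
                     b"JOIN #space\r\n"
                     b"PING :irc.example\r\n"
                     b"PONG :irc.example\r\n")

# Constructed flow records (addresses from the documentation ranges).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.53", "proto": "tcp", "dport": 53,
     "payload": dns_query_over_tcp("example.com")},
    {"src": "192.0.2.11", "dst": "198.51.100.7", "proto": "tcp", "dport": 53,
     "payload": IRC_CLIENT_SAMPLE},
    {"src": "192.0.2.12", "dst": "198.51.100.9", "proto": "tcp", "dport": 53,
     "payload": b"\x00\x03abc"},
]

if __name__ == "__main__":
    for f in find_irc_on_dns_port(SAMPLE_FLOWS):
        print(f"IRC on TCP/53: {f['src']} -> {f['dst']}")
```

The DNS check is deliberately structural (length prefix, opcode, Z bit) rather than a port check, since the whole point of the bot's choice of port is that the port number tells you nothing; a payload that is neither well-framed DNS nor IRC is reported as unknown rather than guessed at.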

Suddenly, though, commands were forthcoming. An attack with large UDP packets was mounted on a few IP addresses, followed by an HTTP flood of www.fkk90.ch, the latter renewed regularly. This was a very effective flood: the website became inaccessible right away. Some googling, and some exercise of the atrophied German muscle, revealed that FKK 90 is a newly set-up sex club in Zurich, which has been under DDoS from the moment its website was meant to go live. Its hosting provider promises defence against DDoS, which shows once again that you should not believe everything you read on tinternet.

http://www.webline.ch/blog/index.php/2008/06/16/fkk90ch-mit-ddos-schutz-online/

http://www.webline.ch/ddos_schutz.php

[bored@patsy]# ping fkk-90.ch
PING fkk-90.ch (72.52.0.87) 56(84) bytes of data.
From prolexic-gw.ip.tiscali.net (213.200.79.142) icmp_seq=0 Packet filtered

In other words, the "Packet filtered" reply comes from a Prolexic gateway in Tiscali's network, so Webline buy their DDoS protection from Prolexic. Prolexic advertises being able to absorb 10 Gb/s floods (see http://www.prolexic.com/admin/sources/editor/assets/PDF/Prolexic_Overview.pdf), so either Webline aren't getting the whole package, or neon@matrix is (part of) one vast botnet indeed. A third possibility: the advertised figure is volumetric capacity, whereas an HTTP connection flood like this one needs comparatively little bandwidth to exhaust a web server, so scrubbing capacity alone says little about it.

Which leaves the questions: who, and why? A small sex club (hmm, having said that, with "25 Zimmer", 25 rooms, maybe not that small) in a small town in a small country can't advertise its promotional pricing structure online because a botnet controlled from Sweden is preventing it.

Compared with the usual barrage of bot-herder orders aimed at flooding their opponents out of WoW, neon is rather sparing with commands.

On 20 June the botnet's control server moves to Hungary, but the targets remain the same.

Here is an interesting article in the Sonntagszeitung, a Swiss newspaper, about these attacks (in German): http://www.sonntagszeitung.ch/nachrichten/artikel-detailseiten/?newsid=4168


Recently targeted:

213.200.79.142 (Tiscali International Network B.V., Prolexic) [UDP flood]
89.149.186.81 (also Tiscali) [UDP flood]
213.46.171.42 (UPC Broadband Operations B.V., Chello) [UDP flood]
http://www.fkk90.ch/index.php [HTTP connection flood]
http://www.fkk90.ch/X/28305797.jpg [HTTP connection flood]


last update 20 June 2008