Sunday, 17 May 2020

Reading malware - DDoS Perl Bot

It's been a while since I was reading (anything in) Perl ;) so during last lazy Sunday I decided to check one of the sample malware available here. Below you will find the details. Here we go...
This time we'll start here:


When I was checking it (17.05.2020@~20:00) it was still alive so I was happy when I was able to download it ;> Let's go!


In the very next moment (with vim) I asked myself: is anyone still using this kind of tools? XD Uh...


Let's read it together ;)


Ok. I know I shouldn't do it... ;*



Yes this super hackingT34m did not even set a +k ;S Ok, so let's continue reading:

Cool :) /whois is still alive (sorry for using web-irc but last time I was on IRC probably there was a first version of BackTrack ;) anyway...) we should be somewhere here:


As you can see 'smecher' and 'fcukit' are using 'the same server'. Let's follow that (IRC channel) too:

So here we have a few more :) (I will leave IP list of this channel for future purposes - or for the readers curiosity ;))


Using this one page I was able to check other servers of this 'infrastructure' as well:

For example:


One more:


Checking more details about the IP:


Same for 2nd one:



I decided that we will get to know each other a little bit more:


I used GET on my Kali VM to check the content of HTTP ports:


Indeed you'll be redirected to the SonicWall login page:



At this stage (I think) 'the author' did not like me any more :C
 


I decided to be a friend in some other way:



Unfortunately 'someone is a little bit selfish' ;[ 

So I decided to go back to checking found IP(s):


My next step was to google around to find anything else possibly interesting about this bot/group/whatever ;) This is what I found in the archives:



Next question to Google was: ' "smecher" ddos'. This is what I found:


Orly? ;>


I scrolled down a bit and I then saw this:

Even better, this group was probably fighting some other group from Poland in the past xD


That's enough I think. I must say - the author made me go back for a while to the very old times so...

Thanks! It was a pleasure. ;D




Spoiler alert:

- I found 'your' bot 9h ago
- I found your # 8h ago
- I should drop the post 7h ago when I already read the whole .pl file
- I was wondering if I should publish all the IP(s) I can find on this #smecher

Then - 2h ago - I realized one thing:
long, long time ago, when I was out of money and situation was really hopeless I talked with one friend:
- maybe I should start stealing?
answer was:
- there is no way back.

So I started a student-job-in-the-bar, in the meantime -> learned more and more about ITSec, started more coding and... I found another normal legal job.

Guys. Stop making stupid DDoS. Destroying is easy. Creating is the thing. Be creative. Not stupid.
"No excuses."

Cheers,
Cody




Special thanks goes to my Patreon:
- Daniel.

