Continuing the “Malicious Wild West” series: the Blacksun RAT's web integration is so module-friendly that it makes you wonder why it is not yet another case study on malware on demand, rather than the publicly obtainable open source malware that it is. It injects into the explorer.exe process by default, uses a default port of 2121, and this HTTP bot is still in BETA. BETA actually means that more people will play around with the code and add extended functionality to it. There’s a common myth that the majority of botnets are still operated through IRC-based communications. Although there are still large botnets receiving commands through IRC, there’s an ongoing shift towards diversification, and HTTP, in all of its tunneling and covert beauty, seems to be a logical evolution.
Here are some commands included in the default admin.php that speak for themselves:
Killmyself is quite handy in case you get control of the botnet in one way or another and disinfect the entire population with only one command. Stay tuned for various other “releases” in the upcoming virtual shots during the next couple of days.