The infected server connects to the attacker's IRC server and joins the configured channel. In the first versions of the malware the channel used was called "#idiot," revealing the actor's feelings toward the victims. Each bot connecting to the server is given a nickname with a "TuYuL" prefix and a random string.

After a few days of monitoring the channel, the bot master noticed our activity and registered the nicknames of the admins and white-listed the IRC clients allowed to join the network. This prevented us from pretending to be admins and controlling the bots.

During our research, the botnet peaked at around 350 bots, which is a relatively small botnet. For example, last year a different IRC botnet was reported with more than 1,400 bots. When we conducted a geolocation of the IP addresses on the botnet, we found that U.S. 1 Most of the victims are hosted on cloud services such as Amazon Web Services (AWS) and DigitalOcean, and about a third are hosted on Linode.

While monitoring the botnet, we did not notice any activity involving these bots besides maintenance. Some individual bots were spotted spreading the Tuyul malware, but we did not detect a mass activation of the botnet. Unlike previous well-known IRC bots, where commands had more specific descriptions such as DDoS or crypto-mining capabilities, the Tuyul bot has only general-purpose commands.
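The join pattern described above (a "TuYuL"-prefixed nickname with a random suffix, then a JOIN to the configured channel) is easy to turn into a detection rule. The following is an added example written for this page, not code from the original research: it parses raw IRC lines in RFC 1459 shape and flags the bot pattern; the nickname prefix and "#idiot" channel come from the text, the sample log lines are constructed.

```python
import re
# Indicators taken from the write-up: the "TuYuL" nickname prefix and the
# "#idiot" channel seen in early samples. Treat them as illustrative only.
NICK_PREFIX = "TuYuL"
KNOWN_CHANNELS = {"#idiot"}

# RFC 1459 message shape: [":" prefix " "] command [" " params] [" :" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^: ]\S*)*)(?: :(?P<trailing>.*))?$"
)

def parse_irc_line(line):
    """Split one raw IRC line into (prefix, COMMAND, [params...]) or None."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return m.group("prefix"), m.group("command").upper(), params

def is_bot_nick(nick):
    """Bot nicknames: the fixed prefix followed by a random alphanumeric suffix."""
    return re.fullmatch(NICK_PREFIX + r"[A-Za-z0-9]{3,}", nick or "") is not None

def scan_irc_log(lines):
    """Return (reason, line) alerts for lines matching the bot's join pattern."""
    alerts = []
    for raw in lines:
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        prefix, command, params = parsed
        sender = prefix.split("!")[0] if prefix else ""
        if command == "NICK" and params and is_bot_nick(params[0]):
            alerts.append(("bot-style nickname", raw))
        elif command == "JOIN" and params:
            if set(params[0].split(",")) & KNOWN_CHANNELS or is_bot_nick(sender):
                alerts.append(("join to known C2 channel or by bot nick", raw))
    return alerts

# Constructed sample traffic (not a real capture), as a network sensor might log it.
SAMPLE_LOG = [
    "NICK TuYuLx9Q2k",
    "USER tuyul 0 * :tuyul",
    ":TuYuLx9Q2k!u@10.0.0.5 JOIN #idiot",
    ":alice!a@192.0.2.7 JOIN #linux",
]
```

A bare "TuYuL" nickname without the random suffix is deliberately not flagged, so a legitimate user who happens to pick that word does not trip the rule.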