CACAOWEB, botnet on alldebrid!
By tsukasagenesis, Tuesday 13 September 2011
Hello,
This post is here to tell you about the DDoS problem we had from Saturday 10th to Monday 12th of September 2011; this attack was done to take down alldebrid.com.
It all started with downtime, as any DDoS does. We were not the only one: Real-Debrid, our main competitor, was also down during the same period, even at the same second.
We started an investigation to determine the type of attack we were dealing with, in order to block it and avoid it later. It was at this point that we were able to see the extent of the botnet used:
It was more than 540,000 infected computers trying to take down the website with request flooding! I don't know if it is the biggest one, but it was a big one anyway. For comparison purposes, if there are 500 million people on the Internet, 0.1% of the Internet was on our website!
Then we continued monitoring the attack during its activity before blocking it, by a means we will not explain here for safety reasons.
Then it gets very interesting! A member of Real-Debrid (our competitor), who had never visited Alldebrid, was banned on our service! After checking, it was indeed part of the botnet. So we started a remote session, with the agreement of the user and of our competitor, and checked the running programs with the Process Explorer software, and we were able to find the source:
CACAOWEB: this program pretends to be a limit remover for Megavideo and VideoBB, but in reality it's a botnet!
As you can see, an attack is currently running (SYN Flood type) on the italia-film.com website! The attacker also did an HTTP Flood on their website.
To be sure, we analysed it with Wireshark:
The packet shown is the request before the DNS one. As you can see, a Brazilian IP address sends attack orders over UDP to the Cacaoweb program! Following this request, a DNS resolution is done to begin the attack!
Even more blatant:
This screenshot shows the master IP of the DDoS attack sending the header to use to bring the italia-film.com website down!
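The sequence the two Wireshark screenshots describe (an inbound UDP order from an external address, a DNS lookup by the same host, then a flood of SYNs to the resolved address) is something a network defender can look for on their own LAN. The script below is an added example, not code from the Alldebrid team: it walks a simplified, constructed packet log (RFC 5737 documentation addresses, not a real capture), assumes the monitored LAN is 192.168.1.0/24, and reports each internal host whose SYN burst to a freshly resolved name follows such an order within a short window.

```python
"""Added example: flag "UDP order -> DNS lookup -> SYN burst" sequences in a
simplified packet log. Not the original post's code; the log format, LAN range
and thresholds are assumptions chosen for the demonstration.
"""
import ipaddress
from collections import defaultdict

# Assumption: the monitored LAN is 192.168.1.0/24; anything else is "external".
LAN = ipaddress.ip_network("192.168.1.0/24")
WINDOW_SECONDS = 30      # how long after the UDP order we attribute activity to it
SYN_THRESHOLD = 20       # SYNs to one target inside the window that count as a flood

# Constructed sample log, one packet per line: "<epoch> <proto> <src> -> <dst> <info>".
# Addresses come from RFC 5737 documentation ranges; nothing here is a real capture.
SAMPLE_LINES = [
    "1315735201.000 UDP 198.51.100.7 -> 192.168.1.20 len=48",
    "1315735201.120 DNS 192.168.1.20 -> 192.168.1.1 query A italia-film.com",
    "1315735201.135 DNS 192.168.1.1 -> 192.168.1.20 response A italia-film.com 203.0.113.80",
] + [
    f"{1315735201.200 + i * 0.005:.3f} TCP 192.168.1.20 -> 203.0.113.80 SYN"
    for i in range(25)
] + [
    # A normal host: DNS lookup and one connection, no preceding external UDP.
    "1315735210.000 DNS 192.168.1.30 -> 192.168.1.1 query A example.com",
    "1315735210.020 DNS 192.168.1.1 -> 192.168.1.30 response A example.com 203.0.113.90",
    "1315735210.050 TCP 192.168.1.30 -> 203.0.113.90 SYN",
]


def parse_line(line):
    """Split one log line into (ts, proto, src, dst, info)."""
    ts, proto, src, arrow, dst, *rest = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected line format: {line!r}")
    return float(ts), proto, src, dst, " ".join(rest)


def is_external(ip):
    """True for any address outside the assumed LAN range."""
    return ipaddress.ip_address(ip) not in LAN


def find_ordered_floods(lines, window=WINDOW_SECONDS, threshold=SYN_THRESHOLD):
    """Return one finding per (internal host, flood target) that follows an order."""
    last_order = {}                      # host -> (ts, external src) of last inbound UDP
    resolved = defaultdict(dict)         # host -> {target_ip: (ts, queried name)}
    syn_count = defaultdict(int)         # (host, target_ip) -> SYN packets seen
    order_for = {}                       # (host, target_ip) -> external IP that sent the order

    for line in lines:
        ts, proto, src, dst, info = parse_line(line)

        # 1) inbound UDP from outside the LAN to an internal host: candidate "order"
        if proto == "UDP" and not is_external(dst) and is_external(src):
            last_order[dst] = (ts, src)
            continue

        # 2) DNS answer delivered to a host that recently received such an order
        if proto == "DNS" and info.startswith("response A ") and dst in last_order:
            order_ts, c2 = last_order[dst]
            if ts - order_ts <= window:
                _, _, qname, answer = info.split()
                resolved[dst][answer] = (ts, qname)
                order_for[(dst, answer)] = c2
            continue

        # 3) SYNs from that host to the freshly resolved address
        if proto == "TCP" and info == "SYN" and dst in resolved.get(src, {}):
            resolve_ts, _ = resolved[src][dst]
            if ts - resolve_ts <= window:
                syn_count[(src, dst)] += 1

    findings = []
    for (host, target_ip), count in syn_count.items():
        if count >= threshold:
            _, qname = resolved[host][target_ip]
            findings.append({
                "host": host,
                "order_from": order_for[(host, target_ip)],
                "target": qname,
                "target_ip": target_ip,
                "syn_count": count,
            })
    return findings


if __name__ == "__main__":
    for f in find_ordered_floods(SAMPLE_LINES):
        print(f"{f['host']} flooded {f['target']} ({f['target_ip']}) with "
              f"{f['syn_count']} SYNs shortly after a UDP order from {f['order_from']}")
```

On the constructed log this reports only 192.168.1.20; the second host does a normal lookup and a single connection with no preceding external UDP, so it is left alone. The deliberately simple three-step correlation is the point: the order, the lookup and the flood each look benign on their own, and it is the timing between them that gives the infected machine away.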
There is no doubt that CACAOWEB is a program for BOTNET purposes !
We have been the first victims.
How to uninstall it:
Ctrl + Alt + Del > Process > cacaoweb.exe > Right click > Stop the process.
Then go to C:\Program Files (x86)\cacaoweb and delete the cacaoweb.exe file
(also take a look here: %APPDATA%\Roaming\cacaoweb)
Please tell people that this program is used for a botnet!
Every user of this software pays for it being free: a botnet of that size is worth a lot of money, and its owner has to make his business profitable.
We hope this post will stop this botnet.
Sincerely,
Tsukasagenesis