Tags: botnet, DDoS, MegalodonHTTP
Bomp-bomp-bomp-bomp. It’s not even close to “Shark Week,” but Megalodon is making news in the form of a new HTTP DDoS botnet. MegalodonHTTP takes its name from Megalodon, an extinct species of shark believed to have lived millions of years ago and regarded as one of the largest and most powerful predators in vertebrate history.
A few weeks ago, Damballa’s Threat Discovery Center members were alerted by PhysicalDrive0 via Twitter about MegalodonHTTP. In contrast to its namesake, the malware is not very powerful; in fact it is quite simple. It requires the .NET Framework to be installed on a device to run properly. Even though most recent Windows machines have .NET installed and running by default, relying on it reflects the poor coding skills of the author, who goes by Bin4ry: malware authors usually avoid external dependencies, and .NET in particular. The malware is sold on HackForum. Some criminals would dismiss it as skid (script kiddie) malware, but its low price makes it attractive to others.
Megalodon shark versus Great White. Photo courtesy of: Goodheart’s Extreme Science Blog
Bin4ry advertises the capabilities of his creation on Hackforum. Here is the feature list as he posted it:
Download and execute
7 ddos methods
The author offers 2 packages:
Package 1 for $35 includes:
- Web panel
- Full support
Package 2 for $100 includes:
- Web panel
- Stub builder
- Full support
OS Supported: All Windows based OS from Windows XP -> Windows 10
Language: Stub is coded with C# with the .NET Framework 2.0
Password Recovery: Latest IE, FF, Chrome, Opera, Safari, Filezilla FTP, Steam, Minecraft
Crypto mining: The miner covers all SHA256 and Scrypt currencies. (ex: Bitcoin, Litecoin, Omnicoin & Dogecoin)
Stability: It can hold 10-20k easily.
DDoS: UDP, HTTP Flood, SYN, NTP, XML-RPC Pingback, Slowloris and A.R.M.E.
In Damballa’s lab
After Damballa’s Threat Discovery Center ran the malware in our lab, we observed the following communication back to its Command and Control server.
The GET request is as follows:
[victim’s OS]&name=[computer name]&ram=[amount of memory]&cpu=[details of processor and speed]&gpu=[details about video card]&av=[if av is installed] HTTP/1.1
The full network communication is as follows:
Once the malware has infected a machine it will call back home and the attacker can perform different actions.
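The check-in above is the most useful detection hook a defender gets from this sample: the bot reports its host fingerprint as query-string parameters on a plain HTTP GET. The following is an added example (not code from the Damballa post or from the malware author) that scans constructed proxy log lines for GET requests whose query string carries the recovered set of keys (name, ram, cpu, gpu, av). The path, the C2 hostnames and the key used for the OS field are not on the page, so the matcher deliberately ignores path and host and treats the OS key as unknown; the sample log lines and their hostnames are constructed for the example.

```python
"""Flag MegalodonHTTP-style bot check-ins in proxy logs.

Added example, not code from the Damballa post or from the malware author.
The beacon observed in the lab is an HTTP GET whose query string carries
host fingerprint fields: [OS], name, ram, cpu, gpu and av. The key of the OS
field and the request path were not recovered, so the matcher keys only on
the five known parameter names and ignores path and host (the C2 URL is
chosen by whoever buys the builder). Log lines below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Query keys visible in the captured beacon (the leading OS key is unknown).
BEACON_KEYS = {"name", "ram", "cpu", "gpu", "av"}

# Constructed proxy log lines in the form "<client> <method> <url> <status>".
# Hostnames are placeholders, not real C2 servers.
SAMPLE_LOG = """\
10.0.0.12 GET http://cnc.example.invalid/gate.php?os=Windows+7&name=WS-0412&ram=8192&cpu=Intel%20i5%202.5GHz&gpu=Intel%20HD&av=1 200
10.0.0.13 GET http://www.example.com/index.php?name=bob&page=2 200
10.0.0.14 GET http://backup.example.invalid/?x=Windows+10&name=LAPTOP-7&ram=16384&cpu=AMD&gpu=NVIDIA&av=0 200
10.0.0.15 POST http://update.example.com/api?name=a&ram=1&cpu=2&gpu=3 200
"""


def parse_line(line):
    """Split one log line into its four space-separated fields.

    URLs in proxy logs are percent-encoded, so they contain no spaces and a
    maxsplit of 3 keeps the URL intact.
    """
    client, method, url, status = line.split(" ", 3)
    return {"client": client, "method": method, "url": url, "status": status}


def beacon_fields(url):
    """Return the decoded fingerprint if the URL carries all beacon keys, else None."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if not BEACON_KEYS <= set(qs):
        return None
    # Keep every parameter, including the unknown OS key, so an analyst sees
    # the whole fingerprint the bot sent.
    return {key: values[0] for key, values in sorted(qs.items())}


def find_beacons(log_text):
    """Scan log text and return one record per suspected check-in."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] != "GET":  # the observed beacon is a GET
            continue
        fields = beacon_fields(rec["url"])
        if fields is not None:
            hits.append({
                "client": rec["client"],
                "host": urlsplit(rec["url"]).hostname,  # candidate C2 for blocking
                "fields": fields,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit["client"], "->", hit["host"], hit["fields"])
```

The match is intentionally loose (any GET with those five keys), which is what you want for a first sweep; a second line (10.0.0.13) shares only the `name` key and is correctly ignored, and the POST on the last line is skipped because the observed beacon is a GET. Hostnames returned in `host` are candidates for blocking or for pivoting into the customer C2 list below, not confirmations on their own.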
MegalodonHTTP builder and web panel description
The builder and web interface are simple and easy to use. The builder itself has only a few fields, asking for basic information such as the CnC URL, a backup CnC URL and the serial number. You can also generate a random mutex name. It can also add a startup entry to the malware for persistence on the infected machine.
Image. Megalodon builder
The interface has a few tabs that are self-explanatory. We simulated an infection in our lab to analyse the communication and interaction between the infected machine and the CnC. Once the panel files are uploaded to the server, the installation is straightforward: you only need to enter your database details in the configuration file on the server so the web interface can reach the database. In the background, the builder makes some outbound connections of its own. Its first connection is to atomixable.altervista[.]org/asd.txt, which seems to be an internet connectivity check:
It then verifies the license key against the license server:
To finish the installation, you have to connect to , which opens the page below and asks you to create an administrator account for the web interface.
Image. MegalodonHTTP account creation
Once the administrator account is created, we can log in to the control panel. The Bots tab displays a list of infected machines with details about each. From here you can also create tasks; for example, a download-and-execute task installs additional malware. There is also a feature offering seven different types of DDoS.
Image. List of infected bots
Image. List of DDoS types
The Tasks tab shows the tasks created, if any. You can’t edit them, but you can delete them.
Image. List of tasks
You can also change some settings, such as the panel password, the bitcoin miner settings and the panel display settings.
The Management tab allows you to create more users with access to your botnet. This option is very basic: there is no privilege management, so another user could delete your account and lock you out of your own botnet.
Image. Create or modify user accounts
The Password Logs tab shows the passwords stolen from infected machines.
Image. Shows the stolen information
Despite its imposing name, MegalodonHTTP is not advanced malware. The author’s goal was to create modular malware with several features while remaining as small as possible, around 20 KB. Despite the author’s effort to create state-of-the-art malware, the general consensus in the criminal community is clear: he did not succeed. This blog is an “aperçu” of malware that is easily available at a very affordable price. The author teamed up with a reseller to provide hosting for customers, so anyone with limited computer knowledge can acquire this malware and have it up and running in less than a day.
Bin4ry’s customer Megalodon CnCs: