Botmasters include fake control interface to ensnare security researchers

Security researchers compromised what they believed to be a control server for the Zeus botnet, but after examining it in detail, they concluded that it was a fake, designed to allow botmasters to spy on security researcher tactics and plan countermeasures.

What particularly stands out about the EFTPS exploit toolkit is its admin interface. Most exploit toolkits contain an admin interface that manages exploits and payloads and tracks exploit success rates; the EFTPS toolkit, however, contains a completely fake admin console. This admin interface acts as a "hacker honeypot" that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it. The fake login system conveniently accepts default/easily guessed credentials and common SQL injection strings...

Finally, notice that the user can also upload "new bot" malware, which is also logged. This should serve as a warning to researchers: don't always believe what you see on these stats pages...
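The decoy-console behaviour described above, sketched as an added Python example that is not code from the toolkit or from the original post: a login handler that records every attempt, "accepts" default credentials and injection-style strings the way the article describes, and logs "new bot" uploads without ever running them. The credential set, probe patterns, request fields and sample session are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed decoy credentials: the fake console "accepts" these so a guesser
# reveals themselves and keeps interacting with the lure.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}
# Login-form injection probe patterns; a match is logged as a probe, not a guess.
SQLI_PATTERNS = [re.compile(p, re.I) for p in (
    r"'\s*or\b",               # quote-breakout followed by OR
    r"--\s*$",                 # trailing comment to truncate the query
    r"\bunion\b.+\bselect\b",  # UNION-based probe
    r";\s*(drop|delete)\b",    # stacked statement
)]


@dataclass
class DecoyConsole:
    # Every interaction with the fake login and "new bot" upload is recorded.
    events: list = field(default_factory=list)

    def classify(self, username, password):
        if any(p.search(username) or p.search(password) for p in SQLI_PATTERNS):
            return "sqli_probe"
        if (username, password) in DEFAULT_CREDS:
            return "default_credentials"
        return "credential_guess"

    def login(self, src_ip, user_agent, username, password):
        kind = self.classify(username, password)
        self.events.append({"src": src_ip, "ua": user_agent, "action": "login",
                            "kind": kind, "user": username, "pass": password})
        # Decoy policy: guessed defaults and injection strings "succeed" so the
        # lure looks real; ordinary wrong guesses get a normal failure.
        return kind != "credential_guess"

    def upload_bot(self, src_ip, filename, blob):
        # The uploaded "bot" is never run; only its metadata is kept for analysis.
        self.events.append({"src": src_ip, "action": "upload", "name": filename,
                            "size": len(blob), "head": blob[:4].hex()})


def demo():
    # Constructed sample session from a single visitor (RFC 5737 test address).
    hp = DecoyConsole()
    hp.login("203.0.113.7", "curl/7.64", "admin", "letmein")      # fails
    hp.login("203.0.113.7", "curl/7.64", "admin", "' OR 1=1 --")  # "succeeds"
    hp.login("203.0.113.7", "curl/7.64", "admin", "admin")        # "succeeds"
    hp.upload_bot("203.0.113.7", "bot.exe", b"MZ\x90\x00" + b"\0" * 16)
    return hp
```

Everything the visitor did, including the credentials tried and the upload's size and header bytes, ends up in `events`; nothing submitted is trusted or executed.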

  1. That’s what I wanted you to think, but it was in fact just a bot impersonating a security researcher! I spent the last few years building up an immunity to iocane powder.

  2. And then the security people upload a ton of nasty viruses for the botnet operator to find and open.
    No, it’d never work, but a guy can dream, right?

