Nov 11 2008

Chinese hackers turn PCs into zombies with MS08-067

Published by at 1:42 pm under Uncategorized

Wolf Fang Zombie Maker

According to WebSense Security Labs, Chinese hackers are using a new tool to compromise PCs and install the bot of their choice on them. The tool is probably intended for installing password-stealing trojans. The tool is called “wolfteeth bot catcher” and lets the user enter an IP range to compromise by exploiting the MS08-067 vulnerability (the Windows Server service flaw patched in October 2008; it is reached over SMB on TCP port 445, and on Windows 2000, XP and 2003 it needs no authentication). The exploit then downloads and executes a file of the operator's choosing. Cool stuff. I’m working with Heike to get a copy of this tool. When I get it, I intend to use it to install a photo-rotation screensaver with pictures of lolcatz.

See the full article here.
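If you are on the receiving end of a sweep like this, the tool's behaviour gives you two things to look for: one source touching port 445 on many hosts in a short window, and a freshly hit host reaching out over HTTP for its payload. The following is an added example (mine, not code from the article, WebSense, or the tool's author) that runs that logic over a constructed firewall log; the log format, field names, thresholds and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (made up for this example, not from the article).
# 10.0.0.5 walks port 445 across 10.0.1.x the way the tool's IP-range field implies,
# 10.0.0.9 is an admin box talking SMB to two file servers, and 10.0.1.3 fetches
# something over HTTP shortly after being hit on 445 (the download-and-execute stage).
SAMPLE_LOG = """\
2008-11-11 13:42:01 src=10.0.0.5 dst=10.0.1.1 dport=445 proto=tcp action=allow
2008-11-11 13:42:01 src=10.0.0.5 dst=10.0.1.2 dport=445 proto=tcp action=allow
2008-11-11 13:42:02 src=10.0.0.5 dst=10.0.1.3 dport=445 proto=tcp action=allow
2008-11-11 13:42:02 src=10.0.0.5 dst=10.0.1.4 dport=445 proto=tcp action=allow
2008-11-11 13:42:03 src=10.0.0.9 dst=10.0.2.10 dport=445 proto=tcp action=allow
2008-11-11 13:42:03 src=10.0.0.5 dst=10.0.1.5 dport=445 proto=tcp action=allow
2008-11-11 13:42:04 src=10.0.0.5 dst=10.0.1.6 dport=445 proto=tcp action=allow
2008-11-11 13:42:05 src=10.0.0.5 dst=10.0.1.7 dport=445 proto=tcp action=allow
2008-11-11 13:42:06 src=10.0.0.5 dst=10.0.1.8 dport=445 proto=tcp action=allow
2008-11-11 13:42:09 src=10.0.0.9 dst=10.0.2.11 dport=445 proto=tcp action=allow
2008-11-11 13:42:15 src=10.0.1.3 dst=198.51.100.7 dport=80 proto=tcp action=allow
2008-11-11 13:43:02 src=10.0.3.4 dst=198.51.100.9 dport=80 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Turn the log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def find_sweepers(events, port=445, min_targets=5, window=timedelta(seconds=60)):
    """Sources that touch at least `min_targets` distinct hosts on `port` inside a sliding window.

    Returns {source: most distinct targets seen in any one window}.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == port:
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, last in enumerate(evs):
            while last["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def find_stagers(events, sweepers, port=445, http_ports=(80, 443, 8080),
                 within=timedelta(seconds=30)):
    """Hosts hit on `port` by a flagged sweeper that then open an outbound HTTP connection.

    Returns [(victim, sweeper, download_host), ...] in log order; this is the
    download-and-execute stage showing up as the victim's own traffic.
    """
    hits = [e for e in events if e["dport"] == port and e["src"] in sweepers]
    found = []
    for e in events:
        if e["dport"] not in http_ports:
            continue
        for h in hits:
            if h["dst"] == e["src"] and timedelta(0) <= e["ts"] - h["ts"] <= within:
                found.append((e["src"], h["src"], e["dst"]))
                break
    return found


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sweepers = find_sweepers(evs)
    print("port 445 sweepers:", sweepers)
    print("hit hosts fetching over HTTP:", find_stagers(evs, sweepers))
```

The thresholds are deliberately loose so the small sample trips them; on a real network you would raise `min_targets`, allow-list hosts that legitimately fan out over SMB (backup servers, vulnerability scanners), and remember that the second check only catches payloads fetched over the ports you list.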


8 Responses to “Chinese hackers turn PCs into zombies with MS08-067”

  1. Heike on 11 Nov 2008 at 1:53 pm

    You should have an e-mail with the download site for the program in your inbox. Happy hunting!

    Uhmmm, you’re kidding about the photo-rotating kitten thingy, right?!? RIGHT?!! :)

  2. jumper on 11 Nov 2008 at 7:05 pm

    Thanks for tracking it down. I just need an invite to the VIP area of the site to DL it.

    If you controlled 100,000 computers, what would you install on them besides lolcats?

  3. Heike on 11 Nov 2008 at 8:41 pm

    Good luck with that invite…I’ll try to find another download site. ;)

  4. Heike on 11 Nov 2008 at 9:00 pm

    Try this address

  5. CBRP1R8 on 13 Nov 2008 at 7:15 am

    Too bad this isn’t available in English. I wouldn’t mind testing this out in my lab environment. I can’t read anything on the page link :(

  6. jumper on 13 Nov 2008 at 9:06 am

    The page link is just a discussion about the program. I think you have to get it from the author for now. It will eventually show up on all of the other tools sites though.

    It is pretty easy to figure out how to use it.

    Start IP:
    End IP:
    Number of Threads: 800
    Port: 445
    Scan Type: TCP SYN
    Site to download trojan from:

    800 threads seems like a lot to me but I’m sure that is what that field is for. Under scan type, TCP probably means a full connect scan and SYN is half-open.

  7. CBRP1R8 on 14 Nov 2008 at 7:43 am

    TCP SYN is probably a TCP SYN flood attack scan, which is why it's setting the 800-thread threshold to attempt. A lot of attack tools do utilize the SYN flood attack scan.

    The site field is kinda handy though..... I just built out another Linux server in our lab. I think I'll load Apache on it and make a fake website to serve this out on (if I can find it) within our lab, see how and if our systems can be compromised, and what other mitigation factors I can take with it. Since we have Nokia firewalls in place too in the simlab, I can test this from an outside environment to get a feel for attack methodology.

    Cheers for this find though, I'll keep an eye out for this to try to download.

  8. jumper on 14 Nov 2008 at 12:24 pm

    There are separate checkboxes for TCP and SYN. They are for scanning port 445 for Windows boxes that might be vulnerable. TCP is for full connect and SYN is for half open.

    The site field is where the pwn3d machine will download a backdoor from. This tool doesn’t give you a shell or anything it uses a download and execute payload.

    The exploit was ripped from the Ph4nt0m code which you can find on milw0rm. You can use your own shellcode. The Ph4nt0m exploit just has a bind shell payload from metasploit.

    The author of the tool has removed it from his website without any explanation. Hopefully someone will post something to the boards tonight so we can figure out why.
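To make the Start IP / End IP, thread count, port and TCP-connect fields described in comments 6 and 8 concrete, here is an added example of the scanning half of such a tool (my code, not the tool, the Ph4nt0m exploit, or anything from the article). It expands the range, probes port 445 on every host with a bounded thread pool, and reports what answered; the SYN half-open mode is not shown because it needs raw sockets, and the throwaway listener on 127.0.0.1 is a constructed target so the demo runs offline.

```python
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def expand_range(start_ip, end_ip):
    """Expand the Start IP / End IP pair into every IPv4 address between them, inclusive."""
    start = int(ipaddress.IPv4Address(start_ip))
    end = int(ipaddress.IPv4Address(end_ip))
    if end < start:
        raise ValueError("end_ip comes before start_ip")
    return [str(ipaddress.IPv4Address(n)) for n in range(start, end + 1)]


def connect_scan(host, port, timeout=1.0):
    """Full TCP connect probe: True only if the three-way handshake completes.

    A SYN (half-open) scan would send the SYN and judge the reply without finishing
    the handshake; that needs raw sockets and privileges, so it is not shown here.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all mean "not open"
        return False


def sweep(start_ip, end_ip, port=445, threads=32, timeout=1.0):
    """Probe the whole range concurrently; return the hosts with `port` open, in range order.

    `threads` bounds the pool the way the tool's thread field does; 800 mostly means
    800 sockets in flight at once, not a faster scan of a small range.
    """
    hosts = expand_range(start_ip, end_ip)
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = list(pool.map(lambda h: connect_scan(h, port, timeout), hosts))
    return [h for h, is_open in zip(hosts, results) if is_open]


def start_listener(host="127.0.0.1"):
    """Constructed target for the demo: a throwaway TCP listener on an ephemeral port.

    Returns (port, stop) where stop() shuts the listener down and releases the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    srv.settimeout(0.1)  # so the accept loop can notice the stop flag
    port = srv.getsockname()[1]
    stop_flag = threading.Event()

    def serve():
        while not stop_flag.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()  # we only care that the handshake completed
            except socket.timeout:
                continue
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop():
        stop_flag.set()
        worker.join()

    return port, stop


if __name__ == "__main__":
    port, stop = start_listener()
    # Only 127.0.0.1 is guaranteed to answer on every OS, so the demo range is one host.
    print("open on port %d: %s" % (port, sweep("127.0.0.1", "127.0.0.1", port=port)))
    stop()
```

An open port 445 only tells you the host speaks SMB; whether it is actually missing the MS08-067 patch takes a version or vulnerability check on top of this, which is exactly the step the tool skips by firing the exploit at everything that answers.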