Want to see a live BotNET in action? [Video]

This was one of the coolest moments of BlackHat 2013 for me. I’ve seen folks release new cryptographic weaknesses in SSL/TLS, high profile speakers at just about every major talk, but a few minutes ago I walked into a room and there’s this guy in the corner quietly demonstrating software he wrote to a few people who have stopped by. The stuff he’s showing off is the basis of the most dangerous threat on the Net today – the stuff that keeps systems admins of major networks up at night: BotNets.

His name is Shota Shinogi and he’s a security researcher for Macnica Networks and he hails from Japan. He’s written the basic ingredients for a BotNet including a command and control (C&C) server and a remote client that runs on a compromised machine. If you don’t know what a BotNet is, it’s what happens to all those hacked Windows workstations out there: They are combined into one giant network of machines that are controlled from a central C&C server and told what to do. Sometimes they’re told to attack major corporations like Amazon.com by simply sending too many web requests. Occasionally they cause major Internet Interchanges to grind to a halt by sending Terrabytes of traffic per second.  They can also be used to steal thousands of credit cards, social security numbers and more.

You’ll notice in this exclusive interview that I do with Shota that the C&C server has many options – the remote compromised machine is really a puppet that will do his bidding. If your home Windows or OS X workstation has been compromised, there’s someone who isn’t quite as friendly as Shota who is out there and can do the same with your machine and many thousands of others, either separately or simultaneously. In this demo, he simply does a screen capture of what is running on the remote machine.

You can find Shota on Twitter at @Sh1n0g1. Here he is demonstrating ShinoBOT. Enjoy!!

Did you enjoy this post? Share it!


  • Wow. Let's hope Shota's computer wasn't hacked and his C&C script borrowed. I run a bunch of wordpress sites (using your plugin after the latest attacks - which seems to have helped). I assume when a popular CMS like Wordpress has the same /wp-admin address across a network, it's a big target for hackers. I'm not sure what WP3.6 will be like, but I assume customising the login address for each site would be a great advantage and much simpler than 2 stage authentication. Would love to hear what you think - and wonder if you guys have any plans to mod wordfence for something like this. I know WP Better security has an obfuscation (hide backend) but hackers didn't seem to mind. Shutting out the backend during sleeping hours seemed to be the best bet. Would love to hear your expert opinion. Especially with regards to WP security.

    • Hi Edwin,

      Thanks for the comment. Wordfence already has code built-in to mitigate distributed attacks from BotNets.