BoteAR: a “social botnet”? What are we talking about?

In information security, talk about botnets equals talk about malicious actions that materialize through criminal action. In essence, we think there is always a hostile attitude on the part of those who administer them. Please correct me colleagues, refute this if I'm wrong, but I think conceptually you agree with me.

BoteAR (developed in Argentina) adopts the concept of "social networks" although it seems, as yet, not fully materialized. It offers a conventional and manageable botnet via HTTP but uses the model of crimeware-as-a-service. Moreover, the author seems to adopt (maybe unknowingly) the business model of affiliate systems originating in Eastern Europe which are used to spread malware i.e. infect and get revenue for each node you infect.

So far nothing unusual, unfortunately we witness this kind of tactic every day. The striking thing about BoteAR though is that it tries to shield itself under a wrapper of security in an attempt to "fraternize" with its community.

"Botnet Security: Take control of remote machines and control user actions." This is the slogan of the malicious application but… come on! There is something I do not understand! Is this a security application that allows you to mitigate botnet attacks? Of course not! According to the author, it is used to steal information of users through a trojan. The image below refers to the BoteAR website and describes (in Spanish) some functionalities of the malicious app:

Let's inspect each of the assertions they make (highlighted by red boxes above) and demonstrate why their actions are malicious:

1. "Take control of a remote machine and control user actions": Access to a system without proper authorization of the person or owner of the system is unlawful and is an offensive act. This is known as unauthorized intrusion and in most countries of the world with a computer crime law such actions are punishable, regardless of the technological means by which it is undertaken.
2. "The service boteAR is free and use of it, as well as, the responsibilities for your use lies with the user": I want to say a little more at this point because many will surely revive the discussion of the responsibilities that impact on developers of this type of malicious applications arguing that "a knife can be used to kill or cut bread". This is true but... come on! This surely is an immoral act. Moral is part of the common law and this scheme is meant to be used in a malicious manner. Sure, a person is not required to follow moral rules, but they must follow criminal laws. The author has a "malicious heart" that clearly escapes the rules of the law. And here I do mean human behavior and not to be confused with the actions of a computer program. Returning to the analogy with the knife, in this case, clearly the author's intention is to steal and not to assist to protect user information.
3. "... Allow remote control all actions carried out in their own botnet, but to make a connection with the zombies you must first install the agent on JavaScript (trojan) on the desired website ...": By definition, malware is malicious software, most frequently nowadays used to steal banking information, and a trojan is malware and thus a malicious program.
4. "Remote computer, remote bypass protection, credential theft, SQLi, XSS and DoS attacks": Again, different types of attacks that are subject to law, at least in Argentina (where the BoteAR author resides) and credential theft might fit in the criminalization of Identity Theft.

While for now this idea has not spread it will probably get many followers soon. But the BoteAR author does not hesitate to "whiten" your status because their data is public. Also, they attempt to be like "Pontius Pilate" and washing their hands from any responsibility for the “misuse” of the botnet. The question is can there ever be "good use" of it? Can a botnet have this characteristic?

But still, I think that the BoteAR author maybe has not yet considered all the legal ramifications and the real impact that these actions can lead to. So better prevent, or rather, warn, before they actually steal login credentials to online banking of someone in Argentina or another country where it is legally punishable for this action, or that a major corporate site is affected by a DDoS attack.

The communication between infected computers and C2 is via a trojan; backdoor in type, written in JavaScript and detected by Kaspersky Lab as Backdoor.JS.Agent.c. Below is the geographical distribution at this time:

The following image is part of the code of the malicious agent. Clearly the text does not need much explanation: there are functions that allow interactions to materialize into phishing attacks. But keep in mind that in addition to phishing attacks, the malicious app was designed to, among other things, remotely control the computer through the browser and run exploits, including modules for 0-Day exploits.

Sharing the words of a friend, indeed, behind this type of effort, a factor of considerable importance is the real motivation of malware authors because ultimately and far beyond the actions of malware itself, we know that in many cases the way to reach people, whether to sell or steal, is trying to create less crime and be more social. But, equally it is cybercrime.