Abstract

The smallest element in a botnet is a bot. The behavior of a bot can change dynamically based on the decision of the botmaster. Commonly driven by profit, bots are expected to be profitable. If an infected bot does not fulfill the expectations, the botmaster can instruct the bot to switch it's behavior to serve a better purpose. This paper presents a detailed analysis of a network traffic capture of a machine originally infected by a Gamarue variant. The analysis will uncover the behavior of the bot since the initial infection, inactivity period, delivery of a new payload and the following switch of behavior of the bot. The paper will analyze the infection in detail, including the horizontal brute-forcing activity affecting thousands of WordPress websites. The goal of the paper is to show a concrete example of a bot performing brute-forcing, analyze it, identify the mechanisms used and indicators of compromise that will help detect it.