2012-08-16 - Panel
Inside Upas Kit (1.0.1.1) aka Rombrast C&C - Botnet Control Panel
In mid-June a new botnet was advertised on an underground forum as Upas Kit (see the end of this post for the advert). The bot is classified by Microsoft in the Win32/Rombrast family.
![](https://1.bp.blogspot.com/-fdy9JIfnLsI/UC0Q5_qKt2I/AAAAAAAAAnk/T0zM4dVZE4c/s640/Login+Screen.png)
Upas - Login Screen
![](https://1.bp.blogspot.com/-yF_1qxPKMiA/UC0RTJQRKmI/AAAAAAAAAn0/FYA2qJxi_j8/s640/Stats+-+Map.png)
Upas - Map
![](https://3.bp.blogspot.com/-WErP-qAiybs/UC0RGOdlzhI/AAAAAAAAAns/aVT_O-IYZRs/s640/Bots.png)
Upas - Bots
![](https://3.bp.blogspot.com/-4LF9K5sf_88/UC0R_Hh-f7I/AAAAAAAAAn8/8PfkzhTVohI/s640/Stats+-+Bots+online.png)
Upas - Statistics - Bots Online
![](https://2.bp.blogspot.com/-qgR80dDMfBs/UC0SLOMVT0I/AAAAAAAAAoE/vrkvP9bp1dw/s640/Stats+-+Online+Bots.png)
Upas - Statistics - Online Bots
![](https://1.bp.blogspot.com/-TS5WkxGdWko/UC0STROykhI/AAAAAAAAAoM/ZrCaxGy9RpE/s640/Stats+-+Arch.png)
Upas - Statistics - Arch
![](https://4.bp.blogspot.com/-FSssaMldyVg/UC0Sujb35EI/AAAAAAAAAoU/8Td0KM0rOiE/s640/Stats+-+Countries.png)
Upas - Statistics - Countries
![](https://3.bp.blogspot.com/-WYZQHqQuf34/UC0S3pPDhyI/AAAAAAAAAoc/tXQayZfVHRQ/s640/Stats+-+Comparing+Months.png)
Upas - Statistics - Comparing months
![](https://3.bp.blogspot.com/-Rd22Seqt8yU/UC0TE6yHszI/AAAAAAAAAok/EVHbK_cV8Eg/s640/Stats+-+Spreading.png)
Upas - Statistics - Spreading
![](https://1.bp.blogspot.com/-nTnA8r69x2E/UC0TOariIZI/AAAAAAAAAos/mKQM-6zjAd8/s640/Stats+-+Bots+summary+statistics.png)
Upas - Statistics - Bots Summary statistics
![](https://3.bp.blogspot.com/-HXYlEOJdk6Q/UC0Y4JRTBkI/AAAAAAAAApg/FM_NlLfvqJE/s640/Stats+-+Version.png)
Upas - Statistics - Version
![](https://2.bp.blogspot.com/-9s9BVDMJiZY/UC0ZDHXJ3yI/AAAAAAAAApo/nagHRwBzjnI/s640/Stats+-+OS.png)
Upas - Statistics - OS
![](https://4.bp.blogspot.com/-J3NIv7R0tKs/UC0ZOB2olsI/AAAAAAAAApw/HBJR6F4k2qQ/s640/Stats+-+Permissions.png)
Upas - Statistics - Permissions
![](https://2.bp.blogspot.com/-kAI_LQ0qj1s/UC0ZZr1oboI/AAAAAAAAAp4/sFwmbnLcp7Q/s640/Tools.png)
Upas - Stats
![](https://1.bp.blogspot.com/-or6-EinYVtQ/UC0ZqHn0BAI/AAAAAAAAAqA/d7fYQjmAr5g/s640/Logs+-+FTP.png)
Upas - Logs - FTP
![](https://2.bp.blogspot.com/-XCdBXsP4nSc/UC0Z2ucu_rI/AAAAAAAAAqI/vFW1RjOe3ZQ/s640/Logs+-+Spreadings.png)
Upas - Logs - Spreadings
![](https://3.bp.blogspot.com/-mUpKNn8AKVI/UC0Z9C4bEMI/AAAAAAAAAqQ/3pB-93HyCbg/s640/Logs+-+Botkill.png)
Upas - Logs - Botkill
![](https://1.bp.blogspot.com/-ljy92L4bmlU/UC0anHtTs2I/AAAAAAAAAqY/MvUd9zZUMI0/s640/Logs+-+Passwords.png)
Upas - Logs - Passwords
![](https://1.bp.blogspot.com/-LUFEpxtV6s0/UC0a992YVcI/AAAAAAAAAqg/CCQRKlAYLH8/s640/Logs+-+Ruskill.png)
Upas - Logs - Ruskill
![](https://1.bp.blogspot.com/-b91ri_m6KtQ/UC0bJL9EyWI/AAAAAAAAAqo/AYZvIhzYvIU/s640/Logs+-+Injects.png)
Upas - Logs - Injects
![](https://2.bp.blogspot.com/-jZzPLxx81f0/UC0bT-rzdiI/AAAAAAAAAqw/RCtpoKG0Rp4/s640/screenshot_02.png)
Upas - Tasks
![](https://4.bp.blogspot.com/-pq4Alvn3W_A/UC0bfOGGSWI/AAAAAAAAAq4/e8d7KI1C5TA/s640/screenshot_03.png)
Upas - Public Link to tasks
![](https://4.bp.blogspot.com/-tkgRsQ80crE/UC0bx3XtG0I/AAAAAAAAArA/NjL88f0WJyE/s640/Download+Logs.png)
Upas - Download logs
![](https://2.bp.blogspot.com/-Xy3AGg9ehwI/UC0b8AyS_zI/AAAAAAAAArI/I3sZQePAFmg/s320/Settings+List.png)
Upas - Settings list
![](https://2.bp.blogspot.com/-TgzyTux6Dn4/UC0cIJ123aI/AAAAAAAAArQ/MQDQfb6AcpU/s640/Settings.png)
Upas - Settings
![](https://4.bp.blogspot.com/-IaLzq8FipCY/UC0cU4Xh4vI/AAAAAAAAArY/1qeFv_v23UI/s640/Settings+-+Create+User.png)
Upas - Settings - Create user
![](https://1.bp.blogspot.com/-NpPalpWu_6M/UC0celndHPI/AAAAAAAAArg/AMGclB2pv0c/s640/Settings+-+Users+List.png)
Upas - Settings - Users list
![](https://4.bp.blogspot.com/-Iv1m59O7kqs/UC0cx7YGMgI/AAAAAAAAAro/wZpV3nl3pAg/s640/Settings+-+Banned+Users.png)
Upas - Settings - Banned Users
![](https://3.bp.blogspot.com/-FGGMfHgjaVw/UC0c9jCP0wI/AAAAAAAAArw/TTT5Kh13BAo/s640/Settings+-+BlackList.png)
Upas - Settings - Blacklist
![](https://3.bp.blogspot.com/-VShNdDWtods/UC0dOJgwpsI/AAAAAAAAAr4/2WwRlISABng/s640/Settings+-+Login+Logs.png)
Upas - Settings - Login logs
![](https://4.bp.blogspot.com/-ARpiLdMfrVc/UC0ddAsymNI/AAAAAAAAAsA/WPi2g4DO6D8/s640/Settings+-+Change+File+Names.png)
Upas - Settings - Change files name
![](https://2.bp.blogspot.com/-YGhSqYmeYB8/UC0dq23TynI/AAAAAAAAAsI/yFmM3Guo8Zg/s640/Admin+CP.png)
Upas - AdminCP
![](https://4.bp.blogspot.com/-e3qeEIxOjvk/UC0lOXZKymI/AAAAAAAAAtg/NdNNC1cV--A/s640/screenshot_1998.png)
Upas - Server Side Tree
Here is the initial advert on Exploit.In:
![](https://2.bp.blogspot.com/-Oo-Ghkfmrq0/UC0fHJsmPTI/AAAAAAAAAsQ/uz0FzW4vPKY/s640/screenshot_1977.png)
Upas Kit 1.0.0.0 as advertised by auroras on Exploit.in on the 14th of June 2012
You'll find the original text of this advert here:
And its Google translation here:
![](https://4.bp.blogspot.com/-bEDzUxK2pwE/UC0htOI9k9I/AAAAAAAAAtA/YcwfM-o67jk/s640/screenshot_07.png)
AntiVM analysis by EP_X0FF:
You'll find it here:
Auroras "reply" on this code:
Which means he did that quickly to escape ThreatExpert. And it looks like it's pretty effective:
![](https://2.bp.blogspot.com/-05SPgtta5YM/UC0ioeD2swI/AAAAAAAAAtQ/FY8lA0eWu5o/s640/screenshot_06.png)
Auroras 1 - ThreatExpert 0
(no..these are not bots of the C&C shown here ;) )