Resolved rat-forums.net to 108.162.194.61, 108.162.194.161
Server: rat-forums.net
Gate file: /web/adm/gate.php
Config file: /web/config/index.php
This is the first time I've seen the Ice 9 Zeus mod in the wild. I guess all the skiddies are trying it out now that it's cracked. Hopefully Cloudflare will put a stop to their experimenting.
starhf.com (Andromeda HTTP botnet proxied by Cloudflare)
Resolved starhf.com to 108.162.193.86, 108.162.193.186
Server: starhf.com
Gate file: /andro/image.php
This is the second Andromeda net I've seen hosted on Cloudflare. They wouldn't take down the first one for want of evidence. I guess their bot detection technology has some trouble if it can't even detect when Cloudflare is acting as a C&C proxy.
afkm.in (IRC bot spreading through Skype, hosted in Germany, Karlsruhe, 1&1 Internet AG)
This botnet belongs to our lame friend snk (he uses the Aspergillus mod). It was reported by I Post Your Info.
Domain names used by snk:
w4hw5wg3488h.net (this one is no longer active)
afkm.in resolved to 82.165.140.66 (active domain name used to control the bots)
Bot exe: hxxp://213.165.83.232/b.exe (www.dgp-vision.de)
The bot downloads 2 exe files
warzone3030.tk (Andromeda HTTP botnet hosted by santrex.net)
Resolved warzone3030.tk to 46.105.100.182
Server: warzone3030.tk
Gate file: /Panel/image.php
Plugins
Rootkit: warzone3030.tk/Panel/plugins/r.pack
Socks: warzone3030.tk/Panel/plugins/s.pack
Formgrabber: warzone3030.tk/Panel/plugins/f.pack
Hosting info: http://whois.domaintools.com/46.105.100.182
irc.zypur.com (Insomnia IRC botnet hosted by linode.com)
Resolved irc.zypur.com to 178.79.164.173
Server: irc.zypur.com
Port: 6667
* I have 195 clients and 1 servers
* Current Local Users: 195 Max: 1006
* Current Global Users: 196 Max: 1017
Channel: #bots
#bots 195 [+ntrk]
Channel password: Insomnia
Oper:
* [Daily] (Daily@Daily.com): …
* [Daily] is a registered nick
* [Daily] ~#bots
* [Daily] irc.zypur.com
Survey winlocker (FileIce.net)
Here's another winlocker based around having the victim complete surveys to unlock their computer. This one has the user download a file with a password rather than have them just complete the survey in the locker. It requires .NET 4.0 to run. The locker doesn't block the whole screen, but inserts itself across the middle
188.165.4.163 (Andromeda HTTP botnet hosted by vpzzo.net)
Server: 188.165.4.163
Gate file: /and/image.php
Plugins
Rootkit: 188.165.4.163/and/external_plugins/r.pack
Socks: 188.165.4.163/and/external_plugins/s.pack
Formgrabber: 188.165.4.163/and/external_plugins/f.pack
Gate file: /and/fg.php
Hosting info: http://whois.domaintools.com/188.165.4.163
blazehost.net (Andromeda and Smoke HTTP botnets hosted by Seychelles Victoria Business Dialogue Ltd)
Resolved blazehost.net to 91.217.178.32
Andromeda
Server: blazehost.net
Gate file: /andro/image.php
Plugins
Rootkit: blazehost.net/andro/r.pack
Socks: blazehost.net/andro/s.pack
Formgrabber: blazehost.net/andro/f.pack
Gate file: /andro/fg.php
Smoke
Server: blazehost.net
Gate file: /index.php
Hosting info: http://whois.domaintools.com/91.217.178.32
uy5t7cus7dptkchs.onion (IRC botnet hosted on a Tor hidden service)
This botnet was discovered and exposed by researchers at Rapid7.
Server: uy5t7cus7dptkchs.onion
Port: 16667
Channel: #5net1
Channel: #allin
* Topic for #allin is: !silence on
* Topic for #allin set by sudo at Thu Dec 06 15:52:55 2012
Nick format: [USA-W7-683960]USER
Oper: suda (suda@admin.invalid)
You obviously need to set Tor as your IRC proxy to
craftvps.com (SpyEye banking malware hosted by srsvps.com)
Resolved craftvps.com to 109.163.233.60
Server: craftvps.com
Gate file: /admin2/gate.php
Collector port: 8080
Login page: craftvps.com/users/client/index.php
Hosting info: http://whois.domaintools.com/109.163.233.60
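Every HTTP entry in this listing is the same flattened "Resolved ... Server: ... Gate file: ..." record, and two questions come up again and again: whether the resolved addresses are all Cloudflare edge IPs (rat-forums.net and starhf.com above, where the real hosting provider is hidden behind the proxy), and whether the gate and plugin layout is the Andromeda panel pattern (image.php gate plus the r.pack/s.pack/f.pack trio). The Python below is an added example, not code from this site; it parses records in that form and applies both checks. The sample records are copied from this page; the Cloudflare range list is a snapshot assumed from Cloudflare's published IPv4 list, and the Andromeda heuristic is inferred only from the records shown here.

```python
"""Parse the flattened C&C records this listing uses and flag the ones that
resolve only to Cloudflare edge IPs (origin hidden behind the proxy)."""
import ipaddress
import re

# Constructed sample: four records copied from this listing in the one-line
# "Key: value Key: value" form the excerpts use, including the inconsistent
# "Gatefile" key and a record whose Server is a bare IP.
RECORDS = """\
Resolved rat-forums.net to 108.162.194.61, 108.162.194.161 Server: rat-forums.net Gate file: /web/adm/gate.php Config file: /web/config/index.php
Resolved starhf.com to 108.162.193.86, 108.162.193.186 Server: starhf.com Gate file: /andro/image.php
Resolved warzone3030.tk to 46.105.100.182 Server: warzone3030.tk Gate file: /Panel/image.php Plugins Rootkit: warzone3030.tk/Panel/plugins/r.pack Socks: warzone3030.tk/Panel/plugins/s.pack Formgrabber: warzone3030.tk/Panel/plugins/f.pack
Server: 188.165.4.163 Gate file: /and/image.php Plugins Rootkit: 188.165.4.163/and/external_plugins/r.pack Socks: 188.165.4.163/and/external_plugins/s.pack Formgrabber: 188.165.4.163/and/external_plugins/f.pack Gatefile /and/fg.php
"""

# Snapshot of Cloudflare's published IPv4 ranges (assumption: taken from
# https://www.cloudflare.com/ips-v4; refresh it before relying on the result).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Plugin file names as the Andromeda panel entries on this page list them.
ANDROMEDA_PACKS = {"r.pack", "s.pack", "f.pack"}


def parse_record(line):
    """Turn one flattened record into a dict of the fields the listing uses."""
    rec = {"server": None, "ips": [], "gate_files": [], "config_file": None,
           "plugins": {}}
    m = re.search(r"Resolved (\S+) to ((?:%s(?:,\s*)?)+)" % IPV4, line)
    if m:
        rec["ips"] = re.findall(IPV4, m.group(2))
    m = re.search(r"Server: (\S+)", line)
    if m:
        rec["server"] = m.group(1)
        # A bare-IP server with no "Resolved" part is its own address.
        if not rec["ips"] and re.fullmatch(IPV4, rec["server"]):
            rec["ips"] = [rec["server"]]
    # Accept both "Gate file: x" and the "Gatefile x" spelling seen on the page.
    rec["gate_files"] = re.findall(r"Gate ?file:? (\S+)", line, flags=re.I)
    m = re.search(r"Config file: (\S+)", line)
    if m:
        rec["config_file"] = m.group(1)
    rec["plugins"] = dict(re.findall(r"(Rootkit|Socks|Formgrabber): (\S+)", line))
    return rec


def parse_all(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def fronted_by_cloudflare(rec):
    """True when every resolved address is a Cloudflare edge, i.e. the hosting
    provider cannot be read off the DNS answer and the abuse report has to go
    to Cloudflare (or the origin has to be found some other way)."""
    return bool(rec["ips"]) and all(is_cloudflare(ip) for ip in rec["ips"])


def looks_like_andromeda(rec):
    """Heuristic from this page's records only: an image.php gate, or the
    r/s/f.pack plugin trio, is the Andromeda panel layout."""
    gates = {g.rsplit("/", 1)[-1] for g in rec["gate_files"]}
    packs = {p.rsplit("/", 1)[-1] for p in rec["plugins"].values()}
    return "image.php" in gates or ANDROMEDA_PACKS <= packs


if __name__ == "__main__":
    for rec in parse_all(RECORDS):
        tag = "CLOUDFLARE-FRONTED" if fronted_by_cloudflare(rec) else "direct"
        fam = "andromeda?" if looks_like_andromeda(rec) else "other"
        print(f"{rec['server']:<18} {', '.join(rec['ips']):<32} {tag:<18} {fam}")
```

The Cloudflare check is the useful one for takedowns: when every answer for a C&C hostname lands inside those ranges, the whois of the IP tells you nothing about who actually hosts the panel, so the report goes to Cloudflare's abuse desk rather than to the provider named in the entry.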