Resolved h.opennews.su to 5.45.181.254
Server: h.opennews.su
Port: 9000
Channel: #sp
Channel password: yop
Topic for #sp is: !wB/smZJsKbDADvo5ab8sIF/r5RP7kkXfEsreBMH+9hiVs3ilngzFHh0Ph9sbgtC/EeqYw5x0Vj2IqRyb/knFS+LUzo6bf3cW/A1SyUXkVxz8ERDPS2K/qHObIS3TFyR2JAiWdnWc82S3KnAwUHQFMEb6h/kQqB9TcZElsKS4BnyDiGp1B19crjVgBes7+ilkHVmFLRRgoSPyUBx71ioiUporVdeOIEUhA547CIbp0odHxRQ41LK9wPz13N8KYZx6/QE//rZhBqCorPJqg3w=
Topic for #sp set by SNK at Thu Apr 04 06:16:09 2013
Example bot nick: n{USA-XPx86u}gjekbowg
Alternate domains:
f.eastmoon.pl
gigasbh.org
gigasphere.su
o.dailyradio.su
photobeat.su
s.richlab.pl
uranus.kei.su
xixbh.com
xixbh.net
You may recognize some of the domains from previous posts
The botnet is currently mining for bitcoins, with the mining info: bitcoin-miner.exe -a 60 -l no -o http://suppp.cantvenlinea.biz:1942/ -u bigbob0000001@gmail.com -p password
The mining username matches a previous post as well.
This seems to be a major shift for these guys, as they moved ports from 1863 to 9000, dropped ssl and seem to be using a bot other than ngr. They maintain a raging hardon for snk though, using his name all over the place.
There is an article from Kaspersky about this botnet here
Hosting infos: http://whois.domaintools.com/5.45.181.254