Resolved www.yahgodz.com to 46.183.217.148
Server: www.yahgodz.com
Gate file: /http/image.php
Additional domains:
bighecks.net/http/image.php (Missing gate file, hosted at worldstream.nl 217.23.4.155)
sonic4us.ru/http/image.php (Pointed at 127.0.0.1)
imageshells.com/admin/image.php (Missing gate file, hosted at worldstream.nl 217.23.4.107)
All of these are mystical's domains, used for various nefarious purposes in the past. A quick Google shows that he's been loading onto this
Read more...
privategallerie.info (Andromeda http botnet hosted by vmbox.co)
Resolved privategallerie.info to 198.20.67.66
Server: privategallerie.info
Gate file: /admin/hippo/image.php
Bitcoin mining info: http://pr3m1era_quio:mota@eu.triplemining.com:8344
A previously posted Andromeda botnet had a similar folder path to the gate file.
Hosting infos: http://whois.domaintools.com/198.20.67.66
aeonhf.net (Smoke loader http botnet proxied by cloudflare)
Resolved aeonhf.net to 173.245.60.168, 173.245.61.168 (Cloudflare IPs)
Server: aeonhf.net
Alternate domain: aminserve.info (currently has non-responsive nameservers)
Gate file: /admin/index.php
This is the latest skid who uses Cloudflare to help host his botnet. Maybe this time they'll do something about it?
Hosting infos: ecatel.info
Edit: CloudFlare received your abuse report dated February 24, 2013 regarding: aeonhf.net
Read more...
mikimouse.net (ngrbot irc botnet hosted by yisp.nl)
Resolved mikimouse.net to 46.182.107.35
Server: mikimouse.net (Alternate domains: mikimouse.org, mikispace.org)
Port: 1863
Server password: jobs
Channel: #jobs
Topic for #jobs is:
Topic for #jobs set by h at Sat Feb 23 19:28:30 2013
This is the same bot, port and spreading method as a previously posted botnet. However, that had been sinkholed, so it appears
Read more...
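Reading the two topic lines in the entry above: an IRC server answers a JOIN with numeric 332 (the topic text, here empty) followed by 333 (who set it and when), which is why the entry shows a blank topic and then "set by h". As an added example that is not the post's own code, the following Python builds the registration a client sends to a password-protected IRC server and parses those two numerics from constructed server replies; the nick `rsrch` and the epoch timestamp in the 333 line are assumptions, the channel, password and setter `h` are the ones the entry reports.

```python
"""IRC C2 login sequence and parsing of the topic numerics (332/333) that the
entry quotes.  Added example, not the post's code; the server replies below
are constructed (the 333 timestamp is an assumption)."""
import re
from typing import Dict, List

# RFC 1459/2812 numerics: 332 RPL_TOPIC, 333 RPL_TOPICWHOTIME
TOPIC = re.compile(r"^(?::\S+\s+)?332\s+\S+\s+(\S+)\s+:(.*)$")
TOPIC_WHO = re.compile(r"^(?::\S+\s+)?333\s+\S+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def login_sequence(password: str, nick: str, channel: str) -> List[str]:
    """Registration a client sends to a password-protected server.  PASS must
    come before NICK/USER (RFC 2812 section 3.1.1); JOIN goes out once registered."""
    return [
        f"PASS {password}",
        f"NICK {nick}",
        f"USER {nick} 0 * :{nick}",
        f"JOIN {channel}",
    ]


def parse_topic_replies(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Map channel -> {'topic', 'set_by', 'set_at'} from 332/333 replies.
    An empty 332 payload (as in the entry) means the topic is blank, and the
    following 333 still names who last set it and when (unix time)."""
    info: Dict[str, Dict[str, object]] = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = TOPIC.match(line)
        if m:
            info.setdefault(m.group(1), {})["topic"] = m.group(2)
            continue
        m = TOPIC_WHO.match(line)
        if m:
            d = info.setdefault(m.group(1), {})
            d["set_by"] = m.group(2)
            d["set_at"] = int(m.group(3))
    return info


# Constructed replies in the shape a server emits after JOIN; nick 'rsrch'
# and the timestamp are assumptions, channel and setter 'h' come from the entry.
SERVER_REPLIES = [
    ":mikimouse.net 332 rsrch #jobs :",
    ":mikimouse.net 333 rsrch #jobs h 1361647710",
]

if __name__ == "__main__":
    print("\n".join(login_sequence("jobs", "rsrch", "#jobs")))
    print(parse_topic_replies(SERVER_REPLIES))
```

When a researcher connects with a plain IRC client (as the entry's output suggests), the PASS value is the server password from the entry, not a NickServ password; sending it after NICK/USER is rejected by most ircds.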
assler.hfgfr56745fg.com (Betabot http botnet hosted by ecatel.net)
Resolved assler.hfgfr56745fg.com to 80.82.66.205
Server: assler.hfgfr56745fg.com
Gate file: /cakes/sale.php
The bot has been updated, so it no longer crashes Skype. However, it still seems to have some issues with it.
Sample
Hosting infos: http://whois.domaintools.com/80.82.66.205
616design.info (Pony loader and Zeus banking malware hosted by fastit.net)
Resolved 616design.info to 80.82.222.106
Pony Server: 616design.info
Gate file: /forum/pony/gate.php
This is by the same guy as this winlocker and Andromeda bot. The server seems to be down at the moment, most likely due to Zeus Tracker posting the Zeus bot I located on the same IP.
Zeus Server: oppspeedy.co.ua
Gate file: /forum/33/gate.php
Config file:
Read more...
tommyslav.name (Ginemo winlocker hosted by justhost.in.ua)
Resolved tommyslav.name to 91.213.8.52
I saw Malekal tweet that someone was using an exploit kit on adf.ly to distribute Andromeda. I had already posted the Andromeda, and had suspected that it was the cracked version. I just entered the gate info into the builder, ran the build and watched it download this.
Server: tommyslav.name
Gate
Read more...
5.199.167.219 (Citadel banking malware hosted by balticservers.com)
Gate file: 5.199.167.219/mode.php
Config droppers (appear to be compromised sites):
shadowsfromlight.com/wp-content/upgrade/file.php
www.danainvestment.com/wp-content/upgrade/file.php
gregsmission.org/wp-content/upgrade/file.php
luna.pgnstudio.com/wp-content/upgrade/file.php
On gregsmission.org WP-Sentinel seems to have failed to stop the initial compromise, but is now preventing the dropper from functioning.
Sample is located here
http://whois.domaintools.com/5.199.167.219
188.190.126.79 (Silence 5 Winlocker hosted by infiumhost.com)
Server: 188.190.126.79
Gate file: /~rotten/lock1/picture.php
First time I've seen someone use Silence winlocker since the cracked Multilocker was released.
Hosting infos: http://whois.domaintools.com/188.190.126.79
hfgfr56745fg.com (Betabot http botnet hosted by ecatel.net)
Resolved hfgfr56745fg.com to 80.82.66.204
Server: hfgfr56745fg.com
Gate file: /rem/order.php
Brian Krebs on the login page
It still crashes Skype.
Sample here
A previous version of the bot was posted here.
Hosting infos: http://whois.domaintools.com/80.82.66.204
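Every HTTP botnet entry on this page boils down to a Server (domain or bare IP) plus a Gate file path, which is exactly what a bot's check-in hits; in the Citadel entry the host is even fused into the gate path. As an added example that is not code from the original posts, the Python below parses indicator lines in that shape, collects the resolved addresses for an egress blocklist, and runs the gate URLs against constructed web-proxy log lines. The indicator values are the ones the entries report; the proxy log layout (`client method host path`), the log lines themselves and the regexes are assumptions made for the example.

```python
"""Turn the listing's "Resolved ... Server: ... Gate file: ..." entries into
indicators and match them against proxy logs.  Added example, not code from
the original posts; log format and regexes are assumptions for illustration."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Indicator lines in the listing's own shape.  The values are the ones the
# entries report; the excerpt itself is assembled here for the example.
LISTING = """\
Resolved privategallerie.info to 198.20.67.66 Server: privategallerie.info Gate file: /admin/hippo/image.php
Resolved aeonhf.net to 173.245.60.168, 173.245.61.168 (Cloudflare ips) Server: aeonhf.net Gate file: /admin/index.php
Resolved assler.hfgfr56745fg.com to 80.82.66.205 Server: assler.hfgfr56745fg.com Gate file: /cakes/sale.php
Gate file: 5.199.167.219/mode.php
Server: 188.190.126.79 Gate file: /~rotten/lock1/picture.php
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SERVER = re.compile(r"Server:\s*(\S+)")
GATE = re.compile(r"Gate file:\s*(\S+)")
RESOLVED = re.compile(r"Resolved\s+\S+\s+to\s+(.*?)(?=\s+Server:|\s*$)")


@dataclass(frozen=True)
class GateIndicator:
    host: str              # value expected in the HTTP Host header (domain or bare IP)
    path: str              # gate file path, e.g. /admin/image.php
    ips: Tuple[str, ...]   # addresses the entry resolved the host to (may be empty)

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"


def parse_listing(text: str) -> List[GateIndicator]:
    """One indicator per line that carries a 'Gate file:' field."""
    out: List[GateIndicator] = []
    for line in text.splitlines():
        g = GATE.search(line)
        if not g:
            continue
        gate = g.group(1)
        if gate.startswith("/"):
            s = SERVER.search(line)
            if not s:
                continue            # a path without a host is not actionable
            host, path = s.group(1), gate
        else:
            # "Gate file: 5.199.167.219/mode.php" fuses host and path
            host, _, rest = gate.partition("/")
            path = "/" + rest
        r = RESOLVED.search(line)
        ips = tuple(IPV4.findall(r.group(1))) if r else ()
        if not ips and IPV4.fullmatch(host):
            ips = (host,)           # bare-IP C2: the host is the address
        out.append(GateIndicator(host.lower(), path, ips))
    return out


def c2_addresses(indicators: List[GateIndicator]) -> Set[str]:
    """Flat set of IPs for a firewall/egress blocklist."""
    return {ip for i in indicators for ip in i.ips}


# Constructed proxy log lines: "client method host path" (a simplified
# Squid-style layout chosen for the example).
PROXY_LOG = """\
10.0.0.12 POST privategallerie.info /admin/hippo/image.php
10.0.0.12 GET www.example.com /index.html
10.0.0.31 POST AEONHF.NET /admin/index.php?id=1
10.0.0.44 POST 5.199.167.219 /mode.php
10.0.0.44 GET 5.199.167.219 /file.php
10.0.0.50 POST 188.190.126.79 /~rotten/lock1/picture.php
"""


def match_proxy_log(log: str, indicators: List[GateIndicator]) -> List[Tuple[str, str]]:
    """Return (client, gate URL) for every request that hits a known gate.
    Host is compared case-insensitively and the query string is ignored,
    since check-ins to the same gate file may carry bot-specific parameters."""
    known = {(i.host, i.path): i for i in indicators}
    hits: List[Tuple[str, str]] = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, _method, host, path = parts
        key = (host.lower(), path.split("?", 1)[0])
        if key in known:
            hits.append((client, known[key].url))
    return hits


if __name__ == "__main__":
    inds = parse_listing(LISTING)
    for i in inds:
        print(f"{i.url:55} {', '.join(i.ips) or '-'}")
    for client, url in match_proxy_log(PROXY_LOG, inds):
        print(f"HIT {client} -> {url}")
```

Matching on host plus path rather than on IP alone matters for the Cloudflare-fronted entry: its resolved addresses are shared Cloudflare edges, so an IP blocklist built from `c2_addresses` would also block unrelated sites behind the same edge, while the gate URL match stays specific to the C2.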