Resolved apoctechnology.com to 91.217.178.32
I think this is the same guy from here. What is it with him and having his nick in the domain?
Server: apoctechnology.com
Gate file: /Grind/Boom/Lancer/Panel/image.php
He's trying out a survey winlocker annoyance program. It's a really shitty one though.
See it in action: http://malwr.com/analysis/4ceff448b85855dbb824a1098cdeea39/
Hosting infos: http://whois.domaintools.com/91.217.178.32
ad.amneplay.com (Upas http botnet hosted by cheaphosts.ru)
Resolved ad.amneplay.com to 146.185.246.36, 146.185.246.131
Server: ad.amneplay.com
Gate file: /ad/pops/gate.php
Alternate domains (same gate path):
ad.tool2ago.com
ad.sobhanik.com
ad.kbirbsghir.com
ad.masisyarb.com
ad.kosifikon.com
Hosting infos:
http://whois.domaintools.com/146.185.246.36
http://whois.domaintools.com/146.185.246.131
oneproxifier.com (Reverse proxy malware hosted by ecatel.net)
Resolved w7bren.oneproxifier.com to 93.174.93.39, 89.248.174.42, 89.248.172.58, 93.174.93.204
Resolved extradq.oneproxifier.com to 94.102.49.207, 80.82.70.232
Here are two samples of what appears to be reverse proxy malware. It connects back to the indicated servers and maintains a connection, waiting to relay connections through the infected computer. It appears to only use Windows servers for the back-connect software.
in.thegamejuststarted10.com (Insomnia irc botnet hosted by China Dongguan Shenzhenshiluohuquhepingluyifengguangchangczuo32h)
Resolved in.thegamejuststarted10.com to 121.12.123.139
SSL is required to connect to this server. You will also need to accept invalid/self-generated certificates.
Server: in.thegamejuststarted10.com
Port: 2020
Server password: hax0r
Channel: #in
* Topic for #in is: eEtqRXBzV2l4S2pFcThTNXhLVEVxOFM2eEtURXE4Uzd4S1RFcThTOHhLVEVxOFM5eEtURXE4Uyt4YlE9fDIyMjkzMjY0
* Topic for #in set by smart93 at Sun Dec 25 13:30:39 2011
All bots are also autojoined
shitty little nets run by shitty people
I've decided to clear out for the end of the year; here are all the IRC nets I never posted because they had pathetically small numbers of bots.
Server: tannervps.no-ip.org
Port: 6969
Current Local Users: 2 Max: 23
Channel: #tentob
#tentob 2 // This is including me
Bot: insomnia
Server: irc.stressing.info
Port: 6667
Channel: #lipton
img152200.servepics.com (Smoke loader hosted by kimsufi.com)
Resolved img152200.servepics.com to 94.23.213.78
Server: img152200.servepics.com
Gate file: /x3/index.php
This is h4r3's smoke; he has his andromeda hosted on the same server.
Hosting infos: http://whois.domaintools.com/94.23.213.78
gwasnet.net (Spyeye banking malware hosted by ecatel.net)
Resolved gwasnet.net to 80.82.78.90
Server: gwasnet.net
Gate file: /smd/gwas/nothing.php
Yet another skid decides to try out "spyeye for bot herding". Thanks to the anonymous commenter here for the sample.
Hosting infos: http://whois.domaintools.com/80.82.78.90
sharesend.info (smoke loader http botnet hosted by voxility.net)
Resolved sharesend.info to 37.221.170.8
Server: sharesend.info
Gate file: /admin/index.php
A pity the guest.php credentials have been changed from the default, or fun could have been had.
Download the panel from here if you want it: hxxp://sharesend.info/admin/admin.zip
Hosting infos: http://whois.domaintools.com/37.221.170.8
198.8.81.127 (Pony http loader hosted by coloat.com)
Server: 198.8.81.127
Gate file: /Panel/gate.php
Starting to see some pony bots now that it's been leaked. FYI, pony just grabs passwords and uploads them, then downloads any files that are hard-coded into it. If you set it to run at startup you'll just get the same shit every time.
Hosting infos: http://whois.domaintools.com/198.8.81.127
919computech.com (Andromeda http botnet and stealer hosted by main-hosting.com)
Resolved 919computech.com to 31.170.162.85
Andromeda
Server: 919computech.com
Gate file: /Panel/image.php
Stealer
Server: 919computech.com
Gate file: /stealer/index.php
There is also a vertexnet panel at /web/, but I don't think anyone uses that crap anymore.
Hosting infos: http://whois.domaintools.com/31.170.162.85