Resolved beerpigfarm.ru to 46.166.130.216
I found a file on h4r3’s latest andromeda that downloaded a bunch of crap from this site.
hxxp://beerpigfarm.ru/smo Smoke loader, posted here
hxxp://beerpigfarm.ru/min is a bitcoin miner, uses 50btc
Mining info: http://169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi:x@pool.50btc.com:8332
Since he’s using no account mode we can snoop on his mining by plugging in his address on the …
group-gz.me (Andromeda http botnet hosted by Panamaserver.com)
Resolved group-gz.me to 190.123.47.198
Server: group-gz.me
Gate file: /.daci/perete.php
Plugins
Rootkit: group-gz.me/.daci/r.pack
Socks: group-gz.me/.daci/s.pack
Formgrabber: group-gz.me/.daci/f.pack
Gate file: group-gz.me/.daci/fg.php
This guy is installing the recently posted survey winlocker on his bots.
Hosting infos: http://whois.domaintools.com/190.123.47.198
honey.punked.us (Andromeda http botnet hosted by kimsufi.com)
Resolved honey.punked.us to 94.23.213.78
Server: honey.punked.us
Gate file: /sex/image.php
Plugins
Rootkit: http://doncarlosmayorista.com/.sec/r.pack
Socks: http://doncarlosmayorista.com/.sec/s.pack
Formgrabber: http://doncarlosmayorista.com/.sec/f.pack
Gate file: honey.punked.us/sex/fg.php
This is the new andromeda of the french hacker h4r3. Now he’s using cracked andromeda with free domains.
Hosting infos: http://whois.domaintools.com/94.23.213.78
img197-imageshack.info (Andromeda http botnet and Spyeye banking malware hosted by ecatel.net)
Resolved img197-imageshack.info to 93.174.90.96
Server: img197-imageshack.info
Gate file: /panel/image.php
Spyeye
Server: img197-imageshack.info
Gate file: /gate.php
Login: /admin.php
Bonus silence winlocker crap: img197-imageshack.info/bl/eu.php
Hosting infos: http://whois.domaintools.com/93.174.90.96
unlockyourdesktop.info (Winlocker hosted by nerdie.net)
Resolved unlockyourdesktop.info to 199.96.156.208
Yet another survey based winlocker. This one follows the established pattern of ukash and moneypack winlockers by loading a webpage that contains the surveys rather than simply loading the offers like the previous variants.
[Image: Winlocker site showing offers]
This version does not appear to do anything to prevent the use of …
zxz.consulting-info.eu (Multiple http botnets hosted by France Roubaix Ovh Sas)
Resolved zxz.consulting-info.eu to 5.39.71.80
This is the french hacker known as h4r3 who has been posted before.
Andromeda
This is the same andromeda net that was posted before, just with the rest of the domains.
Previous/disabled domains: vvv.exp1oit.in, xxx.be-shopping.net
Current domain: zxz.consulting-info.eu
Gate file: /service/image.php
Plugins:
Rootkit: tbontepaard.nl/gllr/r.pack
Socks: tbontepaard.nl/gllr/s.pack
kbot
Server: zxz.consulting-info.eu
Gate …
rat-forums.net (Ice 9 banking malware proxied by cloudflare)
Resolved rat-forums.net to 108.162.194.61, 108.162.194.161
Server: rat-forums.net
Gate file: /web/adm/gate.php
Config file: /web/config/index.php
This is the first time I’ve seen the ice 9 zeus mod in the wild. I guess all the skiddies are trying it out now that it’s cracked. Hopefully cloudflare will put a stop to their experimenting.
starhf.com (Andromeda http botnet proxied by cloudflare)
Resolved starhf.com to 108.162.193.86, 108.162.193.186
Server: starhf.com
Gate file: /andro/image.php
This is the second andromeda net I’ve seen hosted on cloudflare. They wouldn’t take down the first one for want of evidence. I guess their bot detection technology has some trouble if it can’t even detect when cloudflare is acting as a C&C proxy. …
warzone3030.tk (Andromeda http botnet hosted by santrex.net)
Resolved warzone3030.tk to 46.105.100.182
Server: warzone3030.tk
Gate file: /Panel/image.php
Plugins
Rootkit: warzone3030.tk/Panel/plugins/r.pack
Socks: warzone3030.tk/Panel/plugins/s.pack
Formgrabber: warzone3030.tk/Panel/plugins/f.pack
Hosting infos: http://whois.domaintools.com/46.105.100.182
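Added example, not code from the original posts: the hosts and gate/plugin paths listed in the HTTP botnet entries above (Andromeda, Spyeye, Ice 9, the beerpigfarm.ru downloads) turned into a small proxy-log matcher. The indicator table is copied from the entries; the Squid-format access.log lines are constructed for the example and are not from any real capture. Resolved IPs are deliberately not used as indicators, because the two cloudflare-proxied nets (rat-forums.net, starhf.com) resolve to shared Cloudflare edge addresses that also front legitimate sites, so an IP match there would be a false positive.

```python
"""Match the C&C indicators collected in the posts above against an HTTP proxy log.

Hosts and paths come from the posts on this page. The log lines below are
constructed for this example (Squid native access.log layout).
"""
import re
from urllib.parse import urlparse

# (host, exact path) -> label. Copied from the post entries above.
GATES = {
    ("group-gz.me", "/.daci/perete.php"): "andromeda-gate",
    ("group-gz.me", "/.daci/fg.php"): "andromeda-formgrabber-gate",
    ("honey.punked.us", "/sex/image.php"): "andromeda-gate",
    ("honey.punked.us", "/sex/fg.php"): "andromeda-formgrabber-gate",
    ("img197-imageshack.info", "/panel/image.php"): "andromeda-gate",
    ("img197-imageshack.info", "/gate.php"): "spyeye-gate",
    ("img197-imageshack.info", "/bl/eu.php"): "winlocker",
    ("zxz.consulting-info.eu", "/service/image.php"): "andromeda-gate",
    ("rat-forums.net", "/web/adm/gate.php"): "ice9-gate",
    ("rat-forums.net", "/web/config/index.php"): "ice9-config",
    ("starhf.com", "/andro/image.php"): "andromeda-gate",
    ("warzone3030.tk", "/Panel/image.php"): "andromeda-gate",
    ("beerpigfarm.ru", "/smo"): "smokeloader-download",
    ("beerpigfarm.ru", "/min"): "miner-download",
}

# Directories that serve the Andromeda plugin packs (rootkit/socks/formgrabber).
PLUGIN_DIRS = {
    "group-gz.me": "/.daci/",
    "doncarlosmayorista.com": "/.sec/",
    "tbontepaard.nl": "/gllr/",
    "warzone3030.tk": "/Panel/plugins/",
}
PLUGIN_NAMES = {"r.pack", "s.pack", "f.pack"}

# Any host that appears in either table is a known C&C host.
C2_HOSTS = {h for h, _ in GATES} | set(PLUGIN_DIRS)

# Squid native format: timestamp elapsed client code/status bytes method URL ...
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify(url):
    """Return a label for a C&C-related URL, or None if it matches nothing."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host not in C2_HOSTS:
        return None
    path = parts.path  # compared case-sensitively, as the servers are Linux hosts
    label = GATES.get((host, path))
    if label:
        return label
    plugin_dir = PLUGIN_DIRS.get(host)
    if plugin_dir and path.startswith(plugin_dir) and path.rsplit("/", 1)[-1] in PLUGIN_NAMES:
        return "andromeda-plugin"
    # Known host, but a path the posts do not list: lower confidence, still worth a look.
    return "c2-host-other-path"


def scan(lines):
    """Return (client, label, url) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Squid access line; skip it
        label = classify(m.group("url"))
        if label:
            hits.append((m.group("client"), label, m.group("url")))
    return hits


def infected_clients(hits):
    """Sorted list of distinct client addresses that talked to an indicator."""
    return sorted({client for client, _, _ in hits})


# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
1357000001.123    412 10.0.0.15 TCP_MISS/200 318 POST http://warzone3030.tk/Panel/image.php - DIRECT/46.105.100.182 text/html
1357000002.456     88 10.0.0.15 TCP_MISS/200 40960 GET http://warzone3030.tk/Panel/plugins/r.pack - DIRECT/46.105.100.182 application/octet-stream
1357000003.789     20 10.0.0.22 TCP_HIT/200 5120 GET http://example.com/index.html - NONE/- text/html
1357000004.001    300 10.0.0.31 TCP_MISS/200 200 POST http://honey.punked.us/sex/image.php - DIRECT/94.23.213.78 text/html
1357000005.002    150 10.0.0.31 TCP_MISS/200 30000 GET http://doncarlosmayorista.com/.sec/f.pack - DIRECT/- application/octet-stream
1357000006.003    210 10.0.0.40 TCP_MISS/200 150 GET http://img197-imageshack.info/gate.php - DIRECT/93.174.90.96 text/html
1357000007.004     95 10.0.0.22 TCP_MISS/200 900 GET http://starhf.com/ - DIRECT/108.162.193.86 text/html
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for client, label, url in found:
        print(f"{client:12} {label:28} {url}")
    print("clients to triage:", ", ".join(infected_clients(found)))
```

Exact path matching is deliberate: the gate paths here are specific enough that a looser match (for example any `image.php`) would page on ordinary web traffic, while the plugin packs are matched by directory plus the three fixed file names the posts list. The `c2-host-other-path` label covers a known host being contacted on a path the posts do not document, which is worth triage but not an automatic verdict.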
irc.zypur.com (Insomnia irc botnet hosted by linode.com)
Resolved irc.zypur.com to 178.79.164.173
Server: irc.zypur.com
Port: 6667
* I have 195 clients and 1 servers
* Current Local Users: 195 Max: 1006
* Current Global Users: 196 Max: 1017
Channel: #bots
#bots 195 [+ntrk]
Channel password: Insomnia
Oper:
* [Daily] (Daily@Daily.com): …
* [Daily] is a registered nick
* [Daily] ~#bots
* [Daily] irc.zypur.com …