Here’s another winlocker based around having the victim complete surveys to unlock their computer. This one has the user download a file with a password rather than have them just complete the survey in the locker. It requires .net 4.0 to run. The locker doesn’t block the whole screen, but inserts itself across the middle…
188.165.4.163 (Andromeda http botnet hosted by vpzzo.net)
Server: 188.165.4.163
Gate file: /and/image.php
Plugins
Rootkit: 188.165.4.163/and/external_plugins/r.pack
Socks: 188.165.4.163/and/external_plugins/s.pack
Formgrabber: 188.165.4.163/and/external_plugins/f.pack
Gate file: /and/fg.php
Hosting infos: http://whois.domaintools.com/188.165.4.163
blazehost.net (Andromeda and Smoke http botnets hosted by Seychelles Victoria Business Dialogue Ltd)
Resolved blazehost.net to 91.217.178.32
Andromeda
Server: Blazehost.net
Gate file: /andro/image.php
Plugins
Rootkit: blazehost.net/andro/r.pack
Socks: blazehost.net/andro/s.pack
Formgrabber: blazehost.net/andro/f.pack
Gate file: /andro/fg.php
Smoke
Server: Blazehost.net
Gate file: /index.php
Hosting infos: http://whois.domaintools.com/91.217.178.32
uy5t7cus7dptkchs.onion (Irc botnet hosted on a TOR hidden service)
This botnet was discovered and exposed by researchers at Rapid7.
Server: uy5t7cus7dptkchs.onion
Port: 16667
Channel: #5net1
Channel: #allin
* Topic for #allin is: !silence on
* Topic for #allin set by sudo at Thu Dec 06 15:52:55 2012
Nick format: [USA-W7-683960]USER
Oper: suda (suda@admin.invalid)
You obviously need to set TOR as your irc proxy to…
craftvps.com (Spyeye banking malware hosted by srsvps.com)
Resolved craftvps.com to 109.163.233.60
Server: craftvps.com
Gate file: /admin2/gate.php
Collector port: 8080
Login page: craftvps.com/users/client/index.php
Hosting infos: http://whois.domaintools.com/109.163.233.60
genhagroup.com (Zeus banking malware hosted by United States Provo Unified Layer)
Resolved genhagroup.com to 74.220.199.26
When this site first got posted I thought it was hacked, but now that I’ve taken a closer look it’s actually a lame spreading attempt.
Zeus
Server: genhagroup.com
Gate file: /data/gate.php
Config file: /data/cf.bin
The zeus binary was hosted at utmeg.com, as a “resume creator”. The download page warns that it…
208.98.52.179 (Multiple irc bots hosted by United States Independence Sharktech)
Server: 208.98.52.179
Port: 6969
Channel: #KaRmA##
#KaRmA## 24 [+smntu]
Nick format: [USA|XP|kikwxww]
Channel: #AryaN#
#AryaN# 6 [+smntu]
Nick format: AryaN{US-XP-x86}1352555
Channel: #pBot#
#pBot# 8 [+smntMu]
Nick format: KaRmA{VN-XP-x86}0123624
Channel: ##Nix##
##Nix## 4 [+smntMu]
Nick format: Linux||296703
Channel: ##ngr
##ngr 6 [+smntu]
Nick format: {VN|XPa}sqgblol
Weed motd
* - With Great Power, Comes Great Responsibility. *…
techmanagement.info (Aryan irc botnet hosted by vpzzo.com)
Resolved techmanagement.info to 176.31.208.105
Server: techmanagement.info
Port: 6969
Channel: #carb#
Topic for #carb# is: no botkilling!
Topic for #carb# set by Yoshi at Mon Dec 03 23:46:42 2012
Hmm, same domain as a previously posted andromeda net. Googling the ip also brings up insomnia.incorporatedhosting.info, a domain that has graced this blog before.
Hosting infos: http://whois.domaintools.com/176.31.208.105
painadiction.biz (Andromeda http botnet hosted by Ukraine Ukrainian Internet Names Center Ltd)
Resolved painadiction.biz to 91.231.85.228
I found this bot running as an update on a few of the barracuda http nets that I had already posted. I would imagine someone has found a vulnerability in the panel.
Server: painadiction.biz
Gate file: /moneymaker/image.php
There are a few other domains with the same registration email (soyperlman@live.com) on the…
genhagroup.com (Andromeda http botnet hosted by United States Provo Unified Layer)
Resolved genhagroup.com to 74.220.199.26
This looks like it’s hosted on a hacked server.
Server: genhagroup.com
Gate file: /andro/image.php
Plugins
Rootkit: genhagroup.com/andro/r.pack
Socks: genhagroup.com/andro/s.pack
Formgrabber: genhagroup.com/andro/f.pack
Gate file: genhagroup.com/andro/fg.php
Hosting infos: http://whois.domaintools.com/74.220.199.26