Resolved cmeef.info to 93.174.94.64
Server: cmeef.info
Gate file: /e6ct/index.php
Hosting info: http://whois.domaintools.com/93.174.94.64
Related md5s (search on Malwr.com to download samples):
Solar: 61fd4c9405e168557ab279c86131634b
kasvatus.org (Solar http botnet hosted by hetzner.de)
Resolved kasvatus.org to 176.9.36.18
Server: kasvatus.org
Gate file: /solar/index.php
Thanks to Xylitol for a link to the sample.
Hosting info: http://whois.domaintools.com/176.9.36.18
Related md5s (search on Malwr.com to download samples):
Solar: 946c4683c72f59558d9a211a8d8971cc
canc3r1nf0rmat10n.pw (Solar http botnet hosted by infiumhost.com)
Resolved canc3r1nf0rmat10n.pw to 188.190.123.59
Server: canc3r1nf0rmat10n.pw
Gate file: /panel/index.php
Hosting info: http://whois.domaintools.com/188.190.123.59
Related md5s (search on Malwr.com to download samples):
Solar: 60a8e935b5418a76593bb97120da1adc
haveityourway.pw (betabot http botnet hosted by Alibabahost.com)
Resolved haveityourway.pw to 103.31.187.77
Server: haveityourway.pw
Gate file: /members/order.php
Alternate domains (currently not registered):
thebestway42.pw
itsoktohaveityourway.com
losmejoresburgers1.com
The first domain was only registered yesterday.
Hosting info: http://whois.domaintools.com/103.31.187.77
Related md5s (search on Malwr.com to download samples):
Betabot: 3b0907c7bf881f8f5f9fa2190384d3dd
scum1904life.com (Andromeda http botnet hosted by 2×4.ru)
Resolved scum1904life.com to 193.107.16.146
Server: scum1904life.com
Gate file: /gate.php
Hosting info: http://whois.domaintools.com/193.107.16.146
Related md5s (search on Malwr.com to download samples):
Andromeda: 6423dfa282aa03ee0e10c5331062a96c
n18b7273u1j.in (Betabot http botnet hosted by worldstream.nl)
Resolved n18b7273u1j.in to 217.23.3.102
Server: n18b7273u1j.in
Gate file: /M_jsh1/order.php
Alternate domains: b19jdn167t.in
This is betabot version 1.5. This is the second betabot 1.5 botnet I have found, but the other one was just a different path on an already posted botnet, so it wasn't worth a new post. You may note that the domains used ...
sentryme.com (Betabot http botnet hosted by ecatel.net)
Resolved sentryme.com to 94.102.51.123
Server: sentryme.com
Gate file: /order.php
Alternate domain: stayattentive.com
Bitcoin mining info:
-a sha256 -o stratum+tcp://162.243.6.88:3333 -u Ghettoweed.R -p x -g no -t 4
-a sha256 -o stratum+tcp://162.243.6.88:3333 -u Ghettoweed.R -p x -t 0 -I 10
The username string in the binary is the sky daddy_v1$, which corresponds to this Hackforums account ...
adobe-helper.cloudapp.net (Andromeda http botnet hosted by microsoft.com)
Resolved adobe-helper.cloudapp.net to 168.63.166.85
Server: adobe-helper.cloudapp.net
Gate file: /updates/gate.php
It downloads a bitcoin miner and begins mining using this proxy, also hosted on the Windows cloud: hxxp://updating-flash6.cloudapp.net
Bonus Andromeda 2.7 panel here: hxxp://adobe-helper.cloudapp.net/panel.zip
Hosting info: http://whois.domaintools.com/168.63.166.85
Related md5s (search on Malwr.com to download samples):
Andromeda: 2fd21454a5c17fcfffef9f900dec1434
dreiansc.ws (Ice 9 banking malware hosted by vps.ua)
Resolved dreiansc.ws to 31.131.28.121
Server: dreiansc.ws
Gate file: /adm/gate.php
Config file: /config/index.php
The owner forgot to remove the panel installation file: hxxp://dreiansc.ws/adm/install/index.php
Hosting info: http://whois.domaintools.com/31.131.28.121
Related md5s (search on Malwr.com to download samples):
Ice9: edb77957d11c9add8d8bcc615ba3d392
Betabot botnets linked to hackforums users
So if you have been following my posts on this blog, you may have noticed a large number of posts about the "betabot" malware. Betabot is a http bot which is sold on hackforums.net. Despite a number of complaints about serious stability issues, it has become popular with some of the more dedicated script kiddy ...