Resolved ugctrust.com to 91.213.233.156
Server: ugctrust.com
Gate file: /image.php
Sample was discovered by unixfreaxjp.
Hosting infos: http://whois.domaintools.com/91.213.233.156
vg-update.ru (Andromeda http botnet hosted by voxility.net)
Resolved vg-update.ru to 37.221.170.75
Server: vg-update.ru
Gate file: /gi8i/hTcP/dy0v/header.php
Hosting infos: http://whois.domaintools.com/37.221.170.75
gwassnet.com (Andromeda http botnet hosted by voxility.net)
Resolved gwassnet.com to 37.221.170.240
Server: gwassnet.com
Gate file: /gwas/Panel/image.php
I’m going to guess this is the same guy as the other gwass domain.
Also, bitcoin mining info: http://Hung:28787@pool.bitclockers.com:8332
Hosting infos: http://whois.domaintools.com/37.221.170.240
mystresser.net (Andromeda http botnet hosted by vHostLayer.com)
Resolved mystresser.net to 37.221.163.131
Server: mystresser.net
Gate file: /image.php
Hosting infos: http://whois.domaintools.com/37.221.163.131
hackersdream.info (Andromeda http botnet hosted by Seychelles Victoria Business Dialogue Ltd)
Resolved hackersdream.info to 91.217.178.32
Server: hackersdream.info
Gate file: /lol/image.php
Plugins:
Rootkit: http://hackersdream.info/lol/r.pack
Socks: http://hackersdream.info/lol/s.pack
Formgrabber: http://hackersdream.info/lol/f.pack
Gate file: /lol/fg.php
Hosting infos: http://whois.domaintools.com/91.217.178.32
apoctechnology.com (Andromeda http botnet hosted by Seychelles Victoria Business Dialogue Ltd)
Resolved apoctechnology.com to 91.217.178.32
I think this is the same guy from here. What is it with him and having his nick in the domain?
Server: apoctechnology.com
Gate file: /Grind/Boom/Lancer/Panel/image.php
He’s trying out a survey winlocker annoyance program. It’s a really shitty one though.
See it in action: http://malwr.com/analysis/4ceff448b85855dbb824a1098cdeea39/
Hosting infos: http://whois.domaintools.com/91.217.178.32
919computech.com (Andromeda http botnet and stealer hosted by main-hosting.com)
Resolved 919computech.com to 31.170.162.85
Andromeda
Server: 919computech.com
Gate file: /Panel/image.php
Stealer
Server: 919computech.com
Gate file: /stealer/index.php
Also, there is a vertexnet panel at /web/, but I don’t think anyone uses that crap anymore.
Hosting infos: http://whois.domaintools.com/31.170.162.85
jackhammermusic.com (Andromeda http botnet hosted by justhost.com)
Resolved jackhammermusic.com to 173.254.28.39
Server: jackhammermusic.com
Gate file: /images/id/image.php
There’s also a shell booter located at jackhammermusic.com/test/
Looks like it’s out of shells though: jackhammermusic.com/test/shells.php
Hosting infos: http://whois.domaintools.com/173.254.28.39
EDIT: Now with 100% more bitcoin mining.
Mining infos: http://Juan:Johnxd32ssS@pool.bitclockers.com:8332
4temp704.com (Andromeda http botnet hosted by Seychelles Victoria Business Dialogue Ltd)
Resolved 4temp704.com to 91.217.178.32
Server: 4temp704.com
Gate file: /Panel/image.php
Hosting infos: http://whois.domaintools.com/91.217.178.32
76.191.97.100 (Multiple http botnets hosted by sentris.com)
Andromeda
Server: 76.191.97.100
Gate file: /andro/image.php
Plugins:
Rootkit: http://76.191.97.100/andro/r.pack
Socks: http://76.191.97.100/andro/s.pack
Formgrabber: http://76.191.97.100/andro/f.pack
Gate file: /andro/fg.php
Smoke loader
Server: 76.191.97.100
Gate file: /smoke/index.php
Pony
Server: 76.191.97.100
Gate file: /p/gate.php
POE stealer
Server: 76.191.97.100
Gate file: /poe/index.php
Login details are admin:admin
Hosting infos: http://whois.domaintools.com/76.191.97.100
EDIT: I see he’s trying bitcoin mining.
Mining infos: