Resolved wandingoo.net to 158.58.173.181
Server: wandingoo.net
Gate file: /project/gate.php
Config file: /project/file.php
Downloaded by this betabot.
Hosting infos: http://whois.domaintools.com/158.58.173.181
Related md5s (download samples from Malwr.com)
Citadel: e6088dae389fbd0413298fedd14292e0
updating-flash.cloudapp.net (Citadel banking malware hosted by Microsoft.com)
Resolved updating-flash.cloudapp.net to 137.116.247.7
Server: updating-flash.cloudapp.net
Config file: /bleh/file.php
Gate file: /bleh/gate.php
Hosting infos: http://whois.domaintools.com/137.116.247.7
Related md5s (search on Malwr.com to download samples)
Citadel: b8010a8cce28c36dfb0cc1bcd87a5575
103.241.0.100 (Citadel 1.3.5.1 hosted in Net Origin Group Pty Ltd)
Found by justaguy, Belgian pig farmer, lol.
This is the install directory: hxxp://103.241.0.100/images/gallery/install/
This is the gate: hxxp://103.241.0.100/images/gallery/gate.php
Here is the sample.
Hosting infos: http://whois.domaintools.com/103.241.0.100
jottedmaintains.net (Citadel banking malware hosted by linkup.ua)
Resolved jottedmaintains.net to 176.119.2.93
Server: jottedmaintains.net
Gate file: /xerox/file.php
Config file: /xerox/gate.php
Hosting infos: http://whois.domaintools.com/176.119.2.93
Related md5s (search on malwr.com to download samples)
Citadel: 19d04a8e094f5fe2b171cf5eed677c30
sisisu.su (Citadel banking malware hosted by he.net)
Resolved sisisu.su to 64.62.210.103
Server: sisisu.su
Config file: /wheelbarrow/file.php
Gate file: /wheelbarrow/prism.php
Currently being downloaded by this betabot.
This is his second attempt at a Citadel net; the first one can be found here.
Hosting infos: http://whois.domaintools.com/64.62.210.103
Related md5s (search on malwr.com to download the samples):
Citadel: 5707e28e79f6b6d469874f8b87ecb3b9
Edit: The moron forgot to remove the
Read more...
64.85.233.8 (Citadel banking malware hosted on a home IP?)
Server: 64.85.233.8
Config file: /hide/1355/file.php
Gate file: /hide/1355/enter.php
According to whois, this is a home cable internet IP (United States, Concord, Astound Broadband).
Also on the server: Smoke Loader and Pony.
Smoke Server: 64.85.233.8
Gate file: /smokeldr/index.php
Pony Server: 64.85.233.8
Gate file: /js/gate.php
The moron running this has Pony downloading itself, creating a continuous
Read more...
89.163.181.135 (Citadel banking malware hosted by unitedcolo.de)
Server: 89.163.181.135
Gate file: /.~/ineed/stats.php
Config file: /.~/ineed/file.php
They forgot to remove the installation directory: hxxp://89.163.181.135/.~/ineed/install/
Found on the same betabot as the recently posted Pony loader.
Hosting infos: http://whois.domaintools.com/89.163.181.135
betabros.in (Several http botnets hosted by hostkey.ru)
Resolved betabros.in to 146.0.78.4
Server: betabros.in
Gate file: /beta/order.php
The owner should keep a closer eye on the fake forum he set up for cover: 1071 pages of pharmacy spam and counting.
Hosting infos: http://whois.domaintools.com/146.0.78.4
EDIT: Bitcoin and Litecoin mining.
macromedia.exe -a scrypt -o http://us.litecoinpool.org:9332 -u marvid.disfig -p x
shell.exe -o stratum+tcp://stratum.btcguild.com:3333 -u vapor_3 -p x
Read more...
notify.mpa-a.com (Citadel banking malware hosted by msm.ru)
Resolved notify.mpa-a.com to 95.163.76.59
Server: notify.mpa-a.com
Config file: notify.mpa-a.com/msupd6.bin
Gate file: notify.mpa-a.com/index.php
Hosting infos: http://whois.domaintools.com/95.163.76.59
googlesafebrowsing-counter.org (Citadel banking malware hosted on a fast-flux botnet)
Server: googlesafebrowsing-counter.org
Config dropper: /file.php
The server seems to be poorly configured and never returns a config file.
Backup domain: googlesafebrowsing-cache.org
Example fast-flux info:
;; QUESTION SECTION:
;googlesafebrowsing-counter.org. IN A
;; ANSWER SECTION:
googlesafebrowsing-counter.org. 150 IN A 94.158.73.89
googlesafebrowsing-counter.org. 150 IN A 94.230.198.162
googlesafebrowsing-counter.org. 150 IN A 99.231.159.61
googlesafebrowsing-counter.org. 150 IN A 176.8.252.213
googlesafebrowsing-counter.org.
Read more...