Resolved sixdollarads.com to 174.132.190.220
SpyEye panel: hxxp://sixdollarads.com/vc/cp/maincp/
Bins:
hxxp://sixdollarads.com/vc/cp/maincp/bin/0.1.exe
hxxp://sixdollarads.com/vc/cp/maincp/bin/1.0.exe
hxxp://sixdollarads.com/vc/cp/maincp/bin/config.bin
hxxp://sixdollarads.com/vc/cp/maincp/bin/sys.exe
hxxp://sixdollarads.com/vc/cp/maincp/bin/upload/sys.exe
hxxp://sixdollarads.com/vc/cp/maincp/bin/upload/Photo345.jpg.scr (a .scr screensaver executable disguised with a .jpg double extension)
Hosting infos: http://whois.domaintools.com/174.132.190.220
gwasnet.net (Spyeye banking malware hosted by ecatel.net)
Resolved gwasnet.net to 80.82.78.90
Server: gwasnet.net
Gate file: /smd/gwas/nothing.php
Yet another skid decides to try out "SpyEye for bot herding". Thanks to the anonymous commenter here for the sample.
Hosting infos: http://whois.domaintools.com/80.82.78.90
img197-imageshack.info (Andromeda http botnet and Spyeye banking malware hosted by ecatel.net)
Resolved img197-imageshack.info to 93.174.90.96
Andromeda
Server: img197-imageshack.info
Gate file: /panel/image.php
SpyEye
Server: img197-imageshack.info
Gate file: /gate.php
Login: /admin.php
Bonus: silence winlocker at img197-imageshack.info/bl/eu.php
Hosting infos: http://whois.domaintools.com/93.174.90.96
zxz.consulting-info.eu (Multiple http botnets hosted by France Roubaix Ovh Sas)
Resolved zxz.consulting-info.eu to 5.39.71.80
This is the French hacker known as h4r3, who has been posted here before.
Andromeda
This is the same Andromeda net that was posted before, just with the rest of the domains.
Previous/disabled domains: vvv.exp1oit.in, xxx.be-shopping.net
Current domain: zxz.consulting-info.eu
Gate file: /service/image.php
Plugins:
Rootkit: tbontepaard.nl/gllr/r.pack
Socks: tbontepaard.nl/gllr/s.pack
kbot
Server: zxz.consulting-info.eu
Gate ...
craftvps.com (Spyeye banking malware hosted by srsvps.com)
Resolved craftvps.com to 109.163.233.60
Server: craftvps.com
Gate file: /admin2/gate.php
Collector port: 8080
Login page: craftvps.com/users/client/index.php
Hosting infos: http://whois.domaintools.com/109.163.233.60
control.av-update-server.net (Spyeye banking malware hosted by Latvia Riga Dedicated Servers)
Resolved control.av-update-server.net to 46.183.218.174
Server: control.av-update-server.net
Gate file: /~ciscoFirewall/nginx_config/gate.php
Login page: /~ciscoFirewall/
Collector port: 8080
Hosting infos: http://whois.domaintools.com/46.183.218.174
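Added example, not the tracker's own tooling: a small Python parser that turns entries laid out like the ones above (resolved domain and IP, gate file, collector port, defanged bin URLs) into structured IOCs, drops the author's whois reference links, refangs hxxp:// so the URLs can go straight into a blocklist, and emits one Suricata rule per gate path. The ENTRIES list is transcribed from this page, except that the sixdollarads.com entry is given a constructed title line (the page has none); the Suricata 5+ rule layout, the SID range starting at 9000000 and the $HOME_NET/$EXTERNAL_NET variables are assumptions.

```python
"""Turn the flattened C2 write-ups on this page into structured IOCs and Suricata rules.

Added example; not the tracker's own code.  ENTRIES is transcribed from the page
(the sixdollarads.com title line is constructed, the page lists that entry without one).
Assumed: Suricata 5+ rule syntax, SIDs from 9000000, $HOME_NET/$EXTERNAL_NET variables.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

ENTRIES = [
    ("gwasnet.net (Spyeye banking malware hosted by ecatel.net)",
     "Resolved gwasnet.net to 80.82.78.90 Server: gwasnet.net Gate file: /smd/gwas/nothing.php "
     "Hosting infos: http://whois.domaintools.com/80.82.78.90"),
    ("img197-imageshack.info (Andromeda http botnet and Spyeye banking malware hosted by ecatel.net)",
     "Resolved img197-imageshack.info to 93.174.90.96 Server: img197-imageshack.info "
     "Gate file: /panel/image.php Spyeye Server: img197-imageshack.info Gate file: /gate.php Login: /admin.php"),
    ("craftvps.com (Spyeye banking malware hosted by srsvps.com)",
     "Resolved craftvps.com to 109.163.233.60 Server: craftvps.com Gate file: /admin2/gate.php "
     "Collector port: 8080 Login page: craftvps.com/users/client/index.php"),
    ("sixdollarads.com (SpyEye panel)",  # constructed title; the page gives only the body
     "Resolved : [sixdollarads.com] To [174.132.190.220] SpyEye panel: hxxp://sixdollarads.com/vc/cp/maincp/ "
     "Bins: hxxp://sixdollarads.com/vc/cp/maincp/bin/0.1.exe hxxp://sixdollarads.com/vc/cp/maincp/bin/upload/Photo345.jpg.scr"),
]

# Title: "<domain> (<family> hosted by <hoster>)"; the "hosted by" part is optional.
TITLE_RE = re.compile(r"^(?P<domain>[\w.-]+)\s*\((?P<family>.*?)(?:\s+hosted by\s+(?P<hoster>[^)]+))?\)\s*$")
# Body: "Resolved x to 1.2.3.4" or the bracketed "Resolved : [x] To [1.2.3.4]" variant.
RESOLVE_RE = re.compile(r"Resolved\s*:?\s*\[?(?P<domain>[\w.-]+)\]?\s+[Tt]o\s+\[?(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\]?")
GATE_RE = re.compile(r"Gate file:\s*(/\S+)")
PORT_RE = re.compile(r"Collector port:\s*(\d+)")
URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+")          # catches both live and hxxp-defanged URLs
REFERENCE_HOSTS = {"whois.domaintools.com"}          # the author's lookups, not attacker infrastructure


@dataclass
class C2Record:
    domain: str
    ip: str
    family: str
    hoster: Optional[str]
    gate_paths: List[str] = field(default_factory=list)
    collector_port: Optional[int] = None
    urls: List[str] = field(default_factory=list)    # refanged, reference links removed


def valid_ipv4(ip: str) -> bool:
    """Reject transcription errors such as a 4th octet above 255 or a missing octet."""
    parts = ip.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def refang(url: str) -> str:
    """Undo the hxxp:// defanging used on the page so the URL can be fed to a blocklist."""
    return re.sub(r"^hxxp", "http", url)


def parse_entry(title: str, body: str) -> C2Record:
    t, r = TITLE_RE.match(title), RESOLVE_RE.search(body)
    if not t or not r:
        raise ValueError(f"unrecognised entry layout: {title!r}")
    ip = r.group("ip")
    if not valid_ipv4(ip):
        raise ValueError(f"malformed IPv4 literal {ip!r} in {title!r}")
    rec = C2Record(domain=t.group("domain"), ip=ip, family=t.group("family"), hoster=t.group("hoster"))
    rec.gate_paths = GATE_RE.findall(body)           # one entry may list several gates (Andromeda + SpyEye)
    port = PORT_RE.search(body)
    rec.collector_port = int(port.group(1)) if port else None
    rec.urls = [refang(u) for u in URL_RE.findall(body)
                if urlparse(refang(u)).hostname not in REFERENCE_HOSTS]
    return rec


def parse_all(entries=ENTRIES) -> List[C2Record]:
    return [parse_entry(title, body) for title, body in entries]


def suricata_escape(s: str) -> str:
    """Backslash-escape the characters Suricata treats specially inside content/msg strings."""
    return re.sub(r'([\\";|])', r'\\\1', s)


def gate_rules(rec: C2Record, sid: int) -> List[str]:
    """One Suricata 5+ rule per gate path, matching Host header plus URI, client to server (assumed layout)."""
    rules = []
    for i, path in enumerate(rec.gate_paths):
        rules.append(
            "alert http $HOME_NET any -> $EXTERNAL_NET any ("
            f'msg:"{suricata_escape(rec.family)} gate request to {suricata_escape(rec.domain)}"; '
            "flow:established,to_server; "
            f'http.host; content:"{suricata_escape(rec.domain)}"; nocase; '
            f'http.uri; content:"{suricata_escape(path)}"; '
            f"classtype:trojan-activity; sid:{sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    sid = 9000000
    for rec in parse_all():
        print(f"{rec.domain} -> {rec.ip}  [{rec.family}; hoster={rec.hoster}; collector={rec.collector_port}]")
        for rule in gate_rules(rec, sid):
            print("  " + rule)
        sid += len(rec.gate_paths)
        for url in rec.urls:
            print("  block:", url)
```

Running the file prints one block per entry with its rules and refanged bin URLs. The rules key on Host plus gate URI rather than on the IP, because the write-ups themselves show these panels moving between domains and hosters; the collector port (8080 here, not HTTP) is carried in the record so it can feed a separate flow rule, and the IPv4 check exists purely to catch copy errors in hand-transcribed IOCs before they reach a sensor.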