Tor is used to host the bot. Here is the sample: hxxp://kdsk3afdiolpgejs.onion.to/sphinx/bot.exe
Looking up kdsk3afdiolpgejs.onion.to... Resolved to: 217.197.83.197
Other hosts contacted by the bot: 193.23.244.244, 212.112.245.170, 76.73.17.194
Hosting infos: http://whois.domaintools.com/217.197.83.197
indianmoneybag.in (HTTP Password Stealer hosted in United States Provo Unified Layer)
Maybe a Zeus variant.
Domains:
repository.certum.pl 213.222.201.175
www.download.windowsupdate.com 184.25.56.173
crl.certum.pl 213.222.201.210
myworkmustpayme.xyz 162.144.218.223
www.indianmoneybag.in 104.153.45.242
joemb009i.xyz 162.144.218.223
cryfreeman042.ddns.net 41.138.167.135
HTTP requests:
http://www.indianmoneybag.in/wp-content/themes/twentyfourteen/css/php/gate.php
POST /wp-content/themes/twentyfourteen/css/php/gate.php HTTP/1.0
Host: www.indianmoneybag.in
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 506
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
http://myworkmustpayme.xyz/wp-admin/css/panel/config.jpg
GET /wp-admin/css/panel/config.jpg HTTP/1.1
Accept: */*
Connection:
616design.info (Pony loader and Zeus banking malware hosted by fastit.net)
Resolved 616design.info to 80.82.222.106
Pony server: 616design.info
Gate file: /forum/pony/gate.php
This is by the same guy as this winlocker and andromeda bot. The server seems to be down at the moment, most likely due to zeus tracker posting the zeus bot I located on the same ip.
Zeus server: oppspeedy.co.ua
Gate file: /forum/33/gate.php
Config file:
musicdisk.net (Zeus hosted in Germany Frankfurt Am Main Intergenia Ag)
Resolved [musicdisk.net] to [85.25.2.9]
Panel: http://www.musicdisk.net/zeus/
config.bin: www.musicdisk.net/zeus/cfg.bin
bot.exe: hxxp://www.musicdisk.net/zeus/bot.exe
Hosting infos: http://whois.domaintools.com/85.25.2.9
216.244.83.194 (Zeus variant hosted in United States Hilliard Private Customer)
Unprotected directories:
Panel: hxxp://216.244.83.194/bold/z1/
Config bin: hxxp://216.244.83.194/bold/z1/config.bin
Bot: hxxp://216.244.83.194/bold/z1/bot.exe
Hosting infos: http://whois.domaintools.com/216.244.83.194
rat-forums.net (Ice 9 banking malware proxied by cloudflare)
Resolved rat-forums.net to 108.162.194.61, 108.162.194.161
Server: rat-forums.net
Gate file: /web/adm/gate.php
Config file: /web/config/index.php
This is the first time I've seen the ice 9 zeus mod in the wild. I guess all the skiddies are trying it out now that it's cracked. Hopefully cloudflare will put a stop to their experimenting.
genhagroup.com (Zeus banking malware hosted by United States Provo Unified Layer)
Resolved genhagroup.com to 74.220.199.26
When this site first got posted I thought it was hacked, but now that I've taken a closer look it's actually a lame spreading attempt.
Zeus server: genhagroup.com
Gate file: /data/gate.php
Config file: /data/cf.bin
The zeus binary was hosted at utmeg.com, as a "resume creator". The download page warns that it
lagner.taess.net (Zeus banking malware hosted by Germany Frankfurt Am Main Ovh Gmbh)
Hmm, I'm a german skid who tried to run zeus on a free host. The free hosting account was suspended after it showed up on zeus tracker. Am I going to:
A) Move on with my life and leave malware behind
B) Get a bulletproof domain and hosting and run zeus from there
C) Throw
smartnet.taess.net (Zeus banking malware and other crap hosted by Germany Frankfurt Am Main Ovh Gmbh)
Resolved smartnet.taess.net to 94.23.160.203
Zeus server: smartnet.taess.net
Gate file: smartnet.taess.net/directory/gate.php
Config file: smartnet.taess.net/directory/config.bin
Hosting zeus on a free host seems like a great idea.
Bonus "secure soft" bot from the same guy
Server: lagner.taess.net
Gate file: /Vote%20Gateway%20%20%20blabla%20%20%20Metin2%20P-Server%20Liste_files/Admin/acces/update/connect.php
He was using this to ddos israeli sites during the gaza bombardment. Germany strikes again.
Stats panel loading
Mystical Megapost (Botnets of all types) (Hosted by Ukraine Ukrainian Internet Names Center Ltd and Netherlands Maasdijk Worldstream)
As Mystical has now recently been banned from hackforums, I thought I would make an informative megapost of botnets he has or is currently using.
Domains:
Bighecker.co
1212Mystic0801.info
Sonic4us.com
Sonic4me.com
img196-imageshack.us
rs-booter.com
modtech360.info
307dice.com
powerbot24.com
img90-imageshack.com
imageshells.com
bighecks.net
Emails used for registration:
hlolgame@aim.com
mikeydoc@hotmail.com #plug this into facebook to see his profile
highroller098765@hotmail.com
mikeshosting@yahoo.com
bram.fadzulani@mail.com