Resolved beerpigfarm.ru to 46.166.130.216
I found a file on h4r3’s latest andromeda that downloaded a bunch of crap from this site.
hxxp://beerpigfarm.ru/smo Smoke loader, posted here
hxxp://beerpigfarm.ru/min is a bitcoin miner, uses 50btc
Mining info: http://169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi:x@pool.50btc.com:8332
Since he’s using no account mode we can snoop on his mining by plugging in his address on the 50btc website: https://50btc.com/api/169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi
"hash_rate":"2920.58"
By plugging the address into blockchain.info we can see how much he has made so far and where he has spent it: http://blockchain.info/address/169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi
Total Received: 5.07081977 BTC
That works out to $67.7 based on current prices. The first input into the account was on 2012-11-30, so it works out to about $4.2 a day. Pretty shitty mining.
hxxp://beerpigfarm.ru/sma This is ZeroAccess, getting to be a popular affiliate choice. snk installs this as well.
hxxp://beerpigfarm.ru/gig More affiliate crap, not sure what botnet it is.
Finally the file reports in at beerpigfarm.ru/ws.php?x= with some long hash that I’m assuming is unique to each machine.
Hosting info: http://whois.domaintools.com/46.166.130.216
EDIT: New bitcoin mining info: http://1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX:X@mining.eligius.st:8337
Stats link: http://eligius.st/~wizkid057/newstats/userstats.php/1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
Address info: http://blockchain.info/address/1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
EDIT: The domain is no longer being used; now it’s just an IP address: hxxp://46.166.177.120. The same filenames are used.
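Both miner strings quoted in this post carry the payout address in the username field of the pool URL, which is what makes the pool-stats and blockchain lookups possible. As an added example (not the author's code; the function names are hypothetical), this Python code splits such a string into pool host, port and worker name, and uses a Base58Check test to tell a wallet-as-username from an ordinary pool account:

```python
import hashlib
from urllib.parse import urlsplit

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def is_p2pkh_address(s):
    """True if s is a canonical Base58Check string with version byte 0x00."""
    if not 26 <= len(s) <= 35 or any(c not in B58 for c in s):
        return False
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    try:
        raw = n.to_bytes(25, "big")  # 1 version + 20 hash160 + 4 checksum
    except OverflowError:
        return False
    # Each leading '1' in Base58 stands for one leading zero byte.
    ones = len(s) - len(s.lstrip("1"))
    zeros = len(raw) - len(raw.lstrip(b"\x00"))
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return ones == zeros and raw[0] == 0 and digest[:4] == raw[21:]

def parse_miner_url(url):
    """Split 'scheme://user:pass@host:port' into fields worth pivoting on."""
    parts = urlsplit(url)
    worker = parts.username or ""
    return {
        "pool_host": parts.hostname,   # candidate for egress/DNS alerting
        "pool_port": parts.port,
        "worker": worker,
        # True means the pool is paying straight to this address, so the
        # pool's per-address stats page and a block explorer can be queried.
        "wallet_as_username": is_p2pkh_address(worker),
    }

if __name__ == "__main__":
    # The two miner strings quoted in the post.
    for url in (
        "http://169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi:x@pool.50btc.com:8332",
        "http://1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX:X@mining.eligius.st:8337",
    ):
        print(parse_miner_url(url))
```

The checksum test keeps carved strings that merely look like addresses out of an indicator list.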
Anonymous - December 16, 2012 at 5:39 am
snk is this user:
http://www.hackforums.net/member.php?action=profile&uid=275905
Anonymous - July 24, 2013 at 1:00 am
and now that fag is making money http://blockchain.info/address/1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
Hope he/she ends in jail