Month: June 2012

chatme.redirectme.net (IRC botnet hosted in Romania, Voxility S.r.l.)

Resolved: [chatme.redirectme.net] To [109.163.229.26]
Remote Host / Port Number: 109.163.229.26 5555
Clients: I have 54 clients and 0 servers
Local users: Current Local Users: 54  Max: 176
Global users: Current Global Users: 54  Max: 82
NICK New{US-XP-x86}6447253
USER 6447253 "" "6447253" :6447253
MODE New{US-XP-x86}6447253 +iMm
JOIN #infected private
PONG :7E4C6516
Hosting infos: http://whois.domaintools.com/109.163.229.26

17 RATs (Hosted by home connections)

I’ve been collecting and scanning all of the files that I see on Digital’s IRC, and I’ve found that most of them are RATs that people have sent to Digital for i4i. They’re not worth a blog post, so they tend to build up. Since Vaporizer (the other guy on the IRC, who is really

cuzcoxxx.ru (ngrBot hosted in United States, Walnut, Psychz Networks)

Domains used to control bots:
crioamazonas.ru: not active
cuzcoxxx.ru: 173.224.219.197 port 6068 (IRC server)
hisexoxxx.ru: not active
mlrioamazonas.ru: not active
rioamazonas.ru: not active
sexoxxx.ru: not active
sfsexoxxx.ru: not active
Sample
Sample
You can find the channels and more by checking the sample.
Hosting infos: http://whois.domaintools.com/173.224.219.197

W32/BitCoinMiner.D (hosted in United States, Seattle, Amazon.com Inc.)

Resolved: [mining.eligius.st] To [23.21.225.111]
Control Panel: http://mining.eligius.st
New Opened files which were contained within Memory:
File $Extend\$ObjId
File Documents and Settings\Administrator\Application Data
File Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Portable Devices
File System Volume Information\_restore{307E7B41-0455-430D-B7AD-0176BCF9FE0E}\RP21\change.log
File System Volume Information\tracking.log
File WINDOWS\Temp\Perflib_Perfdata_57c.dat
File trkwks
Potentially Malicious Changes in NTUSER.DAT File (This output only contains plain text entries,

http://sonic4me.com/ (Andromeda HTTP malware hosted in Amsterdam, worldstream.nl)

Location given by the anonymous friend at http://www.exposedbotnets.com/2012/06/malware-samples-and-irc-logs.html?showComment=1339497611124#c584928102134788577
Login: http://sonic4me.com/login/
Panel: http://sonic4me.com/panel/index.php (seems to be 404 now)
Sample
Sample link 1
Sample link 2
Hosting infos: http://whois.domaintools.com/217.23.10.217

128.204.202.152 (Insomnia bot hosted in the United Kingdom, dotvps.net)

Server: 128.204.202.152
Port: 6667
Channel: #Fanta
Password:
Nick: {RU|W7-32u}pugpidz
* I have 100 clients and 0 servers
* Current Local Users: 100  Max: 683
* Current Global Users: 100  Max: 683
Channel          Users   Topic
#Fanta           101     [+sntu] d3FiQ3FNTzB3NnZEdWc9PXw2NjYxNzEzNA==
* Topic for #Fanta is: d3FiQ3FNTzB3NnZEdWc9PXw2NjYxNzEzNA==
* Topic for #Fanta set by White at Tue May 22 08:41:10 2012
* [fanta] (austintyle@fanta123):

fearz14.no-ip.biz (Insomnia bot hosted in Amsterdam, Netrouting.com)

Server: fearz14.no-ip.biz
Port: 6667
* I have 210 clients and 0 servers
* Current Local Users: 210  Max: 423
* Current Global Users: 210  Max: 343
Channels: #XBL, #XBL#
Nick: {US|W7-32u}fhzxrmu
This botnet is used for Xbox booting: lots of UDP attacks on port 3074.
Channel          Users   Topic
#XBL#            99      [+sntu] http://directlink.tv/f/a285bc_svchost.exe
#XBL             91      [+sntu] https://dl.dropbox.com/u/73000180/RAZOR.exe

vps.callofduty.im (Insomnia bot hosted in Romania, NozHost.com)

vps.callofduty.im (109.163.229.5)
* I have 144 clients and 0 servers
* Current Local Users: 144  Max: 803
* Current Global Users: 144  Max: 438
IRC Server HOST, PORT: vps.callofduty.im 6667
Channels: #nulled null3d, #bv1 fuckyou11
Channel          Users   Topic
#bv1             95      [+sntu]
#nulled          70      [+sntu]
Nickname: {FR|W7-64u}hodtvhz
Owned by Techno from HF
Sample link 1
Sample

Malware samples and IRC logs

Here are some 200+ virus files and some IRC logs. This is from a while ago, so some of the IRCs have been shut down or already posted by now.
Download here
read me.txt
Some more info: zain in #zain is n1gthwalk3r786 on Hackforums. Bv1 was spreading via a Blackhole exploit kit, see http://urlquery.net/report.php?id=48516 and http://wepawet.iseclab.org/view.php?hash=3a7fdca5b7fccb7ada9704508e8f33cd&t=1335844374&type=js