Mystical Megapost (Botnets of all types) (Hosted by Ukraine Ukrainian Internet Names Center Ltd and Netherlands Maasdijk Worldstream)

As Mystical has now recently been banned from hackforums, I thought I would make an informative megapost of botnets he has used or is currently using.

Domains emails used for registration #plug this into facebook to see his profile

(Insomnia ircbot hosted by United States Clarks Summit Volumedrive)

Resolved to
Server:
Port: 6654
Channel: #Insomnia
Channel password: frosty
* Topic for #Insomnia is: .up hxxps:// 449C6FB8390C7148B075A52EBEBAB4F5
* Topic for #Insomnia set by lucky at Thu Sep 06 22:08:10 2012
Botnick: {IT|XP-32a}uwryxvf

While I was in the channel he downloaded a bitcoin miner Dextermania.exe  hxxp:// -u Dexter -p 19930924

Hosting

(Athena ircbot hosted by Romania Voxility S.r.l.)

Still more Athena bots

Resolved to
Server:
Port: 34791
Password: 31337gAlAg23gnmbx331
Channel: #mafia
Password: hellas
#mafia           31      [+smntVMCuTk]
Current Global Users: 31  Max: 269

Hosting infos:

(Athena ircbot hosted by France Roubaix Ovh Systems)

Found more athena nets

Resolved to
Server:
Port: 6667
Channel: #kam
#kam             14      [+smntrVCT]
Channel: #vanrikki
Password: wiitasauce3991
#vanrikki        44      [+sntrVCTk]

Server is one of those used by I’m not sure why they used a no-ip for these bots, anyone can get that suspended easily. The servers host lots of skids,

(Athena ircbot hosted by France Roubaix Ovh Systems)

Resolved to
Resolved to
Resolved to
Server:
Port: 6667
Channel: #MuustaHF
Channel password: hejij3cdp
Opers: Ddos
* [Ddos] (Ddos@I.Will.DDOS.Your.Ass): Ddos
* [Ddos] is a registered nick
* [Ddos] :Services for IRC Networks
* [Ddos] idle 158:10:19, signon: Wed Aug 29 23:26:30
* [Ddos] End of WHOIS list.

MuustaHF botnet hosted in United States Clifton Park Search Guide Inc)

Resolved : [] To []
Resolved : [] To [ 13]
Resolved : [] To [ 13]
Remote Host Port Number 1337
PASS google_cache1tfsg4.tmp
NICK X[USA][XP-SP2]150351
USER 9092 “” “lol” :9092
JOIN #swarm swarm
NICK {NEW}X[USA][XP-SP2]020911
USER 0441 “” “lol” :0441
NICK X[USA][XP-SP2]075732
USER 5218 “” “lol” :5218

hosting infos:

botnet hosted in United Kingdom Vooservers Ltd)

Resolved : [] To []
Clients: I have 308 clients and 1 servers
Local users: Current Local Users: 308 Max: 1
Global users: Current Global Users: 309 Max: 1105
Remote Host Port Number 7878
NICK [GSA]-274266
USER hhzegr 0 0 :[GSA]-274266
USERHOST [GSA]-274266
MODE [GSA]-274266 +xt
JOIN #b imallowed2020

hosting infos:

Paypal Phishing Script hosted in Brazil Sao Paulo Telemar Norte Leste S.a.

I got this email today in my spam folder:

Dear valued PayPal Customer, We’re constantly working to make PayPal safer, simpler and more convenient for our customers. This means that from time to time we have to verify and keep up to date your account. It has come to our attention that your PayPal account

botnet hosted in Turkey Balikesir Turk Telekomunikasyon Anonim Sirketi)

Resolved : [] To []
Server:
Nick: new[iRooT-XP-AUT]990453
Username: 9904
Server Pass: KCA
Joined Channel: #XXX with Password KCA
Channel Topic for Channel #XXX: “.dwl .lan .html”
Private Message to Channel #XXX: “^C04[HTML Infector]: ^C09Html Files Infected!”
Private Message to Channel #XXX: “[Download]: Executed Successfully”
Private Message to Channel #XXX: “^C04[LAN Spread]: ^C09Spreading

(ngrbot hosted by Romania Voxility)

resolved to
Server:
Port: 1090
Password: romeo
Channel: ##str
Channel Password: romeo
Channel topic:
* Topic for ##str is: *mdns
* Topic for ##str set by drek0 at Wed Aug 29 11:22:21 2012

Bot sample from

Hosting infos: