chat.barracudasec.com (Barracuda ircbotnet hosted by Luxembourg Luxembourg Root Sa)

Resolved chat.barracudasec.com to 94.242.204.181
Server: chat.barracudasec.com
Ports: 1337,4667 (bots connect on 4667)
Channel: #xxploasion
Channel password: Rebels2012
Channel: #hflove
Channel password: inspiron
Connects using the no-ip hflove.no-ip.org
Channel: #gavin0hanson
Channel password: hanson911

Channel          Users   Topic
#xxploasion      4       [+sntu]
#hflove          45      [+s]
#gavin0hanson    53      [+sntu]

This irc server is similar to cmjc.whhcd.info in that it is

planetstat2324.su (smoke loader http bot hosted by Poland Artnet Spolka Z Ograniczona Odpowiedzialnoscia)

This is the http loader for the gold installs ppi program.
Resolved planetstat2324.su to 178.255.43.67
Server: planetstat2324.su
Gate file: /gamenew/index.php
Downloads files from ap2producoes.com/images/
minsabdedf.exe - bitcoin miner; pool info: http://hernyoooo@ymail.com:Bazdmeg1@pool.50btc.com:8332
ginamdasm.exe - the file botnet owners are given; it installs smoke from hxxp://oroihfdbbnennm.in/update/0pdat3.exe
Install statistics are then recorded by oroihfdbbnennm.in/activation.php using the format
activation.php?productid=(userid)&serial=(long string)
Hosting infos:

venus.timeinfo.pl (ngrbot irc botnet hosted by 1&1 Internet Ag)

Note: New domains are at the bottom of the post
This is the skype “worm” that is in the news right now
Articles:
http://www.techspot.com/news/50443-dorkbot-worm-spreading-via-skype-installs-nasty-ransomware.html
http://news.cnet.com/8301-1009_3-57528353-83/worm-spreading-on-skype-im-installs-ransomware/
http://techcrunch.com/2012/10/08/ransomware-worm-now-spreading-on-skype/
http://www.forbes.com/sites/adriankingsleyhughes/2012/10/08/ransomware-worm-spreading-via-skype/
http://countermeasures.trendmicro.eu/skype-worm-spreading-fast/
Resolved venus.timeinfo.pl to 63.223.107.62, 176.9.192.131, 213.165.71.142, 217.160.108.147, 213.165.71.153, 87.106.98.157, 74.208.112.178
Server: venus.timeinfo.pl
Port: 1863
Password: 24r34t
SSL is needed to connect, accept the invalid certificate
Authhost: bossman

lucasbaby.no-ip.info (Irc botnets hosted by Canada Montreal Ovh Hosting Inc.)

Resolved lucasbaby.no-ip.info to 142.4.203.95
Server: lucasbaby.no-ip.info
Port: 6969
Channel: #karmie#
Channel password: 1234
Nick: [USA|XP|gjetth]
Topic for #karmie# is: @dl 1 hxxp://dl.dropbox.com/u/81040225/raw_out.exe
Topic for #karmie# set by God at Sun Oct 07 13:42:09 2012
Opers:
[Boss] (Anxiety@HaZe.GoV): Anxiety
[Boss] ~#karmie#
[Boss] irc.HaZe.GoV :HaZeNet
[Boss] idle 12:09:34, signon: Mon Oct 08 00:16:30
[Boss] End of WHOIS

123.gets-it.net (Ganja ircbot hosted by United States St. Louis Hosting Solutions International Inc)

Resolved 123.gets-it.net to 69.64.62.151
Server: 123.gets-it.net
Port: 6697
* Current Local Users: 34  Max: 40
* Current Global Users: 34  Max: 40
Channel: #Ganja
* Topic for #Ganja is: DO NOT USE THE SPEEDTEST COMMAND!
* Topic for #Ganja set by Anxiety at Sat Oct 06 02:54:30 2012
Opers:
* [Anxiety] (Anxiety@Test-5D47311C.bchsia.telus.net): Anxiety
* [Anxiety]

50.7.239.180 (Rage bots hosted by Czech Republic Zlin Fdcservers.net)

Server: 50.7.239.180
Port: 7777
Channel: #rage
* Topic for #rage is: .b0tk1ller 30 .p2p .rarworm .xpl 75 1 75.x.x.x 3 1 76.x.x.x
* Topic for #rage set by cyberthrill at Wed Oct 03 13:55:03 2012
Nick format: L0v3|fQrHrWbarp
Opers:
* [BGChaser] (Ares@sab-5E6EA00F.telnet.bg): Ares
* [BGChaser] @#rinfo @#binfo #rscan @#rage @#bkiller #b
* [BGChaser] 50.7.239.180 :Server

casinovegas.mobi (voip scanning botnet hosted by United States Missoula Sharktech)

I found this recently and thought it was interesting enough to post. It’s an http-controlled botnet used to scan for voip servers.

Malware actions:
Tells the C&C server it has installed: 208.98.52.163/90/getip.php?action=live
Requests an ip segment to scan: 208.98.52.163/90/getip.php?action=get
Downloads and installs python (needed for the scanner): hxxp://208.98.52.163/90/files/python-2.7.2.msi
IP range to be scanned is confirmed: 208.98.52.163/90/insert.php?action=online&computer=USER-PC&range=95.211.169.45-95.211.199.255
Unrar utility is downloaded: hxxp://208.98.52.163/90/files/UnRAR.exe
Scanner is downloaded: hxxp://208.98.52.163/90/files/pack.rar
The malware

ns3.captain-packet.net (irc botnet hosted in United States Washington Psinet Inc)

Resolved: [ns3.captain-packet.net] To [154.35.64.24]

Remote Host               Port Number
ns3.captain-packet.net    3900

PASS zomg
NICK banzl
USER ypawhj 0 0 :banzl
USERHOST banzl
MODE banzl -x+iB
JOIN ###bye### byeeeee
NICK pfyfxd
USER bagjsml 0 0 :pfyfxd
USERHOST pfyfxd
MODE pfyfxd -x+iB
NICK jyptrax
USER xncqm 0 0 :jyptrax
USERHOST jyptrax
MODE jyptrax -x+iB
NICK peaji
USER etngec 0 0 :peaji
USERHOST