dinosaur.no-ip.org (Andromeda and barracuda http botnets hosted by Russian Federation Moscow Pallada Web Service Llc)

Resolved dinosaur.no-ip.org to 37.0.123.119

I’ve been watching the barracuda for a while, and when I saw it load the andromeda I decided to post them both.

Andromeda
Server: dinosaur.no-ip.org
Gate file: /andr/image.php
Plugins
Rootkit: dinosaur.no-ip.org/andr/r.pack
Socks: dinosaur.no-ip.org/andr/s.pack
Formgrabber: dinosaur.no-ip.org/andr/f.pack
Gate file: dinosaur.no-ip.org/andr/fg.php

Barracuda http
Server: dinosaur.no-ip.org
Gate file: dinosaur.no-ip.org/drgordon512/bot.php

Here are some logs showing what the barracuda was doing.

download hxxp://whitehat.su/bc4rl1.exe bc4rl1re.exe
download hxxp://whitehat.su/newe.exe as.exe
download hxxp://whitehat.su/bcformine.exe winhost.exe
download hxxp://whitehat.su/bcformine.exe updater.exe
slowloris 217.19.187.195 10000 50
slowloris 217.19.187.195 1000 50
botkill
download hxxp://whitehat.su/bcforus1.exe winhostr23.exe
slowloris mafiaspillet.no 1000 100
download hxxp://whitehat.su/bc4rl1r3.exe bc4rl1r3.exe
downloadupdate hxxp://whitehat.su/nobkdrgordon.exe nobkdr.exe
download hxxp://whitehat.su/bc4rl1.exe runl.exe
download hxxp://whitehat.su/bitcointest1.exe bit32.exe
slowloris 217.19.187.195 5000 50
download hxxp://whitehat.su/bcfinal.exe rundl.exe
downloadupdate hxxp://whitehat.su/nobkdrgordon.exe updater.exe
download hxxp://whitehat.su/bc4rl1.exe bc4rl12.exe
stop
download hxxp://whitehat.su/strongerminer.exe winhostr32.exe
download hxxp://whitehat.su/bcforus1.exe bcudate.exe
startup bcformine.exe *booter*
download hxxp://whitehat.su/bcforus1.exe bmine
download hxxp://whitehat.su/bc4rl1.exe bc4rl1.exe
download hxxp://whitehat.su/newone.exe newone.exe
slowloris 217.19.187.195 120 50
slowloris 82.165.83.70 3000 50
slowloris 67.205.87.145 120 50
download hxxp://whitehat.su/KLu7cHzf_bin.exe 432432.exe
download hxxps://dl.dropbox.com/s/c688yzuocf41d2n/nox.exe nox.exe
download hxxp://ge.tt/api/1/files/1c9i5AS/0/blob?download 43423423.exe
filezilla
tcpflood 193.104.68.22 27015 120 100
stop
download hxxp://whitehat.su/11111111.exe udphost.exe
download hxxp://whitehat.su/Java_32.exe java_32.exe
filezilla
download hxxps://dl.dropbox.com/u/11386186/CG%201.04/11111111.exe fag0r.exe
slowloris 92.51.189.10 120 70
slowloris 217.19.187.195 100000 50
botkill

Hosting infos: http://whois.domaintools.com/37.0.123.119

Categories: Uncategorized

Tags: Andromeda Botbarracuda http

Previous postboat.trixi-diablolik.com(irc botnet hosted in United States Baltimore Gandi Us Inc.)

Next postnew.najd.us (irc botnet hosted by Finland Espoo Csc – Tieteen Tietotekniikan Keskus Oy)

shinyhosting.ws.gy(Andromeda Bot hosted in United States Amsterdam Hosting Servers)

xylox.su (Betabot and Andromeda http botnets hosted by Panamaserver.com)

scum1904life.com (Andromeda http botnet hosted by 2×4.ru)