Resolved mirror.serverhalflife.com to 188.8.131.52
Pandora DDoS bot
Gate file: /pando/?u=17b6n82405v5ycal3ks4bb7i655e088m
Other crap on the server
Microworm panel: mirror.serverhalflife.com/micro/
The password is “root”
Files are located at hxxp://mirror.serverhalflife.com/files/
blackdra.exe is Blackshades
Connects to own3d-private.no-ip.org:4010
Blackshades downloads more of the files; its captured check-in below lists the payload URLs it is handed (micro.exe, steal.exe and blackdra.exe):
x0x0.2184.108.40.206.0.2.15.0.0.0.Federal-Agent.FBI-PC.1.Microsoft Windows XP .5220.127.116.11.58802054.0.new.November 4, 2012.Hide My Ass Vpn FBI access panel (Welcome Agent Hogue) [Google Chrome] x74.64.e4e497e1ec0a03c3e5e49ab8868bdc755b520583cbf4e31605a016d82147ec63x25x18.104.22.168..0.0x49.49. hxxp://mirror.servehalflife.com/files/micro.exe.2x49.49.hxxp://mirror.servehalflife.com/files/steal.exe.2x49.52. hxxp://mirror.servehalflife.com/files/blackdra.exe.2x105x74.7.UNKNOWNx53.1.0x114.1.0x53
Hosting info: http://whois.domaintools.com/22.214.171.124
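Added example, not part of the original post: a small triage script that pulls the defanged payload URLs and the SHA-256-sized hex token out of the check-in string above and refangs the URLs for fetching inside a sandbox. It uses only the Python standard library and takes the string exactly as displayed on the page (IP addresses as shown); the page does not say what the 64-hex token is, so it is reported only as "hash-like".

```python
import re
from urllib.parse import urlsplit

# Sample input: the Blackshades check-in string captured in the post above,
# copied as displayed there (including the IP addresses as the page shows them).
CHECKIN = (
    "x0x0.2184.108.40.206.0.2.15.0.0.0.Federal-Agent.FBI-PC.1.Microsoft Windows XP "
    ".5220.127.116.11.58802054.0.new.November 4, 2012.Hide My Ass Vpn FBI access panel "
    "(Welcome Agent Hogue) [Google Chrome] x74.64."
    "e4e497e1ec0a03c3e5e49ab8868bdc755b520583cbf4e31605a016d82147ec63"
    "x25x18.104.22.168..0.0x49.49. hxxp://mirror.servehalflife.com/files/micro.exe.2x49.49."
    "hxxp://mirror.servehalflife.com/files/steal.exe.2x49.52. "
    "hxxp://mirror.servehalflife.com/files/blackdra.exe.2x105x74.7.UNKNOWNx53.1.0x114.1.0x53"
)

# Defanged (hxxp) or live (http) URL ending in .exe. Non-greedy so the
# ".2x49.49." field noise that follows each URL in the check-in is not swallowed.
URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+?\.exe\b", re.IGNORECASE)

# Exactly 64 hex digits bounded by non-hex characters (SHA-256-sized).
HEX64_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def extract_payload_urls(checkin: str) -> list[str]:
    """Payload URLs named in the check-in, in order of appearance, de-duplicated."""
    seen, urls = set(), []
    for match in URL_RE.finditer(checkin):
        url = match.group(0)
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// URL back into one a sandbox fetcher can use."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def payload_hosts(checkin: str) -> list[str]:
    """Sorted, de-duplicated hostnames the payload URLs point at (block these first)."""
    return sorted({urlsplit(refang(u)).hostname for u in extract_payload_urls(checkin)})


def hashlike_tokens(checkin: str) -> list[str]:
    """Any 64-hex-digit tokens in the check-in; their meaning is not stated on the page."""
    return HEX64_RE.findall(checkin)


def summarize(checkin: str) -> dict:
    """Indicator summary for one check-in string."""
    urls = extract_payload_urls(checkin)
    return {
        "payload_urls": urls,
        "fetch_urls": [refang(u) for u in urls],
        "hosts": payload_hosts(checkin),
        "hashlike": hashlike_tokens(checkin),
    }


if __name__ == "__main__":
    for key, value in summarize(CHECKIN).items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

The defanged form is kept in the summary alongside the refanged one so the indicators can be pasted into notes without anything turning into a clickable link; only the `fetch_urls` list is meant for the sandbox.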
Anonymous - November 4, 2012 at 9:28 pm
Wow, Hide My Ass VPN. Someone didn't learn anything from LulzSec. lol
Anonymous - November 5, 2012 at 5:11 pm
Hey, kind of as a reader: got any post on how you are finding all of the bots? I have started running a few honeypots myself, but from the findings it's mostly old stuff or background noise.
Any tips would be awesome.
I_Post_Ur_Info - November 7, 2012 at 2:07 pm
You won't find that much by running listening honeypots, as no new bots are doing any scanning that I know of. Check out http://support.clean-mx.de/clean-mx/viruses.php, and filter for alive responses and %exe in the url. Most of it will be adware or zeus, but some other stuff will show up. Sniff it in vbox and see where it leads.
Most skid botnets are incredibly incestuous, so once you start listening in a channel you'll find plenty of others.
Anonymous - November 7, 2012 at 5:02 pm
Thanks a lot for that answer 🙂
That's the way I've been trying to do it before, but I never had a good source for samples. That's the reason I started the honeypot.
This will be fun!