Resolved z.7z.lt to 216.66.72.159
Server: z.7z.lt
Gate file: /ad/image.php
Plugins (currently 404):
Formgrabber: crap.leet.la/ad/f.task
Rootkit: crap.leet.la/ad/r.task
Socks: crap.leet.la/ad/s.task
Hosting infos: http://whois.domaintools.com/216.66.72.159
mal-labs.asia (Andromeda http botnet hosted by United States Denver Fdcservers.net)
Resolved mal-labs.asia to 37.221.170.238
Server: mal-labs.asia
Gate file: image.php
Plugins:
Rootkit: mal-labs.asia/plugins/r.pack
Formgrabber: mal-labs.asia/plugins/f.pack
Gate file: fg.php
This is the file Paradoxun was running on his bots (cachke.exe).
Hosting infos: http://whois.domaintools.com/37.221.170.238
199.119.226.75 (Barracuda irc botnet hosted by France Paris Dnsslave.com)
Server: 199.119.226.75
Port: 6667
Channel: #Aryan
Oper:
[Paradoxun] (Paradoxun@rofl12345): …
[Paradoxun] ~#Aryan
[Paradoxun] 199.119.226.75 :Lee’s
[Paradoxun] idle 00:03:03, signon: Sat Nov 24 13:31:20
[Paradoxun] End of WHOIS list.
You may remember Paradoxun from here or here. It looks like he may have some aryan bots in the channel as well.
Paradoxun .botkill -s Paradoxun
f0001.info (ngrbot irc botnet hosted by United States Chicago Steadfast Networks)
Resolved f0001.info to 208.117.34.204, 208.117.34.20
Server: f0001.info
Port: 1887
Server password: leonis
Channel: #pool
Channel password: leonis
* Topic for #pool is: ~pu hxxp://hotfile.com/dl/180565282/bc43943/queriendo.exe 3ea04ecdc19fad85fdf2eb15ba20cc9a ~s -o ~s
* Topic for #pool set by google at Fri Nov 23 10:26:12 2012
Channel: #XP
* Topic for #xp is: ~dw hxxp://hotfile.com/dl/180565391/ee7fa0b/ccc.exe 55c6bf0eac7a786de324c7f34ef6db12 ~dw hxxp://hotfile.com/dl/180565492/0dd28c1/10.exe ee2dcac3f9f630c69dd750cc6abc5b8a
lagner.taess.net (Zeus banking malware hosted by Germany Frankfurt Am Main Ovh Gmbh)
Hmm, I’m a German skid who tried to run Zeus on a free host. The free hosting account was suspended after it showed up on ZeuS Tracker. Am I going to: A) Move on with my life and leave malware behind, B) Get a bulletproof domain and hosting and run Zeus from there, C) Throw
apocsvr.info (Andromeda http malware hosted by vHostLayer.com)
Server: apocsvr.info
Gate file: /andro/image.php
This is just the standard cracked andro, but I noticed something interesting about it. The domain is WhoisGuard protected, which is often used by skids who don’t want to spend 30 seconds making up fake info for the whois. However, I noticed something in the assembly info of the
smartnet.taess.net (Zeus banking malware and other crap hosted by Germany Frankfurt Am Main Ovh Gmbh)
Resolved smartnet.taess.net to 94.23.160.203
Zeus
Server: smartnet.taess.net
Gate file: smartnet.taess.net/directory/gate.php
Config file: smartnet.taess.net/directory/config.bin
Hosting Zeus on a free host seems like a great idea.
Bonus “secure soft” bot from the same guy
Server: lagner.taess.net
Gate file: /Vote%20Gateway%20%20%20blabla%20%20%20Metin2%20P-Server%20Liste_files/Admin/acces/update/connect.php
He was using this to DDoS Israeli sites during the Gaza bombardment. Germany strikes again.
Stats panel
94mb samples for analysis purposes
This package has a lot of banking trojans, worms, etc. Have fun analysing them. Source
37.221.171.139 (ngr irc botnet hosted by Germany Frankfurt Am Main Voxility S.r.l.)
Server: 37.221.171.139
Port: 1234
Server password: secret
Channel: #nigg
Channel password: secret
Topic for #nigg is: .slow 80.82.64.21 80 .slow 77.81.243.156 80 .slow 199.59.166.134 80 .slow 77.81.243.156 80
Topic for #nigg set by pb at Wed Nov 21 14:38:45 2012
Oper: pb!abuse@boss
Checking out the IPs, it looks like he is attacking carding/dumps websites: swiped.su
Multiple barracuda http bots hosted by Russian Federation Moscow Pallada Web Service Llc
This is the new IP of Tropical Paradise’s shared hosting for his shitty .net http bot.
Domain: anet.h4ck.me
Gate file: /endless14/bot.php
Domain: deamonscentral.no-ip.info
Gate file: /phpadmin141/bot.php
Domain: fofogogo23http.no-ip.biz
Gate file: /liquified61/bot.php
Domain: barracudasecurity.tk
Gate file: bot.php
It looks like he’s finally figured out that leaving the panel in the root directory is a bad