Resolved beerpigfarm.ru to 220.127.116.11
I found a file on h4r3’s latest andromeda that downloaded a bunch of crap from this site.
hxxp://beerpigfarm.ru/smo Smoke loader, posted here
hxxp://beerpigfarm.ru/min is a bitcoin miner, uses 50btc
Mining info: http://169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi:email@example.com:8332
Since he’s using no account mode we can snoop on his mining by plugging in his address on the 50btc website: https://50btc.com/api/169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi
By plugging the address into blockchain.info we can see how much he has made so far and where he has spent it: http://blockchain.info/address/169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi
Total Received: 5.07081977 BTC
That works out to $67.7 based on current prices. The first input into the account was on 2012-11-30, so it works out to about $4.2 dollars a day. Pretty shitty mining.
hxxp://beerpigfarm.ru/sma This is zeroaccess, getting to be a popular affilate choice. snk installs this as well.
hxxp://beerpigfarm.ru/gig More affilate crap, not sure what botnet it is.
Finally the file reports in at beerpigfarm.ru/ws.php?x= with some long hash that I’m assuming is unique to each machine.
Hosting infos: http://whois.domaintools.com/18.104.22.168
EDIT: New bitcoin mining infos: http://1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX:X@mining.eligius.st:8337
Stats link: http://eligius.st/~wizkid057/newstats/userstats.php/1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
Address info: http://blockchain.info/address/1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
EDIT: The domain is no longer being used, now it’s just an IP address. hxxp://22.214.171.124. The same filenames are used.