uokmate.info (Insomnia irc botnet hosted by volumedrive.com)

Resolved uokmate.info to 199.115.228.38 Server:   uokmate.info Port:  8527 * There are 1 users and 114 invisible on 1 servers* 3 :channels formed Channel:  #Insomnia  #Insomnia        103     [+sntu] Hosting infos: http://whois.domaintools.com/199.115.228.38

76.191.97.100 (Multiple http botnets hosted by sentris.com)

Andromeda Server:   76.191.97.100 Gate file:  /andro/image.php Plugins Rootkit:  http://76.191.97.100/andro/r.pack Socks:  http://76.191.97.100/andro/s.pack Formgrabber:  http://76.191.97.100/andro/f.pack   Gate file:  /andro/fg.php Smoke loader Server:   76.191.97.100 Gate file:  /smoke/index.php Pony Server:  76.191.97.100 Gate file:  /p/gate.php POE stealer Server:  76.191.97.100 Gate file /poe/index.php Login details are admin:admin Hosting infos: http://whois.domaintools.com/76.191.97.100 EDIT: I see he’s trying bitcoin mining Mining infos:

95.58.254.79(Pony hosted in Kazakhstan Almaty Jsc Kazakhtelecom)

Pony Gate:95.58.254.79/p/gate.php Pony admin login:http://95.58.254.79/p/admin.php Pony-legit-packed s.exe inside pony package is Autoiframer Bot, Version 1.0 here some strings from the sample: File: ZR1.exe Size: 193552 Bytes MD5: A889A2ADAFEFF5A16AFF93DD668B763C Packer: File not found C:peid.exe File Properties: CompanyName FileDescription FileVersion InternalName LegalCopyright OriginalFilename ProductName ProductVersion Exploit Signatures: ————————————————————————— Scanning for 19 signatures Scan Complete: 212Kb in 0,016

64.120.239.219(ngrBot hosted in United States Scranton Network Operations Center Inc.)

C&C Server: 64.120.239.219:1887 Server Password: Username: fbidqck Nickname: n{DE|XPa}fbidqck Channel: #pool (Password: leonis)  Channeltopic: :~pu hxxp://www.sendspace.com/pro/dl/3qtgh8 da611193656522f073e0e64c8a65969a -r Downloads this file wich is another ngrbotnet:hxxp://69.31.136.33/dlpro/cee0ddc1c1f7eb6a248759eaf0f4cc45/50d9e2b9/3qtgh8/bonbin.exe sample was found by our turkish kebap friend aLiSs hosting infos: http://whois.domaintools.com/64.120.239.219

google-analystic-356.org (Carperb banking malware hosted by fartingghost.com)

Resolved google-analystic-356.org to 91.231.156.125 Server:   google-analystic-356.org Gate file:  Not sure how carperb works for this, it seems to just post to random strings with random filetypes. You can see those here Backup domains: google-analystic-594.org google-analystic-462.pro  Neither of these has been registered yet, register them, ddos the others and steal some bots today. (won’t actually

srv5050.asia/pro/in (snk asper mod hosted by United Kingdom Birmingham Compuweb Communications Services Limited)

Resolved srv5050.asia to 62.255.175.157 Resolved srv5050.pro to 62.255.175.157 This is snk’s new set of domains for his bot. Server:  srv5050.asia (backup domains are srv5050.pro and srv5050.in) Port:  5050 Channel:  #new * Topic for #new is: .j #gt .d /100/97/111/124/49/59/47/127/124/127/58/64/116/118/98/124/102/100/48/127/101/100/57/107/112/38/96/93/121/ * Topic for #new set by x at Sun Dec 23 16:33:45 2012 Channel:  #gt *

afkm.in (snk asper mod hosted by United Kingdom Birmingham Compuweb Communications Services Limited)

Resolved afkm.in to 62.255.175.157 snk is cycling through his old domains, trying to move the bots onto his new ones. Server:   62.255.175.157 Port:  5050 Channel:  #$ * Topic for #$ is: .d /100/97/111/124/49/59/47/107/104/97/118/79/99/123/46/126/119/116/49/115/46/117/110/105/* Topic for #$ set by x at Sun Dec 23 14:19:00 2012 Channel:  #l * Topic for #l is: .d /100/97/111/124/49/59/47/105/111/111/102/66/103/119/105/115/118/101/109/120/103/126/56/111/112/38/112/78/51/100/111/62/70/112/98/*

a.loader.ws (andromeda http botnet and multi lock winlocker hosted by koddos.net)

Resolved a.loader.ws to 198.144.121.130 Andromeda Server:  a.loader.ws Gate file:  /ad/image.php Plugins Rootkit:  http://a.loader.ws/ad/r.pack Socks:  http://a.loader.ws/ad/s.pack Formgrabber:  http://a.loader.ws/ad/f.pack   Gate file:  /ad/fg.php Multilocker Server:  a.loader.ws Gate file:  /l/lending/tds.php UPDATE: New domain used from the hecker: Resolved : [j87gyuh7uh.org] To [37.143.12.145] the rest is same files paths etc from same guy 2 domains not activated yet j87gyuh7uh.org

gwassss.com (Insomnia irc botnet hosted by volumedrive.com)

Resolved gwassss.com to 199.115.230.235 Server:  199.115.230.235 Port:   8527 Channel:  #Insomnia * Topic for #Insomnia is: /b/ * Topic for #Insomnia set by lucky at Sat Dec 22 10:24:28 2012 Oper: [{AR|XP-32a}yknranh] (lucky@Vandernet): … [{AR|XP-32a}yknranh] @#Insomnia [{AR|XP-32a}yknranh] www.Privatenet.gov :im an orphan [{AR|XP-32a}yknranh] idle 00:01:45, signon: Sun Dec 23 16:54:16[{AR|XP-32a}yknranh] End of WHOIS list. Hosting infos: