Month: February 2013

f0001.info/f0010.info/thismynew1.info(ngrBot hosted by Czech Republic Zlin Fdcservers.net)

Resolved: [f0001.info] To [50.7.193.194]
Resolved: [f0010.info] To [50.7.193.194]
Resolved: [thismynew1.info] To [50.7.193.194]
mom002.net not active now
Server: 50.7.193.194:1887
Server Password:
Username: jhdkutg
Nickname: n{DE|XPa}jhdkutg
Channel: #bon2 (Password: speedd)
Channeltopic: :~pu hxxp://hotfile.com/dl/196250384/528b038/bonkapawes.exe f931d3eb10db2822e2f5d0b989e2a5b4 ~s -o ~s
Download URLs:
hxxp://69.197.137.58/ (api.wipmania.com)
hxxp://199.7.177.244/dl/196250388/7241731/avx.exe (hotfile.com)
hxxp://74.120.9.239/get/dd7d65c3bbc12e445706a49c446988ac892a41d5/512e2c88/2/812b96beef6fea89/bb28b14/avx.exe (s251.hotfile.com)
hxxp://199.7.177.244/dl/196250388/7241731/avx.exe (hotfile.com)
hxxp://74.120.9.239/get/a1c05bb55ad6d37d36fec2886739a08919e1fd13/512e2cb6/2/812b96beef6fea89/bb28b14/avx.exe (s251.hotfile.com)
Hosting infos: http://whois.domaintools.com/50.7.193.194

www.yahgodz.com (Andromeda http botnet hosted by dataclub.biz)

Resolved www.yahgodz.com to 46.183.217.148
Server: www.yahgodz.com
Gate file: /http/image.php
Additional domains:
bighecks.net/http/image.php (Missing gate file, hosted at worldstream.nl 217.23.4.155)
sonic4us.ru/http/image.php (Pointed at 127.0.0.1)
imageshells.com/admin/image.php (Missing gate file, hosted at worldstream.nl 217.23.4.107)
All of these are mystical’s domains, used for various nefarious purposes in the past. A quick google shows that he’s been loading onto this

privategallerie.info (Andromeda http botnet hosted by vmbox.co)

Resolved privategallerie.info to 198.20.67.66
Server: privategallerie.info
Gate file: /admin/hippo/image.php
Bitcoin mining info: http://pr3m1era_quio:mota@eu.triplemining.com:8344
A previously posted andromeda botnet had a similar folder path to the gate file.
Hosting infos: http://whois.domaintools.com/198.20.67.66

aeonhf.net (Smoke loader http botnet proxied by cloudflare)

Resolved aeonhf.net to 173.245.60.168, 173.245.61.168 (Cloudflare ips)
Server: aeonhf.net
Alternate domain: aminserve.info (Currently has non-responsive nameservers)
Gate file: /admin/index.php
This is the latest skid who uses cloudflare to help host his botnet. Maybe this time they’ll do something about it?
Hosting infos: ecatel.info
Edit: CloudFlare received your abuse report dated February 24, 2013 regarding: aeonhf.net

mikimouse.net (ngrbot irc botnet hosted by yisp.nl)

Resolved mikimouse.net to 46.182.107.35
Server: mikimouse.net (Alternate domains mikimouse.org mikispace.org)
Port: 1863
Server password: jobs
Channel: #jobs
Topic for #jobs is:
Topic for #jobs set by h at Sat Feb 23 19:28:30 2013
This is the same bot, port and spreading method as a previously posted botnet. However that had been sinkholed so it appears

616design.info (Pony loader and Zeus banking malware hosted by fastit.net)

Resolved 616design.info to 80.82.222.106
Pony Server: 616design.info
Gate file: /forum/pony/gate.php
This is by the same guy as this winlocker and andromeda bot. The server seems to be down at the moment, most likely due to zeus tracker posting the zeus bot I located on the same ip.
Zeus Server: oppspeedy.co.ua
Gate file: /forum/33/gate.php
Config file:

tommyslav.name (Ginemo winlocker hosted by justhost.in.ua)

Resolved tommyslav.name to 91.213.8.52
I saw Malekal tweet that someone was using an exploit kit on adf.ly to distribute andromeda. I had already posted the andromeda, and had suspected that it was the cracked version. I just entered the gate info into the builder, ran the build and watched it download this.
Server: tommyslav.name
Gate

5.199.167.219 (Citadel banking malware hosted by balticservers.com)

Gate file: 5.199.167.219/mode.php
Config droppers (appear to be compromised sites):
shadowsfromlight.com/wp-content/upgrade/file.php
www.danainvestment.com/wp-content/upgrade/file.php
gregsmission.org/wp-content/upgrade/file.php
luna.pgnstudio.com/wp-content/upgrade/file.php
On gregsmission.org WP-Sentinel seems to have failed to stop the initial compromise, but is now preventing the dropper from functioning.
Sample is located here http://whois.domaintools.com/5.199.167.219

92mb samples for analysis

This package has a lot of IRC bot samples, banking trojans and Linux bot samples. Samples are provided only for analysis purposes; don't run them on your machine, use VMware.
Source Source