Month: April 2013

fahfasd.pw (Andromeda http botnet hosted by xeneurope.com)

Resolved fahfasd.pw to 109.235.51.249
Server: fahfasd.pw
Gate file: /Panel/image.php
Plugins:
  Rootkit: hxxp://fahfasd.pw/Panel/plugins/r.pack
  Socks: hxxp://fahfasd.pw/Panel/plugins/s.pack
  Formgrabber: hxxp://fahfasd.pw/Panel/plugins/f.pack
    Gate file: /Panel/fg.php
Hosting infos: http://whois.domaintools.com/109.235.51.249

f.eastmoon.pl (ngrBot hosted in Germany, Karlsruhe, 1&1 Internet Ag)

Resolved f.eastmoon.pl to 217.160.173.154, 74.208.230.53, 188.138.89.106, 85.25.86.198, 213.165.71.238

Server: 213.165.71.238:9000
Server Password:
Username: cemomcb
Nickname: n{DEU-XPx86a}rxibehmd
Channel: #sp (Password: yap)
Channeltopic: :!wBHv0JQ4frCCAfQ1ausiPUf+8V+7lwXPGIyAUdmor0CO5CSlmlrNT0sLhs1byIa5Qf+YnMhtBmCBtEOb6hI=

Server: 188.138.89.106:9000
Server Password:
Username: pqelloo
Nickname: {DEU-XPx86a}pqelloov
Channel: #sp (Password: yap)
Channeltopic: :!wBHv0JQ4frCCAfQ1ausiPUf+8V+7lwXPGIyAUdmor0CO5CSlmlrNT0sLhs1byIa5Qf+YnMhtBmCBtEOb6hI=

Samples:
hxxp://hotfile.com/dl/206650590/b80e8ea/spieoaiuasf.html
hxxp://199.7.177.236/dl/206565430/6f9ee70/we71fw1fe6320.html

Thanx to aLiSs for samples and for finding this net.
Hosting infos:

solutionswiki.com (Betabot http botnet hosted by alibabahost.com)

Resolved solutionswiki.com to 109.163.233.107
Server: solutionswiki.com
Port: 4137
Gate file: /system/order.php

I don't know why betabot owners keep putting their http servers on ports other than 80. Seems pretty dumb. I guess you can only expect so much from a HF bot and its owners.

Hosting infos: http://whois.domaintools.com/109.163.233.107

Power Loader (http malware hosted in Luxembourg, Steinsel, Root Sa)

HTTP Requests:
hxxp://94.242.250.178/daol/asidfk11.dat?wv=51&bt=32
hxxp://94.242.250.178/daol/oadl.php
hxxp://wickedreport.com/images/2009/05/naughty-elephant.jpg

Samples:
hxxp://tbsnpd.best.volyn.ua/dlimage11.php
hxxp://94.242.250.178/daol/asidfk11.dat

Hosting infos: http://whois.domaintools.com/94.242.250.178

btcguild.com (Bitcoin Miner botnet hosted in United States, Dallas, Ebl Global Networks Inc.)

URL: hxxp://btcguild.com:8332/
hxxp://btcguild.com:8332 -u chakan_1 -p 123
hxxp://btcguild.com:8332 -u graskla_1 -p 123

DATA:
POST / HTTP/1.1
Authorization: Basic Y2hha2FuXzE6MTIz
Content-Length: 43
User-Agent: Ufasoft bitcoin-miner/0.20 (Windows NT XP 5.1.2600 Service Pack 3)
Host: btcguild.com:8332
Cache-Control: no-cache

{"method": "getwork", "params": [], "id":0}

Actions Detected:
Creates autorun records
Injects code into other processes
Patches system files

Samples:

hardstunt.com (Andromeda http botnet proxied by cloudflare.com)

Resolved hardstunt.com to 108.162.198.113, 108.162.199.113
Server: hardstunt.com
Gate file: /blob/image.php

Hosting a botnet behind cloudflare seems like a bad idea. Let's see if I can get this blocked.

EDIT: CloudFlare received your malware report dated April 28, 2013 regarding: hardstunt.com. Please be aware CloudFlare is a network provider offering a reverse proxy, pass-through security service. We