fahfasd.pw (Andromeda http botnet hosted by xeneurope.com)

Resolved fahfasd.pw to Server:  fahfasd.pw Gate file:  /Panel/image.php Plugins Rootkit:  hxxp://fahfasd.pw/Panel/plugins/r.pack Socks:  hxxp://fahfasd.pw/Panel/plugins/s.pack Formgrabber:  hxxp://fahfasd.pw/Panel/plugins/f.pack   Gate file:  /Panel/fg.php Hosting infos: http://whois.domaintools.com/

f.eastmoon.pl(ngrBot hosted in Germany Karlsruhe 1&1 Internet Ag)

Resolved : [f.eastmoon.pl] To []Resolved : [f.eastmoon.pl] To [] Resolved : [f.eastmoon.pl] To []Resolved : [f.eastmoon.pl] To []Resolved : [f.eastmoon.pl] To [] Server: Password:Username: cemomcbNickname: n{DEU-XPx86a}rxibehmdChannel: #sp (Password: yap)Channeltopic: :!wBHv0JQ4frCCAfQ1ausiPUf+8V+7lwXPGIyAUdmor0CO5CSlmlrNT0sLhs1byIa5Qf+YnMhtBmCBtEOb6hI= Server: Password:Username: pqellooNickname: {DEU-XPx86a}pqelloovChannel: #sp (Password: yap)Channeltopic: :!wBHv0JQ4frCCAfQ1ausiPUf+8V+7lwXPGIyAUdmor0CO5CSlmlrNT0sLhs1byIa5Qf+YnMhtBmCBtEOb6hI= Samples: hxxp://hotfile.com/dl/206650590/b80e8ea/spieoaiuasf.html hxxp:// Thanx to aLiSs for samples and for finding this net hosting infos:

solutionswiki.com (Betabot http botnet hosted by alibabahost.com)

Resolved solutionswiki.com to Server:  solutionswiki.com Port:  4137 Gate file:  /system/order.php I don’t know why betabot owners keep putting their http servers on ports other than 80. Seems pretty dumb. I guess you can only expect so much from a HF bot and it’s owners. Hosting infos: http://whois.domaintools.com/

Power Loader(http malware hosted in Luxembourg Steinsel Root Sa)

HTTP Requests: hxxp:// hxxp:// hxxp://wickedreport.com/images/2009/05/naughty-elephant.jpg Sample: hxxp://tbsnpd.best.volyn.ua/dlimage11.php hxxp:// Hosting infos: http://whois.domaintools.com/

btcguild.com(Bitcoin Miner botnet hosted in United States Dallas Ebl Global Networks Inc.)

URL: hxxp://btcguild.com:8332/   hxxp://btcguild.com:8332 -u chakan_1 -p 123 hxxp://btcguild.com:8332 -u graskla_1 -p 123 DATA: POST / HTTP/1.1 Authorization: Basic Y2hha2FuXzE6MTIz Content-Length: 43 User-Agent: Ufasoft bitcoin-miner/0.20 (Windows NT XP 5.1.2600 Service Pack 3) Host: btcguild.com:8332 Cache-Control: no-cache {“method”: “getwork”, “params”: [], “id”:0} Actions Detected: Creates autorun records Injects code into other processes Patches system files Samples:

hardstunt.com (Andromeda http botnet proxied by cloudflare.com)

Resolved hardstunt.com to, Server:  hardstunt.com Gate file:  /blob/image.php Hosting a botnet behind cloudflare seems like a bad idea.Lets see if I can get this blocked. EDIT: CloudFlare received your malware report dated April 28, 2013 regarding: hardstunt.com Please be aware CloudFlare is a network provider offering a reverse proxy, pass-through security service. We