Month: April 2013

(Andromeda http botnet hosted by

Resolved to
Server:
Gate file: /Panel/image.php
Plugins:
Rootkit: hxxp://
Socks: hxxp://
Formgrabber: hxxp://
Gate file: /Panel/fg.php
Hosting infos: hosted in Germany Karlsruhe 1&1 Internet Ag)

Resolved : [] To []
Server:
Password:
Username: cemomcb
Nickname: n{DEU-XPx86a}rxibehmd
Channel: #sp (Password: yap)
Channeltopic: :!wBHv0JQ4frCCAfQ1ausiPUf+8V+7lwXPGIyAUdmor0CO5CSlmlrNT0sLhs1byIa5Qf+YnMhtBmCBtEOb6hI=
Server:
Password:
Username: pqelloo
Nickname: {DEU-XPx86a}pqelloov
Channel: #sp (Password: yap)
Channeltopic: :!wBHv0JQ4frCCAfQ1ausiPUf+8V+7lwXPGIyAUdmor0CO5CSlmlrNT0sLhs1byIa5Qf+YnMhtBmCBtEOb6hI=
Samples: hxxp:// hxxp://
Thanx to aLiSs for samples and for finding this net.
Hosting infos:

(Betabot http botnet hosted by

Resolved to
Server:
Port: 4137
Gate file: /system/order.php
I don't know why betabot owners keep putting their http servers on ports other than 80. Seems pretty dumb. I guess you can only expect so much from an HF bot and its owners.
Hosting infos:

Power Loader (http malware hosted in Luxembourg Steinsel Root Sa)

HTTP Requests: hxxp:// hxxp:// hxxp://
Sample: hxxp:// hxxp://
Hosting infos:

Miner botnet hosted in United States Dallas Ebl Global Networks Inc.)

URL: hxxp://
hxxp:// -u chakan_1 -p 123
hxxp:// -u graskla_1 -p 123
DATA:
POST / HTTP/1.1
Authorization: Basic Y2hha2FuXzE6MTIz
Content-Length: 43
User-Agent: Ufasoft bitcoin-miner/0.20 (Windows NT XP 5.1.2600 Service Pack 3)
Host:
Cache-Control: no-cache
{"method": "getwork", "params": [], "id":0}
Actions Detected:
Creates autorun records
Injects code into other processes
Patches system files
Samples:

(Andromeda http botnet proxied by
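The miner write-up above quotes a getwork POST whose Basic auth header carries the pool credentials and whose User-Agent names the miner. The following detection helper is an added example, not code from the original blog: it parses such a captured request, decodes the Basic auth token, and flags the miner indicators. The request is reconstructed from the post; the pool hostname is stripped on the page, so the Host value is a placeholder.

```python
import base64
import json
import re
# Constructed sample: the getwork POST quoted in the write-up above; the pool
# hostname is stripped on the page, so a placeholder Host value is used here.
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Authorization: Basic Y2hha2FuXzE6MTIz\r\n"
    "Content-Length: 43\r\n"
    "User-Agent: Ufasoft bitcoin-miner/0.20 (Windows NT XP 5.1.2600 Service Pack 3)\r\n"
    "Host: pool.example.invalid\r\n"
    "Cache-Control: no-cache\r\n\r\n"
    '{"method": "getwork", "params": [], "id":0}'
)
# User-Agent string seen in the capture above; extend with other miner agents.
MINER_UA = re.compile(r"Ufasoft bitcoin-miner", re.I)
def parse_http_request(raw):
    # Split a raw HTTP/1.1 request into method, path, lower-cased headers, body.
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}
def decode_basic_auth(value):
    # Return (user, password) from an "Authorization: Basic ..." value, else None.
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password
def inspect_mining_request(raw):
    # Flag miner indicators: miner User-Agent, getwork JSON-RPC body, pool creds.
    req = parse_http_request(raw)
    hdr, findings = req["headers"], []
    if MINER_UA.search(hdr.get("user-agent", "")):
        findings.append("miner user-agent")
    try:
        rpc = json.loads(req["body"])
    except ValueError:
        rpc = None
    if req["method"] == "POST" and isinstance(rpc, dict) and rpc.get("method") == "getwork":
        findings.append("getwork JSON-RPC call")
    creds = decode_basic_auth(hdr.get("authorization", ""))
    if creds:
        findings.append("pool credentials in Basic auth")
    return {"host": hdr.get("host"), "credentials": creds, "findings": findings}
```

Running `inspect_mining_request(SAMPLE_REQUEST)` recovers the `chakan_1` / `123` pair that the post's miner command line also shows, confirming the Basic auth header is the same credential.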

Resolved to
Server:
Gate file: /blob/image.php
Hosting a botnet behind CloudFlare seems like a bad idea. Let's see if I can get this blocked.
EDIT: CloudFlare received your malware report dated April 28, 2013 regarding: Please be aware CloudFlare is a network provider offering a reverse proxy, pass-through security service. We