Month: May 2013

toxhoster.net (Pony loader hosted by ecatel.net)

Resolved toxhoster.net to 80.82.79.35
Server: toxhoster.net
Gate file: /forum/gate.php
Some idiot set it to download itself from the server, so it will run in an endless loop of stealing passwords, sending logs, and then downloading and running itself.
Hosting infos: http://whois.domaintools.com/80.82.79.35
Related md5s (search on malwr.com to download the samples): b22258989a5e93d4cb1c3960441c1c06

trakd.ws (Betabot http botnet hosted by intermedia.md)

Resolved trakd.ws to 89.45.14.72
Server: trakd.ws
Gate file: /bb/order.php
Alternate domains: trakd.biz trakd.ru
Hosting infos: http://whois.domaintools.com/89.45.14.72
Related md5s (search on malwr.com to download the samples): Betabot: a0a66dfbdf1ce76782ba20a07a052976

37.221.160.132 (Kaiten irc botnet hosted by voxility.net)

Server: 37.221.160.132
Port: 443
Channel: #yodawg
Channel password: lol.WH
#yodawg          58      [+smnu] yo dawg i herd u like backdoors so we put a backdoor in ur backdoor so u can get owned while u own
Check his server usage here: hxxp://fkn.ddos.cat/p.php
Another one from x00: http://pastebin.com/fgjJGFxt
Hosting infos: http://whois.domaintools.com/37.221.160.132

irc.byroe.net (Lightaidra Router botnet hosted by fdcservers.net)

Resolved irc.byroe.net to 204.45.97.42, 103.13.240.2, 109.123.112.25, 91.121.73.41
Server: irc.byroe.net
Port: 6667
Channel: #priv8
#priv8           728     [+pmntr] CAUTION P.R.I.V.A.T.E CAUTION
AuthHost: @csops.byroe.net
Oper:
[SuPrem0] (~BaGol0@csops.byroe.net): BaGol0
[SuPrem0] is a registered nick
[SuPrem0] ~#priv8
[SuPrem0] is away (Not Here !!!)
[SuPrem0] is a Staff Byroe
[SuPrem0] idle 08:04:23, signon: Mon Apr 15 07:04:56
[SuPrem0] End of WHOIS list.
Payload: hxxp://50.116.7.213/mymail/skins/larry/images/googiespell/.a/getbinaries.sh
Hosting infos:

x.e1b2.org (ngrBot irc botnet hosted by namecheap.com)

Resolved x.e1b2.org to 192.64.114.16, 192.64.114.184
Server: x.e1b2.org
Port: 80
Server password: 666666
Channel: ##Rox-x01##
Topic for ##Rox-x01## is: !m on !s -n !mod usbi on !NAZEL hxxp://www8.0zz0.com/2013/05/25/23/865519528.gif !NAZEL hxxp://www12.0zz0.com/2013/05/24/15/675195622.gif !NAZEL hxxp://www12.0zz0.com/2013/05/21/06/487587018.gif
Topic for ##Rox-x01## set by xXx at Mon May 27 14:47:02 2013
The server requires SSL to connect.
Alternate domains: x.e2b3.org x.c1d2.org x.x1ua.org x.x1x2.su

www.istanbulnakliyecileri.com (Andromeda http botnet hosted by ozkula.com.tr)

Resolved www.istanbulnakliyecileri.com to 37.247.108.48
Server: www.istanbulnakliyecileri.com
Gate file: /firmalar/and/image.php
Plugins:
Rootkit: hxxp://www.istanbulnakliyecileri.com/firmalar/and/r.pack
Socks: hxxp://www.istanbulnakliyecileri.com/firmalar/and/s.pack
Formgrabber: hxxp://www.istanbulnakliyecileri.com/firmalar/and/f.pack
Gate file: hxxp://www.istanbulnakliyecileri.com/firmalar/and/fg.php
This appears to be hosted on a hacked site.
Hosting infos: http://whois.domaintools.com/37.247.108.48
Related md5s (search on malwr.com to download the samples): 8709c21be7d72c8ec8aaaa55ccc64b84

runawaswarm.ru (Ice 9 banking malware hosted by hc.ru)

Resolved runawaswarm.ru to 79.174.65.19
Server: runawaswarm.ru
Config file: /xml/config.php
Gate file: /xml/redir.php
Hosting infos: http://whois.domaintools.com/79.174.65.19
Related md5s (search on malwr.com to download the samples): a9ca2d05060008f988ed72db5eebe67f