my $fakeproc = “sh -c (ps -aux)2>&1”;my $ircserver = “irc.edsel.us.to”;my $ircport = “7221”;my $nickname = “i-escorts”;my $ident = “bogo”;my $channel = “#jurig”;my $admin = “SmitfraudFix”;my $fullname = “naon”; Full source here hosting infos: http://whois.domaintools.com/184.107.213.58
knwns.de (Betabot http botnet hosted by balticservers.com)
Resolved knwns.de to 5.199.166.226 Server: knwns.de Gate file: /bst/order.php Hosting infos: http://whois.domaintools.com/5.199.166.226
toxhoster.net (Pony loader hosted by ecatel.net)
Resolved toxhoster.net to 80.82.79.35 Server: toxhoster.net Gate file: /forum/gate.php Some idiot set it to download itself from the server, so it will run in an endless loop of stealing passwords, sending logs, and then downloading and running itself. Hosting infos: http://whois.domaintools.com/80.82.79.35 Related md5s (search on malwr.com to download the samples): b22258989a5e93d4cb1c3960441c1c06
humlaburd.org (Betabot http botnet hosted by balticservers.com)
Resolved humlaburd.org to 5.199.164.92 Server: humlaburd.org Gate file: /spidey/order.php Hosting infos: http://whois.domaintools.com/5.199.164.92 Related md5s (search on malwr.com to download the samples): Betabot: 80ac8731fa69e1480719982bd527042e
trakd.ws (Betabot http botnet hosted by intermedia.md)
Resolved trakd.ws to 89.45.14.72 Server: trakd.ws Gate file: /bb/order.php Alternate domains: trakd.biz trakd.ru Hosting infos: http://whois.domaintools.com/89.45.14.72 Related md5s (search on malwr.com to download the samples): Betabot: a0a66dfbdf1ce76782ba20a07a052976
37.221.160.132 (Kaiten irc botnet hosted by voxility.net)
Server: 37.221.160.132 Port: 443 Channel: #yodawg Channel password: lol.WH #yodawg 58 [+smnu] yo dawg i herd u like backdoors so we put a backdoor in ur backdoor so u can get owned while u own Check his server usage here: hxxp://fkn.ddos.cat/p.php Another one from x00 http://pastebin.com/fgjJGFxt Hosting infos: http://whois.domaintools.com/37.221.160.132
irc.byroe.net (Lightaidra Router botnet hosted by fdcservers.net)
Resolved irc.byroe.net to 204.45.97.42, 103.13.240.2, 109.123.112.25, 91.121.73.41 Server: irc.byroe.net Port: 6667 Channel: #priv8 #priv8 728 [+pmntr] CAUTION P.R.I.V.A.T.E CAUTION AuthHost: @csops.byroe.net Oper: [SuPrem0] (~BaGol0@csops.byroe.net): BaGol0[SuPrem0] is a registered nick[SuPrem0] ~#priv8 [SuPrem0] is away (Not Here !!!)[SuPrem0] is a Staff Byroe[SuPrem0] idle 08:04:23, signon: Mon Apr 15 07:04:56[SuPrem0] End of WHOIS list. Payload: hxxp://50.116.7.213/mymail/skins/larry/images/googiespell/.a/getbinaries.sh Hosting infos:Read more...
x.e1b2.org (ngrBot irc botnet hosted by namecheap.com)
Resolved x.e1b2.org to 192.64.114.16, 192.64.114.184 Server: x.e1b2.org Port: 80 Server password: 666666 Channel: ##Rox-x01## Topic for ##Rox-x01## is: !m on !s -n !mod usbi on !NAZEL hxxp://www8.0zz0.com/2013/05/25/23/865519528.gif !NAZEL hxxp://www12.0zz0.com/2013/05/24/15/675195622.gif !NAZEL hxxp://www12.0zz0.com/2013/05/21/06/487587018.gif Topic for ##Rox-x01## set by xXx at Mon May 27 14:47:02 2013 The server requires SSL to connect Alternate domains: x.e2b3.org x.c1d2.org x.x1ua.org x.x1x2.suRead more...
www.istanbulnakliyecileri.com (Andromeda http botnet hosted by ozkula.com.tr)
Resolved www.istanbulnakliyecileri.com to 37.247.108.48 Server: www.istanbulnakliyecileri.com Gate file: /firmalar/and/image.php Plugins Rootkit: hxxp://www.istanbulnakliyecileri.com/firmalar/and/r.pack Socks: hxxp://www.istanbulnakliyecileri.com/firmalar/and/s.pack Formgrabber: hxxp://www.istanbulnakliyecileri.com/firmalar/and/f.pack Gate file: hxxp://www.istanbulnakliyecileri.com/firmalar/and/fg.php This appears to be hosted on a hacked site. Hosting infos: http://whois.domaintools.com/37.247.108.48 Related md5s (search on malwr.com to download the samples): 8709c21be7d72c8ec8aaaa55ccc64b84
runawaswarm.ru (Ice 9 banking malware hosted by hc.ru)
Resolved runawaswarm.ru to 79.174.65.19 Server: runawaswarm.ru Config file: /xml/config.php Gate file: /xml/redir.php Hosting infos: http://whois.domaintools.com/79.174.65.19 Related md5s (search on malwr.com to download the samples): a9ca2d05060008f988ed72db5eebe67f