sisisu.su (Citadel banking malware hosted by he.net)

Resolved sisisu.su to 64.62.210.103
Server: sisisu.su
Config file: /wheelbarrow/file.php
Gate file: /wheelbarrow/prism.php
Currently being downloaded by this betabot. This is his second attempt at a citadel net, the first one can be found here.
Hosting infos: http://whois.domaintools.com/64.62.210.103
Related md5s (search on malwr.com to download the samples):
Citadel: 5707e28e79f6b6d469874f8b87ecb3b9
Edit: The moron forgot to remove the

kalurjaq.ru (Kelihos hosted in Kazakhstan Almaty Jsc Almatv)

Kelihos (also known as Hlux) is a spambot with the capability to steal credentials from the victim's computer and drop additional malware. While the old version used the second-level domain cz.cc for its distribution and to control the botnet, the new version takes advantage of the TLD .eu in combination with fast-flux techniques. HTTP

z.joerv02.com (IRC botnet hosted in China Nanjing Chinanet Jiangsu Province Network)

Name              Query Type    Query Result    Successful    Protocol
api.wipmania.com  DNS_TYPE_A    69.197.137.58   YES           udp
z.baerr02.com     DNS_TYPE_A    (no result)     NO            udp
z.joerv02.com     DNS_TYPE_A    58.221.60.87    YES           udp

Server: z.joerv02.com:6513
PASS smart
Channels: #dpi,#suk.#sar
PASS smart

insane.pirate-the.net (Athena http botnet hosted by free-h.org)

Resolved insane.pirate-the.net to 91.234.104.150
Server: insane.pirate-the.net
Gate file: /here/gate.php
Thanks to whoever uploaded this on malwr.
Hosting infos: http://whois.domaintools.com/91.234.104.150
Related md5s (search on malwr.com to download the samples):
Athena http: e0046f2d10c7c790cf07d258cdafe299

skyline2050.net (Andromeda http botnet hosted by infiumhost.com)

Resolved skyline2050.net to 188.190.127.160
Server: skyline2050.net
Gate file: /761994/gate.php
This is andromeda 2.07, not the cracked 2.06. You can tell by the admin page located at /adm.php, not on the index page. The owner of this betabot is updating with this, abandoning the betabot.
Mining infos: dum:dum@s5.6d6f6e65797072696e746572.com:3333
Hosting infos: http://whois.domaintools.com/188.190.127.160
Related md5s (search on malwr.com

64.85.233.8 (Citadel banking malware hosted by home ip?)

Server: 64.85.233.8
Config file: /hide/1355/file.php
Gate file: /hide/1355/enter.php
According to whois, this is a home cable internet ip (United States Concord Astound Broadband).
Also on the server, smoke loader and pony:
Smoke
Server: 64.85.233.8
Gate file: /smokeldr/index.php
Pony
Server: 64.85.233.8
Gate file: /js/gate.php
The moron running this has Pony downloading itself, creating a continuous