Month: August 2013

navega.pw (Betabot http botnet hosted by OVH.net)

Resolved navega.pw to 198.245.51.109

Server: navega.pw
Gate file: /b7891/b986/bnav123/mar/360/vid5852/order.php

This is on the same IP as the previously posted Athena IRC botnet, and is one of three Betabot botnets hosted on the server, with smalltoys and strike-file-hosting being the other two.

Hosting info: http://whois.domaintools.com/198.245.51.109

Related md5s (search on malwr.com to download the samples):
Betabot: a422f5aabc160f5a8dbde033ea9e6d0b

hosting-bros.me (Athena irc botnet hosted by OVH.net)

Resolved hosting-bros.me to 198.245.51.109

Server: hosting-bros.me
Port: 2300
Channel: #athena

Hosting info: http://whois.domaintools.com/198.245.51.109

Related md5s (search on malwr.com to download samples):
Athena: c6c1355e7af32c584a4959878bd2640a

irc.tskiller.com (Athena irc botnet hosted by scopehosts.com)

Resolved irc.tskiller.com to 91.109.17.227

Server: irc.tskiller.com
Port: 6667

There are 1 users and 207 invisible on 1 servers

Channels (name, user count, and any trailing topic or mode text as it appeared in the channel list):
#kurdish 5
#ddos 13 asf123
#deus 8
#eser 4
#DyntaiLegion 12
#kebab 6
#stud 6
#Kavin 3 [+sntVCT]
#opers 1
#deneme 12
#hack0si 7
#LoL 2
#USA 1
#TizenX 2
#unwrittenlaw 4
#winyle 5
#nirjhar 54

74.121.150.39 (WordPress brute forcing botnet hosted by it7.net)

Server: 74.121.150.39
Port: 22503 (note: this is not IRC based)

This is one of the various botnets attempting to brute-force WordPress blogs. It works pretty fast: during a short run on the malwr.com sandbox it attempted to log in to 981 different blogs, all with domains starting with "exp". Since malwr.com only allows the sample uploader

ns1.androha.com (Andromeda http botnet hosted by namecheap.com)

Resolved ns1.androha.com to 162.213.250.141

Server: ns1.androha.com
Gate file: /cgi/image.php

Plugins:
Rootkit: hxxp://ns1.androha.com/cgi/r.pack
Socks: hxxp://ns1.androha.com/cgi/s.pack
Formgrabber: hxxp://ns1.androha.com/cgi/f.pack
Gate file: /cgi/fg.php

First cracked Andromeda I’ve seen in a while.

Hosting info: http://whois.domaintools.com/162.213.250.141

Related md5s (search on malwr.com to download the sample):
Andromeda: c5598dd742b5504084779ccfda0b207c

allrounders.cc (Athena http botnet hosted by hostkey.com)

Resolved allrounders.cc to 146.0.73.201

Server: allrounders.cc
Gate file: /1ds2541svc/gate.php

This domain was previously used as a backup domain for a now-defunct Betabot. I guess the owner is trying all the L33T hackforums bots.

Hosting info: http://whois.domaintools.com/146.0.73.201

Related md5s (search on malwr.com to see the sample in action; you can’t download it as someone hates

kankarmz.ru (betabot http botnet hosted by Alibabahost.com)

Resolved kankarmz.ru to 37.221.170.35

Server: kankarmz.ru
Gate file: /Duf67/H8938_827.php

Alternate domains (both are currently unregistered):
u023sjasj.net
iodijsakj.net

This is one of only three or so Betabots that I have seen rename the gate file from order.php to something less obvious. I guess that might be a bit too advanced for the average HF skid.

Hosting info:

xvident.pw (andromeda http botnet hosted by maxhosting.ru)

Resolved xvident.pw to 192.162.100.211

Server: xvident.pw
Gate file: gate.php

There is another domain pointed at the same IP which is also hosting an Andromeda panel.

Server: plesto.pw
Gate file: gate.php

Hosting info: http://whois.domaintools.com/192.162.100.211

Related md5s (search on malwr.com to download samples):
Andromeda: 57e8423ba1a1d8816ba5d078fd9f64df

yt4cpa.us (Andromeda http botnet hosted by worldstream.nl)

Resolved yt4cpa.us to 217.23.11.122

Server: yt4cpa.us
Gate file: /gate.php

Downloaded by this Betabot.
phpinfo here: http://yt4cpa.us/test.php

Hosting info: http://whois.domaintools.com/217.23.11.122

Related md5s (search on malwr.com to download samples):
Andromeda: b887cdbc60cdbaecd6702405b57dc0a1

spambox.su (snk aspermod irc botnet hosted by Cityline Ltd)

Resolved spambox.su to 95.215.70.66

Server: spambox.su
Port: 5050
Channel: #b600

IRC client output on joining:
Now talking on #b600
Topic for #b600 is: .j #sending
Topic for #b600 set by x (Sat Aug 10 05:38:20 2013)

Hosting info: http://whois.domaintools.com/95.215.70.66

Related md5s (search on malwr.com to download samples):
Asper mod: b1abf1aaa62115c53184e34190aa114e