sentryme.com (Betabot http botnet hosted by ecatel.net)

Resolved sentryme.com to 94.102.51.123
Server: Sentryme.com
Gate file: /order.php
Alternate domain: stayattentive.com
Bitcoin mining info:
-a sha256 -o stratum+tcp://162.243.6.88:3333 -u Ghettoweed.R -p x -g no -t 4
-a sha256 -o stratum+tcp://162.243.6.88:3333 -u Ghettoweed.R -p x -t 0 -I 10
The username string in the binary is the sky daddy_v1$, which corresponds to this Hackforums account.

adobe-helper.cloudapp.net (Andromeda http botnet hosted by microsoft.com)

Resolved adobe-helper.cloudapp.net to 168.63.166.85
Server: adobe-helper.cloudapp.net
Gate file: /updates/gate.php
It downloads a bitcoin miner and begins mining using this proxy, also hosted on the Windows cloud: hxxp://updating-flash6.cloudapp.net
Bonus: andromeda 2.7 panel here: hxxp://adobe-helper.cloudapp.net/panel.zip
Hosting infos: http://whois.domaintools.com/168.63.166.85
Related md5s (search on Malwr.com to download samples)
Andromeda: 2fd21454a5c17fcfffef9f900dec1434

dreiansc.ws (Ice 9 banking malware hosted by vps.ua)

Resolved dreiansc.ws to 31.131.28.121
Server: dreiansc.ws
Gate file: /adm/gate.php
Config file: /config/index.php
The owner forgot to remove the panel installation file: hxxp://dreiansc.ws/adm/install/index.php
Hosting infos: http://whois.domaintools.com/31.131.28.121
Related md5s (search on malwr.com to download samples)
Ice9: edb77957d11c9add8d8bcc615ba3d392

Betabot botnets linked to hackforums users

So if you have been following my posts on this blog, you may have noticed a large number of posts about the “betabot” malware. Betabot is an http bot which is sold on hackforums.net. Despite a number of complaints about serious stability issues, it has become popular with some of the more dedicated script kiddy

cureid.pw (pop3 bruteforcing botnet hosted by firstvds.ru)

Resolved cureid.pw to 62.109.17.111
Server: cureid.pw
Gate file: /cmd.php
The fort disco brute forcing malware has been upgraded, and is now bruteforcing pop3 accounts. The url list to bruteforce is now a list of domains and MX servers.
motorisationplus.com:mx00.1and1.fr
instagift.com:aspmx.l.google.com
paddypartners.it:cluster2a.eu.messagelabs.com
nunofi.sk:mail3.itstudio.cz
realasianbabes.com:oxmail.registrar-servers.com
kvalitetskatalog.se:kvalitetskatalog.se
caissedesdepots.fr:mail1.caissedesdepots.fr
siat.ac.cn:mx.cstnet.cn
A list is mirrored here, you can see more

milfsdeasing.com (paradise ddos bot hosted by zevshost.net)

Resolved milfsdeasing.com to 192.102.6.130
Server: milfsdeasing.com
Gate file: /par/bfg.php
The bot is currently attacking a few websites related to stock and financial regulation.

POST /par/bfg.php HTTP/1.1
Host: milfsdeasing.com
User-Agent: PARADISE
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 10

status=get

HTTP/1.1 200 OK
Date: Thu, 12 Sep 2013 00:25:55 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze14
Vary: Accept-Encoding
Content-Length:

cureit.pw (WordPress bruting botnet hosted by firstvds.ru)

Resolved cureit.pw to 62.109.17.111
This is the same malware as this previous post.
Correct gate request:

GET /cmd.php HTTP/1.0
Host: cureit.pw.
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

HTTP/1.1 200 OK
Date: Wed, 11 Sep 2013 19:17:35 GMT
Server: Apache/2.2.24 (FreeBSD) PHP/5.4.15 mod_ssl/2.2.24 OpenSSL/1.0.1e
X-Powered-By: PHP/5.4.15
Cache-Control: max-age=1
Expires: Wed, 11 Sep 2013 19:17:36

lpa4u.in (Betabot http botnet hosted by worldstream.nl)

Resolved lpa4u.in to 217.23.4.120
Server: lpa4u.in
Gate file: /radioserver/order.php
Downloaded by this andromeda. The domain was only registered yesterday.
Hosting infos: http://whois.domaintools.com/217.23.4.120
Related md5s (search on malwr.com to download samples)
Betabot: 4046fd4e5ddfc40548c2316d6cd289f4