Resolved sentryme.com to 94.102.51.123
Server: Sentryme.com
Gate file: /order.php
Alternate domain: stayattentive.com
Bitcoin mining info:
-a sha256 -o stratum+tcp://162.243.6.88:3333 -u Ghettoweed.R -p x -g no -t 4
-a sha256 -o stratum+tcp://162.243.6.88:3333 -u Ghettoweed.R -p x -t 0 -I 10
The username string in the binary is the sky daddy_v1$, which corresponds to this Hackforums account.
adobe-helper.cloudapp.net (Andromeda http botnet hosted by microsoft.com)
Resolved adobe-helper.cloudapp.net to 168.63.166.85
Server: adobe-helper.cloudapp.net
Gate file: /updates/gate.php
It downloads a bitcoin miner and begins mining using this proxy, also hosted on the Windows cloud: hxxp://updating-flash6.cloudapp.net
Bonus Andromeda 2.7 panel here: hxxp://adobe-helper.cloudapp.net/panel.zip
Hosting info: http://whois.domaintools.com/168.63.166.85
Related md5s (search on malwr.com to download samples)
Andromeda: 2fd21454a5c17fcfffef9f900dec1434
dreiansc.ws (Ice 9 banking malware hosted by vps.ua)
Resolved dreiansc.ws to 31.131.28.121
Server: dreiansc.ws
Gate file: /adm/gate.php
Config file: /config/index.php
The owner forgot to remove the panel installation file: hxxp://dreiansc.ws/adm/install/index.php
Hosting info: http://whois.domaintools.com/31.131.28.121
Related md5s (search on malwr.com to download samples)
Ice9: edb77957d11c9add8d8bcc615ba3d392
Betabot botnets linked to hackforums users
So if you have been following my posts on this blog, you may have noticed a large number of posts about the “betabot” malware. Betabot is an HTTP bot which is sold on hackforums.net. Despite a number of complaints about serious stability issues, it has become popular with some of the more dedicated script kiddy
cureid.pw (pop3 bruteforcing botnet hosted by firstvds.ru)
Resolved cureid.pw to 62.109.17.111
Server: cureid.pw
Gate file: /cmd.php
The Fort Disco brute-forcing malware has been upgraded and is now brute-forcing POP3 accounts. The URL list to brute-force is now a list of domains and MX servers.
A list is mirrored here, you can see more
milfsdeasing.com (paradise ddos bot hosted by zevshost.net)
Resolved milfsdeasing.com to 192.102.6.130
Server: milfsdeasing.com
Gate file: /par/bfg.php
The bot is currently attacking a few websites related to stock and financial regulation.
POST /par/bfg.php HTTP/1.1
Host: milfsdeasing.com
User-Agent: PARADISE
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 10

status=get

HTTP/1.1 200 OK
Date: Thu, 12 Sep 2013 00:25:55 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze14
Vary: Accept-Encoding
Content-Length:
cureit.pw (WordPress bruting botnet hosted by firstvds.ru)
Resolved cureit.pw to 62.109.17.111
This is the same malware as this previous post.
Correct gate request:
GET /cmd.php HTTP/1.0
Host: cureit.pw.
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

HTTP/1.1 200 OK
Date: Wed, 11 Sep 2013 19:17:35 GMT
Server: Apache/2.2.24 (FreeBSD) PHP/5.4.15 mod_ssl/2.2.24 OpenSSL/1.0.1e
X-Powered-By: PHP/5.4.15
Cache-Control: max-age=1
Expires: Wed, 11 Sep 2013 19:17:36
jottedmaintains.net (Citadel banking malware hosted by linkup.ua)
Resolved jottedmaintains.net to 176.119.2.93
Server: jottedmaintains.net
Gate file: /xerox/file.php
Config file: /xerox/gate.php
Hosting info: http://whois.domaintools.com/176.119.2.93
Related md5s (search on malwr.com to download samples)
Citadel: 19d04a8e094f5fe2b171cf5eed677c30
lpa4u.in (Betabot http botnet hosted by worldstream.nl)
Resolved lpa4u.in to 217.23.4.120
Server: lpa4u.in
Gate file: /radioserver/order.php
Downloaded by this Andromeda. The domain was only registered yesterday.
Hosting info: http://whois.domaintools.com/217.23.4.120
Related md5s (search on malwr.com to download samples)
Betabot: 4046fd4e5ddfc40548c2316d6cd289f4
dortnath.com (Andromeda http botnet hosted by sunhoster.ru)
Resolved dortnath.com to 185.6.80.48
Server: dortnath.com
Gate file: /gate.php
Hosting info: http://whois.domaintools.com/185.6.80.48
Related md5s (search on malwr.com to download samples)
Andromeda: 8d7d4ea8a5ef18341d5534056d60e061