redwine.hopewill-imm.com (Betabot http botnet hosted by contabo.com)

Resolved redwine.hopewill-imm.com to 80.241.218.79
Server: redwine.hopewill-imm.com
Gate file: /papernews/paperboard.php
Alternate domains:
artgallery.keramikart.ro
jetplane.yangon-airways.com
flight.yangon-airways.com
abroad.laos-airlines.net
plates.ceramic1.com
Hosting infos: http://whois.domaintools.com/80.241.218.79
Related md5s (download sample from Malwr.com)
Betabot: 3d250757e1b306b899652ef3c5ef93a7

mklist.myjino.ru (Madness DDoS bot hosted by avguro.com)

Resolved mklist.myjino.ru to 81.177.141.202
Server: mklist.myjino.ru
Gate file: /mad/index.php
Info about this malware can be found in this blog post by Kafeine.
Hosting infos: http://whois.domaintools.com/81.177.141.202
Related md5s (download sample from Malwr.com)
Madness: e0b9c947735ee8da2ea1eb7de664b13c

spamtheinter.net (Pony loader hosted by ecatel.net)

Resolved spamtheinter.net to 94.102.51.123
Server: spamtheinter.net
Gate file: /pony/gate.php
Hosting infos: http://whois.domaintools.com/94.102.51.123
Related md5 (download sample from Malwr.com)
Pony: ab5c96e927c863a773271347a5713486

renterlocal.su (Betabot http botnet hosted on a fast-flux botnet)

Server: renterlocal.su
Gate file: /be/order.php
Alternate domains:
municipales.ru
wmkdi.su
dfntlk.su
captioncodes.ru
juliussdietz.ru
Hosting infos: no single IP, the domain is fast-fluxed over infected hosts (11 A records in one answer):
; <<>> DiG 9.6.1-P1 <<>> renterlocal.su
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8938
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 4, ADDITIONAL: 12
;; QUESTION SECTION:
;renterlocal.su. IN A
;;

24E1tRfQaf31.in (Betabot http botnet hosted by ecatel.net)

Resolved 24e1trfqaf31.in to 94.102.49.76
Server: 24e1trfqaf31.in
Gate file: /Kuod_9381a/order.php
Alternate domains:
24ttgaezrtawae.in
13893ygh1uvbad.in
ibfuo2t1g1qdewr3.in (currently suspended)
The WHOIS info for this domain is pretty interesting. It looks like someone copied the WHOIS info of a major hackforums scammer.
Hosting infos: http://whois.domaintools.com/94.102.49.76
Related md5s (download samples from Malwr.com)
Betabot: b47a148b57ce6a7e6e57b039315c77d4

sloodam.in (Betabot http botnet proxied by cloudflare.com)

Server: sloodam.in
Gate file: /lolserver/james/order.php
Yet another script kiddie seems to think that Cloudflare is the best place to host his botnet. Let's see how fast they shut this down. Note that because the domain is proxied, there is no origin IP to block; the only usable indicators are the hostname and the gate path.
Related md5s (search on Malwr.com to download samples)
Betabot: faf473886ef8775d6514ab898a550b3e
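The entries above give three kinds of indicator per botnet: the C2 hostname (plus alternates), the gate file path, and, where the server is not fast-fluxed or behind Cloudflare, a resolved IP. The following script is an added example, not part of the original post, that turns those indicators into a simple matcher for HTTP proxy logs. The log format (timestamp, client IP, method, URL, server IP) and the log lines are constructed for the example; the indicator tables are transcribed from the entries on this page. A hit on the exact gate path is treated as high confidence, a hit on only the domain or only the IP as medium, because the IPs belong to shared hosting providers and the fast-flux/Cloudflare entries carry no stable IP at all.

```python
"""Match proxy-log lines against the C2 indicators listed on this page (added example)."""
import re
from urllib.parse import urlsplit

# Indicators transcribed from the entries above: hostname -> (gate path, resolved IP or None).
# renterlocal.su (fast-flux) and sloodam.in (Cloudflare-proxied) have no stable origin IP,
# so for them only host and path matching apply.
C2_GATES = {
    "redwine.hopewill-imm.com": ("/papernews/paperboard.php", "80.241.218.79"),
    "mklist.myjino.ru": ("/mad/index.php", "81.177.141.202"),
    "spamtheinter.net": ("/pony/gate.php", "94.102.51.123"),
    "renterlocal.su": ("/be/order.php", None),
    "24e1trfqaf31.in": ("/Kuod_9381a/order.php", "94.102.49.76"),
    "sloodam.in": ("/lolserver/james/order.php", None),
}

# Alternate domains listed for the same gate -> canonical hostname.
ALT_DOMAINS = {
    "artgallery.keramikart.ro": "redwine.hopewill-imm.com",
    "jetplane.yangon-airways.com": "redwine.hopewill-imm.com",
    "flight.yangon-airways.com": "redwine.hopewill-imm.com",
    "abroad.laos-airlines.net": "redwine.hopewill-imm.com",
    "plates.ceramic1.com": "redwine.hopewill-imm.com",
    "municipales.ru": "renterlocal.su",
    "wmkdi.su": "renterlocal.su",
    "dfntlk.su": "renterlocal.su",
    "captioncodes.ru": "renterlocal.su",
    "juliussdietz.ru": "renterlocal.su",
    "24ttgaezrtawae.in": "24e1trfqaf31.in",
    "13893ygh1uvbad.in": "24e1trfqaf31.in",
    "ibfuo2t1g1qdewr3.in": "24e1trfqaf31.in",
}

# Reverse index: resolved IP -> canonical hostname (only for entries that have one).
IP_TO_GATE = {ip: host for host, (_, ip) in C2_GATES.items() if ip}


def classify(url, server_ip=None):
    """Return (confidence, canonical C2 host, reason) for a request, or None if clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    canonical = host if host in C2_GATES else ALT_DOMAINS.get(host)
    if canonical:
        gate_path, _ = C2_GATES[canonical]
        # Gate paths live on Linux hosts, so compare case-sensitively; query string is ignored.
        if parts.path == gate_path:
            return ("high", canonical, "request to C2 gate file")
        return ("medium", canonical, "host is a known C2 domain")
    if server_ip in IP_TO_GATE:
        # Same box, different (unlisted) hostname: still worth a look, but the IP is shared hosting.
        return ("medium", IP_TO_GATE[server_ip], "connection to known C2 IP under unlisted hostname")
    return None


# Constructed log format for this example: timestamp client_ip method url server_ip
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_log(lines):
    """Run classify() over proxy log lines; returns one dict per matching line."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line, skip rather than crash
        ts, client, method, url, server_ip = m.groups()
        verdict = classify(url, server_ip)
        if verdict:
            confidence, canonical, reason = verdict
            hits.append({"line": lineno, "client": client, "method": method,
                         "confidence": confidence, "canonical": canonical, "reason": reason})
    return hits


# Constructed sample log; non-indicator IPs use documentation ranges (203.0.113.0/24).
SAMPLE_LOG = """\
1376000001.001 10.0.0.15 POST http://redwine.hopewill-imm.com/papernews/paperboard.php 80.241.218.79
1376000002.114 10.0.0.15 GET http://www.example.com/index.html 203.0.113.34
1376000003.320 10.0.0.22 POST http://flight.yangon-airways.com/papernews/paperboard.php 80.241.218.79
1376000004.500 10.0.0.31 POST http://sloodam.in/lolserver/james/order.php 203.0.113.7
1376000005.002 10.0.0.40 GET http://wmkdi.su/ 203.0.113.9
1376000006.777 10.0.0.52 POST http://newname.example/pony/gate.php 94.102.51.123
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Running it over the sample flags five of the six lines: the alternate domain on line 3 is mapped back to the redwine gate, the Cloudflare-proxied sloodam.in request is caught by host and path alone, the bare visit to wmkdi.su is only a medium-confidence domain hit, and the last line shows why the IP index is kept even though the page's domain list will go stale first.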

203.81.204.105 (14k Linux bots, hosted in Pakistan, Karachi, South Cmbroadband NOC)

Big hackers, big net. Thanks to loadx and Yewnix for the ownage and for exposing them. Everything is inside the (UnrealIRCd-style) config file:
/* Type of comments */
#Comment type 1 (Shell type)
// Comment type 2 (C++ style)
/* Comment type 3 (C style) */
#those lines are ignored by the ircd.
loadmodule "src/modules/commands.so";
#loadmodule "cloak.dll";
#include