I_Post_Ur_Info

trik.su (Snk aspermod irc botnet hosted by midphase.com)

Resolved trik.su to 174.127.123.4

Server:  trik.su
Port:  5050
Channel:  #trk
Topic:  #trk :.j #upd .u trk2 /120/126/99/107/25/61/37/112/72/120/110/67/113/123/122/115/35/64/118/114/35/123/85/74/78/111/125/83/8/55/46/39/32/63/42/55/63/35/44/11/42/38/32/37/120/110/121/
Channel:  #upd
Topic:  #upd :.u trk2 /120/126/99/107/25/61/37/103/86/99/120/83/100/118/123/98/98/13/108/108/35/123/85/74/15/107/97/69/

Hosting info: http://whois.domaintools.com/174.127.123.4

Related md5s (Download samples from Malwr.com)
Aspermod: 1f876d3830527f22f84205069695d3d2

vvvhhhccc.com (Betabot http botnet hosted by dacentec.com)

Resolved vvvhhhccc.com to 192.111.153.98

Server:  vvvhhhccc.com
Gate file:  /8/8/8/be/order.php
Alternate domains: virusprotect.su virus-protector.net latinodancewears.com.vn

He has a Plasma HTTP botnet on the same domain that he is using to mine Dogecoins.
Gate file:  /8/8/plasma/login.php

Hosting info: http://whois.domaintools.com/192.111.153.98

Related md5s (Download samples from Malwr.com)
Betabot: a58ddb7a7a3b823ff0ddd541f136d9f4
Plasma: 401459ef275cf0639a855a4dff234bf5

Mining info: Stratum+tcp://pool.dogechain.info:3333 -u latinodresses.plasmahttp -p x

199.187.121.82 (pBots hosted by databasebydesignllc.com)

Server:  199.187.121.82
Port:  7802

* There are 1 users and 3702 invisible on 1 servers
* 127 :unknown connection(s)
* 2 :channels formed
* I have 3703 clients and 0 servers
* Current Local Users: 3703  Max: 3785
* Current Global Users: 3703  Max: 3785

Channel:  #bom#

Channel  Users  Topic
#sick#   341    [+smntMu]
#bom#    3385

googleisearch.com (ferret DDOS botnet hosted by sigmait.dk)

Resolved googleisearch.com to 195.20.141.115

Server:  googleisearch.com
Gate file:  /tmp/search.php

The panel is version 2.2, indicating continued development since its discovery.

Hosting info: http://whois.domaintools.com/195.20.141.115

Related md5s (Download samples from Malwr.com)
Ferret: bcf167ad78a41f695b766531ed3a6fea

iappleblog.net (Betabot http botnet hosted by ubris-hosting.com)

Resolved iappleblog.net to 37.9.55.98

Server:  iappleblog.net
Gate file:  /img/beta/order.php
Alternate domains: iapplegeek.com androidistore.net

This is the first Betabot 1.7 I've seen in the wild. Thanks to Xylitol for the C&C info. Looks like the network signatures need to be updated.

Hosting info: http://whois.domaintools.com/37.9.55.98

Related md5s (Download sample from Malwr.com)
Betabot: 5f3b16af36bfa193a222222035c7321c

93.174.94.158 (Linux Perl bots hosted by Ecatel.net)

Server:  93.174.94.158
Port:  6667

* There are 1 users and 3854 invisible on 1 servers
* 24 :unknown connection(s)
* 45 :channels formed
* I have 3855 clients and 0 servers
* 3855 15196 :Current local users 3855, max 15196
* 3855 5212 :Current global users 3855, max 5212

Channel:  #X (Perl bots)

Bot Source

uploadwith.me (Betabot http botnet hosted by datashack.net)

Resolved uploadwith.me to 63.141.233.107

Server:  uploadwith.me
Gate file:  /ashg653/order.php
Alternate domain: strike-file-hosting.us

Hosting info:  http://whois.domaintools.com/63.141.233.107

Notice anything interesting about this IP?

CustName: Chris Gravenstein
Address: 201 E. 16th st
City: North Kansas City
StateProv: MO
PostalCode: 64116
Country: US
RegDate: 2013-10-21
Updated: 2013-10-21
Ref: http://whois.arin.net/rest/customer/C04738525

That's right, Chris Gravenstein, aka digital has managed to top

illuminati.sx (Plasma http botnet hosted by worldstream.nl)

Resolved illuminati.sx to 109.236.80.74

Server:  illuminati.sx
Gate file:  /http/gate.php

This is the first time I have seen the HTTP version of Plasma, and it sucks hard. It seems to be a slightly upgraded version of the old Barracuda HTTP bot, with few of the problems fixed.

Hosting info: http://whois.domaintools.com/109.236.80.74

Bitcoin mining info: miner.start http://109.236.80.74/miner/CPUMiner.files *-a
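Every entry on this page carries the same handful of fields: the resolved domain and IP, server, port, gate file, alternate domains, sample md5s, the IRC LUSERS counts for the IRC C&Cs and the stratum pool string where a miner is dropped. Below is an added example, not part of the original post, that pulls those indicators out of an entry and flattens several entries into (type, value) pairs ready for a blocklist or a detection feed. The two sample entries are copied from the vvvhhhccc.com and 93.174.94.158 write-ups above; the field-label regexes are an assumption based on how this post is laid out and would need adjusting for a differently formatted write-up.

```python
"""Pull indicators out of an I_Post_Ur_Info style C&C write-up.

Added example, not part of the original post. The regexes assume the field
labels used in this post ("Resolved X to IP", "Server:", "Port:", "Gate file:",
"Alternate domain(s):", "Channel:", IRC LUSERS replies, stratum pool strings).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"
DOMAIN_RE = r"[a-z0-9-]+(?:\.[a-z0-9-]+)+"

# Sample entries copied from the vvvhhhccc.com and 93.174.94.158 posts above.
SAMPLE_HTTP = """Resolved vvvhhhccc.com to 192.111.153.98
Server:  vvvhhhccc.com
Gate file:  /8/8/8/be/order.php
Alternate domains: virusprotect.su virus-protector.net latinodancewears.com.vn
He has a Plasma HTTP botnet on the same domain that he is using to mine Dogecoins.
Gate file:  /8/8/plasma/login.php
Hosting info: http://whois.domaintools.com/192.111.153.98
Related md5s (Download samples from Malwr.com)
Betabot: a58ddb7a7a3b823ff0ddd541f136d9f4
Plasma: 401459ef275cf0639a855a4dff234bf5
Mining info: Stratum+tcp://pool.dogechain.info:3333 -u latinodresses.plasmahttp -p x
"""

SAMPLE_IRC = """Server:  93.174.94.158
Port:  6667
* There are 1 users and 3854 invisible on 1 servers
* 45 :channels formed
* I have 3855 clients and 0 servers
Channel:  #X (Perl bots)
"""


@dataclass
class Indicators:
    kind: str = "unknown"                 # "irc" or "http", inferred from the fields present
    domain: Optional[str] = None
    ip: Optional[str] = None
    port: Optional[int] = None
    channels: List[str] = field(default_factory=list)
    gate_files: List[str] = field(default_factory=list)
    alt_domains: List[str] = field(default_factory=list)
    md5s: List[str] = field(default_factory=list)
    irc_clients: Optional[int] = None     # from the LUSERS "I have N clients" reply
    stratum_pools: List[str] = field(default_factory=list)
    miner_workers: List[str] = field(default_factory=list)   # the "-u" worker name


def parse_entry(text: str) -> Indicators:
    ind = Indicators()
    m = re.search(rf"Resolved (\S+) to ({IP_RE})", text)
    if m:
        ind.domain, ind.ip = m.group(1), m.group(2)
    # "Server:" is a hostname for the HTTP panels and a bare IP for the IRC servers.
    m = re.search(r"Server:\s+(\S+)", text)
    if m:
        if re.fullmatch(IP_RE, m.group(1)):
            ind.ip = ind.ip or m.group(1)
        else:
            ind.domain = ind.domain or m.group(1)
    m = re.search(r"Port:\s+(\d+)", text)
    if m:
        ind.port = int(m.group(1))
    ind.channels = sorted(set(re.findall(r"Channel:\s+(#\S+)", text)))
    ind.gate_files = re.findall(r"Gate file:\s+(/\S+)", text)
    # The domain list runs until the first token that is not shaped like a hostname.
    m = re.search(rf"Alternate domains?:\s+((?:{DOMAIN_RE}\s*)+)", text)
    if m:
        ind.alt_domains = m.group(1).split()
    ind.md5s = re.findall(r"\b[0-9a-f]{32}\b", text)
    m = re.search(r"I have (\d+) clients and \d+ servers", text)
    if m:
        ind.irc_clients = int(m.group(1))
    ind.stratum_pools = re.findall(r"(?i)stratum\+tcp://\S+", text)
    ind.miner_workers = re.findall(r"(?<!\S)-u\s+(\S+)", text)
    if ind.channels or ind.irc_clients is not None:
        ind.kind = "irc"
    elif ind.gate_files:
        ind.kind = "http"
    return ind


def collect(entries: List[str]) -> Set[Tuple[str, str]]:
    """Flatten several entries into (type, value) pairs for a blocklist feed."""
    out: Set[Tuple[str, str]] = set()
    for ind in map(parse_entry, entries):
        if ind.ip:
            out.add(("ip", ind.ip))
        for d in filter(None, [ind.domain, *ind.alt_domains]):
            out.add(("domain", d))
        for h in ind.md5s:
            out.add(("md5", h))
        for p in ind.stratum_pools:
            out.add(("stratum", p))
    return out
```

The IRC client count is worth keeping next to the IP: "I have 3855 clients" on a single-server network is the bot population at the time of the snapshot, which is what separates a live C&C from a leftover domain. The miner worker name is kept for the same reason as the gate path: it is chosen by the operator and tends to be reused across rebuilds even when the hosting moves.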