Andromeda Bot

skyline2050.net (Andromeda http botnet hosted by infiumhost.com)

Resolved skyline2050.net to 188.190.127.160
Server: skyline2050.net
Gate file: /761994/gate.php
This is Andromeda 2.07, not the cracked 2.06. You can tell by the admin page, which is located at /adm.php rather than on the index page. The owner of this betabot is switching over to this Andromeda and abandoning the betabot.
Mining info: dum:dum@s5.6d6f6e65797072696e746572.com:3333 (the hex-encoded label decodes to "moneyprinter", i.e. s5.moneyprinter.com)
Hosting info: http://whois.domaintools.com/188.190.127.160
Related md5s (search on malwr.com

www.mydowncenter.me (Andromeda http botnet hosted by pw-service.com)

Resolved www.mydowncenter.me to 37.0.122.132
Server: www.mydowncenter.me
Gate file: /andro/image.php
Plugins:
Rootkit: hxxp://www.mydowncenter.me/andro/r.pack
Socks: hxxp://www.mydowncenter.me/andro/s.pack
Formgrabber: hxxp://www.mydowncenter.me/andro/f.pack
Formgrabber gate file: /andro/fg.php
Hosting info: http://whois.domaintools.com/37.0.122.132
Related md5s (search on malwr.com to download the samples):
Andromeda: a26ffa2c7bd0e7899b04768f9e76a938

www.welovegiveaways.net (Andromeda http botnet hosted by enzu.com)

Resolved www.welovegiveaways.net to 199.229.235.250
Server: www.welovegiveaways.net
Gate file: /justricewithwater/image.php
Plugins:
Rootkit: hxxp://www.welovegiveaways.net/justricewithwater/r.pack
Bitcoin mining info (two miner command lines, the leading path of the binary stripped):
Shell.exe -o stratum+tcp://stratum.bitcoin.cz:3333 -u vovler.split1 -p none -t 0 -I 10
macromedia.exe -o stratum+tcp://stratum.bitcoin.cz:3333 -u vovler.split1 -p none -g no
Hosting info: http://whois.domaintools.com/199.229.235.250

www.istanbulnakliyecileri.com (Andromeda http botnet hosted by ozkula.com.tr)

Resolved www.istanbulnakliyecileri.com to 37.247.108.48
Server: www.istanbulnakliyecileri.com
Gate file: /firmalar/and/image.php
Plugins:
Rootkit: hxxp://www.istanbulnakliyecileri.com/firmalar/and/r.pack
Socks: hxxp://www.istanbulnakliyecileri.com/firmalar/and/s.pack
Formgrabber: hxxp://www.istanbulnakliyecileri.com/firmalar/and/f.pack
Formgrabber gate file: hxxp://www.istanbulnakliyecileri.com/firmalar/and/fg.php
This appears to be hosted on a hacked site.
Hosting info: http://whois.domaintools.com/37.247.108.48
Related md5s (search on malwr.com to download the samples): 8709c21be7d72c8ec8aaaa55ccc64b84

solutionswiki.com (Andromeda http botnet hosted by alibabahost.com)

Resolved solutionswiki.com to 109.163.233.107
Server: solutionswiki.com
Gate file: /pages/image.php
There is also a betabot hosted on the same domain.
Mining info: dasHosts.exe -a scrypt-jane -o http://37.221.170.226:8344 -O YFicRwX9HpMkVovPPWG3NAJ9Tpom3YeXqC:x
Hosting info: http://whois.domaintools.com/109.163.233.107

www.panel-gc.co.uk (Andromeda http botnet hosted by staminus.net)

Resolved www.panel-gc.co.uk to 69.197.35.109
Server: www.panel-gc.co.uk
Gate file: /panel/gate.php
Plugins:
hxxp://www.panel-gc.co.uk/panel/fg_00eaffaa.mod
hxxp://www.panel-gc.co.uk/panel/rk_242fc383.mod
hxxp://www.panel-gc.co.uk/panel/s4_1829dbd8.mod
This is Andromeda 2.07, not the older cracked version.
Bitcoin mining info: -o http://us1.eclipsemc.com:8337 -u Jackpont_1 -p gizmooclad971 -k diablo
Hosting info: http://whois.domaintools.com/69.197.35.109

betabros.in (Several http botnets hosted by hostkey.ru)

Resolved betabros.in to 146.0.78.4
Server: betabros.in
Gate file: /beta/order.php
The owner should keep a closer eye on the fake forum he set up for cover: 1071 pages of pharmacy spam and counting.
Hosting info: http://whois.domaintools.com/146.0.78.4
EDIT: Bitcoin and litecoin mining.
macromedia.exe -a scrypt -o http://us.litecoinpool.org:9332 -u marvid.disfig -p x
shell.exe -o stratum+tcp://stratum.btcguild.com:3333 -u vapor_3 -p x
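The miner command lines and the user:pass@host:port pool spec quoted in the entries above (skyline2050.net, welovegiveaways.net, solutionswiki.com, panel-gc.co.uk, betabros.in) are the most reusable indicators on this page: the pool host and worker credentials survive repacking of the dropper. The script below is an added example, not part of the original tracker page or of any of the botnets' own code. It parses cgminer/cpuminer-style command lines into pool host, port, scheme, credentials and algorithm, decodes hex-encoded DNS labels such as the 6d6f6e65797072696e746572 label in the skyline2050.net pool spec, and collects the unique pool endpoints for blocklisting. The sample commands are transcribed from the entries above with the stray quote marks dropped; the flag table, the hex-label heuristic (labels of at least 8 hex characters that decode to printable hostname characters) and all function names are this example's own assumptions.

```python
import re
import shlex
import string
from urllib.parse import urlparse

# Miner command lines transcribed from the tracker entries above (constructed sample
# input for this example; binary paths were already stripped in the original dumps).
SAMPLE_COMMANDS = [
    "Shell.exe -o stratum+tcp://stratum.bitcoin.cz:3333 -u vovler.split1 -p none -t 0 -I 10",
    "macromedia.exe -o stratum+tcp://stratum.bitcoin.cz:3333 -u vovler.split1 -p none -g no",
    "dasHosts.exe -a scrypt-jane -o http://37.221.170.226:8344 -O YFicRwX9HpMkVovPPWG3NAJ9Tpom3YeXqC:x",
    "-o http://us1.eclipsemc.com:8337 -u Jackpont_1 -p gizmooclad971 -k diablo",
    "macromedia.exe -a scrypt -o http://us.litecoinpool.org:9332 -u marvid.disfig -p x",
    "shell.exe -o stratum+tcp://stratum.btcguild.com:3333 -u vapor_3 -p x",
]

# Flags that take a value (assumed subset of cgminer/cpuminer options); any other
# token, e.g. "-g no", is skipped rather than rejected.
VALUE_FLAGS = {
    "-o": "pool_url", "-u": "user", "-p": "password",
    "-O": "userpass",  # "user:pass" in a single argument
    "-a": "algo", "-k": "kernel", "-t": "threads", "-I": "intensity",
}

HEX_CHARS = set(string.hexdigits)
HOST_CHARS = set(string.ascii_letters + string.digits + "-")


def decode_hex_labels(host):
    """Decode DNS labels that are pure hex (>= 8 chars, even length) into ASCII.

    Heuristic assumed for this example: a decoded label is only accepted if it
    consists entirely of hostname characters, so real hostnames stay untouched.
    """
    out = []
    for label in host.split("."):
        if len(label) >= 8 and len(label) % 2 == 0 and set(label) <= HEX_CHARS:
            text = bytes.fromhex(label).decode("ascii", errors="replace")
            if set(text) <= HOST_CHARS:
                label = text
        out.append(label)
    return ".".join(out)


def parse_miner_cmdline(cmd):
    """Extract binary, pool endpoint, credentials and algorithm from one command line."""
    tokens = shlex.split(cmd)
    info = {"binary": None, "scheme": None, "pool_host": None, "pool_port": None,
            "user": None, "password": None, "algo": None, "kernel": None}
    if tokens and not tokens[0].startswith("-"):
        info["binary"] = tokens.pop(0)  # panel-gc.co.uk entry has no binary at all
    fields = {}
    i = 0
    while i < len(tokens):
        key = VALUE_FLAGS.get(tokens[i])
        if key and i + 1 < len(tokens):
            fields[key] = tokens[i + 1]
            i += 2
        else:
            i += 1  # boolean or unknown flag
    if "userpass" in fields:  # -O user:pass, as in the solutionswiki.com entry
        user, _, password = fields["userpass"].partition(":")
        fields.setdefault("user", user)
        fields.setdefault("password", password)
    if "pool_url" in fields:
        url = urlparse(fields["pool_url"])  # urlsplit parses netloc for any scheme
        info["scheme"] = url.scheme
        info["pool_host"] = decode_hex_labels(url.hostname or "")
        info["pool_port"] = url.port
    for key in ("user", "password", "algo", "kernel"):
        info[key] = fields.get(key)
    return info


# "user:pass@host:port" as written in the skyline2050.net entry
POOL_SPEC = re.compile(
    r"^(?:(?P<user>[^:@]+)(?::(?P<password>[^@]*))?@)?(?P<host>[^:/@]+)(?::(?P<port>\d+))?$")


def parse_pool_spec(spec):
    """Parse a bare pool spec (no miner flags) into the same field names."""
    m = POOL_SPEC.match(spec)
    if not m:
        raise ValueError(f"unrecognised pool spec: {spec!r}")
    return {"user": m["user"], "password": m["password"],
            "pool_host": decode_hex_labels(m["host"]),
            "pool_port": int(m["port"]) if m["port"] else None}


def unique_pools(cmds):
    """Set of (host, port) pool endpoints across many command lines, for a blocklist."""
    pools = set()
    for cmd in cmds:
        info = parse_miner_cmdline(cmd)
        if info["pool_host"]:
            pools.add((info["pool_host"], info["pool_port"]))
    return pools


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(parse_miner_cmdline(cmd))
    print(parse_pool_spec("dum:dum@s5.6d6f6e65797072696e746572.com:3333"))
    print(sorted(unique_pools(SAMPLE_COMMANDS), key=str))
```

Worker names (vovler.split1, marvid.disfig, vapor_3) are worth keeping alongside the pool host: operators reuse them across campaigns, so they link otherwise unrelated droppers more reliably than the frequently rotated C2 domains.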