beta bot

sinsec.net (Betabot http botnet hosted by alibabahost.com)

Resolved sinsec.net to 37.221.170.96
Server: sinsec.net
Gate file: /turndown/order.php
Alternate domains:
divinestresser.info
radicalpkz.com
perp.pw
thefox.pw
uploadme.pw
perp.se
Domain info: sinsec.net
Domain Name: SINSEC.NET
Registry Domain ID: 1814650535_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2013-07-12 10:27:24Z
Creation Date: 2013-07-12 17:27:00Z
Registrar Registration Expiration Date: 2014-07-12 17:27:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48

api.wifi-update.biz (Betabot http botnet hosted by oneandone.net)

Resolved api.wifi-update.biz to 87.106.241.22
Server: api.wifi-update.biz
Gate file: /cdn/img.php
Alternate domains:
api-radio-def.de
api.lul.pw
api.tba.pw
Domain info: wifi-update.biz
Domain Name: WIFI-UPDATE.BIZ
Domain ID: D58641421-BIZ
Sponsoring Registrar: BIZCN.COM, INC.
Sponsoring Registrar IANA ID: 471
Registrar URL (registration services): www.bizcn.com
Domain Status: clientTransferProhibited
Registrant ID: ORGEH90335606834
Registrant Name: Erkki Hagstrom
Registrant Organization: ErkkiHagstrom
Registrant Address1: Gesterbyntie 51
Registrant

frizzcams.com (Betabot http botnet hosted by Balticservers.com)

Resolved frizzcams.com to 5.199.165.239
Server: frizzcams.com
Gate file: /beta/order.php
Alternate domains:
fapncam.com
proxypool.info
update-silo.com
This has the same C&C domains as this betabot, just in a different order. It is involved in spreading a YouTube view-boosting bot.
Domain info: frizzcams.com
Domain Name: FRIZZCAMS.COM
Registrar: MONIKER ONLINE SERVICES LLC
Registrant [4327848]: Moniker Privacy Services FRIZZCAMS.COM@monikerprivacy.net
Moniker

b.mypaintdressk13.com (Betabot http botnet hosted by sprintdatacenter.pl)

Resolved b.mypaintdressk13.com to 188.68.255.207
Server: b.mypaintdressk13.com
Gate file: /direct/mail/order.php
Alternate domains:
b.dietmydartk5.com
b.pixartzonek4.com
b.stop2teasemek3.com
b.thegamejuststarted10k12.com
b.thegamejuststarted11k7.com
b.thegamejuststarted12k11.com
b.thegamejuststarted13k8.com
b.thegamejuststarted14k9.com
b.thegamejuststarted15k10.com
b.uandmearevideos1k1.com
b.uandmearevideos2k2.com
Hosting info: http://whois.domaintools.com/188.68.255.207
Related md5s (download samples from Malwr.com)
Betabot: 9085ab7965bc67c6a8a6f2c83a22fb49

seosaw.pw (Betabot http botnet hosted by plusserver.de)

Resolved seosaw.pw to 188.138.125.103
Server: seosaw.pw
Gate file: /wq782jwoqkQy19qkdh27hqudqj/order.php
Alternate domains:
microsoftgo.pw
updateom.info
seosaw.info
googlerw.info
Downloads what looks like Sefnit from hxxp://now.googlefast.pw/remote/index.php?u=48&istan
Hosting info: http://whois.domaintools.com/188.138.125.103
Related md5s (download samples from Malwr.com)
Betabot: daee8c5056fbbf1964588e70cb371fae
Sefnit: b99ed8704716ab6ff273e3dc66fe3cfb

vvvhhhccc.com (Betabot http botnet hosted by dacentec.com)

Resolved vvvhhhccc.com to 192.111.153.98
Server: vvvhhhccc.com
Gate file: /8/8/8/be/order.php
Alternate domains:
virusprotect.su
virus-protector.net
latinodancewears.com.vn
The same operator runs a Plasma HTTP botnet on this domain, which he is using to mine Dogecoin.
Gate file: /8/8/plasma/login.php
Hosting info: http://whois.domaintools.com/192.111.153.98
Related md5s (download samples from Malwr.com)
Betabot: a58ddb7a7a3b823ff0ddd541f136d9f4
Plasma: 401459ef275cf0639a855a4dff234bf5
Mining info: stratum+tcp://pool.dogechain.info:3333 -u latinodresses.plasmahttp -p x
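The entries above are a flat list of indicators (C&C hosts, resolved IPs, gate files, alternate domains, sample MD5s and the Plasma mining pool). The script below, added here as an example and not part of the original post, turns them into a small matcher that can be run over proxy logs, file hashes and outbound connections. It assumes the log line format shown in SAMPLE_LOG (constructed for this example) and assumes that an alternate domain serves the same gate path as the primary host it is listed with; the post lists them together but does not state that. Requests to a known IP are mapped back to the domain it resolved to at the time of the post.

```python
"""Match the Betabot / Plasma / Sefnit indicators from the tracker entries above
against constructed proxy log lines, file hashes and outbound connections.
Added example; the log lines in SAMPLE_LOG are constructed, not real traffic."""
import re
from urllib.parse import urlsplit

# Primary C&C hosts and the IPs they resolved to when the entries were written.
RESOLVED = {
    "sinsec.net": "37.221.170.96",
    "api.wifi-update.biz": "87.106.241.22",
    "frizzcams.com": "5.199.165.239",
    "b.mypaintdressk13.com": "188.68.255.207",
    "seosaw.pw": "188.138.125.103",
    "vvvhhhccc.com": "192.111.153.98",
}
IP_TO_HOST = {ip: host for host, ip in RESOLVED.items()}

# (host, gate path) -> family. vvvhhhccc.com also carries the Plasma gate.
GATES = {
    ("sinsec.net", "/turndown/order.php"): "Betabot",
    ("api.wifi-update.biz", "/cdn/img.php"): "Betabot",
    ("frizzcams.com", "/beta/order.php"): "Betabot",
    ("b.mypaintdressk13.com", "/direct/mail/order.php"): "Betabot",
    ("seosaw.pw", "/wq782jwoqkQy19qkdh27hqudqj/order.php"): "Betabot",
    ("vvvhhhccc.com", "/8/8/8/be/order.php"): "Betabot",
    ("vvvhhhccc.com", "/8/8/plasma/login.php"): "Plasma",
}

# Alternate domain -> primary host. ASSUMPTION: an alternate domain serves the
# same gate path as its primary; the entries list them together but do not say so.
ALIASES = {}
for _primary, _alts in {
    "sinsec.net": "divinestresser.info radicalpkz.com perp.pw thefox.pw uploadme.pw perp.se",
    "api.wifi-update.biz": "api-radio-def.de api.lul.pw api.tba.pw",
    "frizzcams.com": "fapncam.com proxypool.info update-silo.com",
    "b.mypaintdressk13.com": ("b.dietmydartk5.com b.pixartzonek4.com b.stop2teasemek3.com "
                              "b.thegamejuststarted10k12.com b.thegamejuststarted11k7.com "
                              "b.thegamejuststarted12k11.com b.thegamejuststarted13k8.com "
                              "b.thegamejuststarted14k9.com b.thegamejuststarted15k10.com "
                              "b.uandmearevideos1k1.com b.uandmearevideos2k2.com"),
    "seosaw.pw": "microsoftgo.pw updateom.info seosaw.info googlerw.info",
    "vvvhhhccc.com": "virusprotect.su virus-protector.net latinodancewears.com.vn",
}.items():
    for _alt in _alts.split():
        ALIASES[_alt] = _primary

# Hosts that are not gates but still indicate an infection (Sefnit download host).
OTHER_HOSTS = {"now.googlefast.pw": "Sefnit"}

MD5S = {
    "9085ab7965bc67c6a8a6f2c83a22fb49": "Betabot",
    "daee8c5056fbbf1964588e70cb371fae": "Betabot",
    "b99ed8704716ab6ff273e3dc66fe3cfb": "Sefnit",
    "a58ddb7a7a3b823ff0ddd541f136d9f4": "Betabot",
    "401459ef275cf0639a855a4dff234bf5": "Plasma",
}
MINING_POOLS = {("pool.dogechain.info", 3333)}


def canonical_host(host):
    """Map a raw host (domain, alternate domain or resolved IP) to its primary C&C host."""
    host = host.lower().rstrip(".")
    return IP_TO_HOST.get(host) or ALIASES.get(host) or host


def classify_url(url):
    """Return ('gate', family) for a hit on a gate file, ('known-host', family) for any
    other request to a listed host, or None when the URL matches nothing."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    host = canonical_host(parts.hostname)
    family = GATES.get((host, parts.path))
    if family:
        return ("gate", family)
    if host in RESOLVED:
        return ("known-host", "Betabot")
    if host in OTHER_HOSTS:
        return ("known-host", OTHER_HOSTS[host])
    return None


# Constructed log format: <timestamp> <client ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines):
    """Return one hit dict per log line whose URL matches a listed indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify_url(m["url"])
        if verdict:
            hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"],
                         "label": verdict[0], "family": verdict[1]})
    return hits


def check_hash(md5):
    """Return the family for a listed sample hash, or None."""
    return MD5S.get(md5.strip().lower())


def is_mining_pool(host, port):
    """True when an outbound connection matches the Plasma stratum pool above."""
    return (host.lower(), int(port)) in MINING_POOLS


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
2014-02-03T10:00:01Z 10.0.0.5 POST http://sinsec.net/turndown/order.php 200
2014-02-03T10:00:07Z 10.0.0.5 GET http://now.googlefast.pw/remote/index.php?u=48&istan 200
2014-02-03T10:01:12Z 10.0.0.9 GET http://www.example.com/index.html 200
2014-02-03T10:02:30Z 10.0.0.9 POST http://192.111.153.98/8/8/plasma/login.php 200
2014-02-03T10:03:44Z 10.0.0.12 GET http://api.lul.pw/cdn/img.php 404
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

A gate hit on a client is the strongest signal here because it is the host plus the exact check-in path; a request to a listed host with any other path, or to the Sefnit download host, is weaker and worth a look rather than an automatic verdict. The IP-to-host mapping only holds for the resolutions recorded in the entries, so re-resolve before reusing it later.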