h4r3

Betabot botnets linked to hackforums users

So if you have been following my posts on this blog, you may have noticed a large number of posts about the “betabot” malware. Betabot is an HTTP bot which is sold on hackforums.net. Despite a number of complaints about serious stability issues, it has become popular with some of the more dedicated script kiddy

bid.consulting-info.eu (Click fraud botnet hosted by quadranet.com)

Resolved bid.consulting-info.eu to s1.fclick.org (cname)
Resolved s1.fclick.org to 96.44.149.187
Server: bid.consulting-info.eu
Gate file: /feed/xml.php?uid=219
More click fraud courtesy of French hecker h4r3. This time it looks a bit more sophisticated though. I’m assuming this is an affiliate program, as while it’s using h4r3’s domain it points to another site. If you search for

honey.punked.us (Andromeda http botnet hosted by kimsufi.com)

Resolved honey.punked.us to 94.23.213.78
Server: honey.punked.us
Gate file: /sex/image.php
Plugins:
Rootkit: http://doncarlosmayorista.com/.sec/r.pack
Socks: http://doncarlosmayorista.com/.sec/s.pack
Formgrabber: http://doncarlosmayorista.com/.sec/f.pack
Gate file: honey.punked.us/sex/fg.php
This is the new Andromeda of the French hecker h4r3. Now he’s using cracked Andromeda with free domains.
Hosting info: http://whois.domaintools.com/94.23.213.78

zxz.consulting-info.eu (Multiple http botnets hosted by France Roubaix Ovh Sas)

Resolved zxz.consulting-info.eu to 5.39.71.80
This is the French hecker known as h4r3, who has been posted before.
Andromeda
This is the same Andromeda net that was posted before, just with the rest of the domains.
Previous/disabled domains: vvv.exp1oit.in, xxx.be-shopping.net
Current domain: zxz.consulting-info.eu
Gate file: /service/image.php
Plugins:
Rootkit: tbontepaard.nl/gllr/r.pack
Socks: tbontepaard.nl/gllr/s.pack
kbot
Server: zxz.consulting-info.eu
Gate

vvv.exp1oit.in (Andromeda http hosted by France Roubaix Ovh Sas)

Resolved vvv.exp1oit.in to 178.33.241.61
This is the new Andromeda of the French guy. It is the full version with all of the plugins.
Server: vvv.exp1oit.in
Gate file: /google/image.php
Plugins:
Formgrabber: beautyoftheworld.ca/xs/f.pack
Gate file: /google/fg.php
Socks: beautyoftheworld.ca/xs/s.pack
Rootkit: beautyoftheworld.ca/xs/r.pack
Downloads files from hxxp://jamboproducciones.com/xs/ and hxxp://ez-cs.net/dk/
He also has a new Smoke Loader up
Server: smk.cheatgame.org
Gate

cheatmodernwarfare.com (Multiple http bots hosted by Romania Torben Diehr)

Posting some French hecker’s stuff
Andromeda loader
Server: cheatmodernwarfare.com
Gate file: /xbox/image.php
Rootkit plugin: hxxp://magnatesmobileapps.com/sym/r.pack
Socks plugin: hxxp://magnatesmobileapps.com/sym/s.pack
Backup domains: down4life.hopto.org, explosiontaracesavatoutdechirer.chickenkiller.com, fckd330.mooo.com
kbot
Server: h4r3.hopto.org (redirects to kb.itprosolutions.org)
Gate file: /joomla/gate.php
Server: purenet.hopto.org (redirects to 91.234.105.14)
Gate file: /kb/gate.php
Server: smk.cheatgame.org
Gate file: /kb/gate.php
Smoke loader (currently down)
Server: smk.cheatmodernwarfare.com
Gate file: /s2/control.php
Hostbooter

bb.qc.to (IRC botnets hosted by France Roubaix Ovh Systems)

Resolved bb.qc.to to 37.59.35.104
Server: bb.qc.to
Port: 7356
Password: d0wn
* There are 1 users and 896 invisible on 1 servers
* 4 :unknown connection(s)
* 41 :channels formed
* I have 897 clients and 0 servers
* Current Local Users: 897  Max: 1356
* Current Global Users: 897  Max: 1356
Channel: #d0wn4l1f3
Pass: down