snk

trik.su (Snk aspermod irc botnet hosted by midphase.com)

Resolved trik.su to 174.127.123.4
Server: trik.su
Port: 5050
Channel: #trk
#trk :.j #upd .u trk2 /120/126/99/107/25/61/37/112/72/120/110/67/113/123/122/115/35/64/118/114/35/123/85/74/78/111/125/83/8/55/46/39/32/63/42/55/63/35/44/11/42/38/32/37/120/110/121/
Channel: #upd
#upd :.u trk2 /120/126/99/107/25/61/37/103/86/99/120/83/100/118/123/98/98/13/108/108/35/123/85/74/15/107/97/69/
Hosting info: http://whois.domaintools.com/174.127.123.4
Related md5s (download samples from Malwr.com):
Aspermod: 1f876d3830527f22f84205069695d3d2

botbox.su (Snk Aspermod irc botnet hosted by scopehosts.com)

Resolved botbox.su to 95.211.187.5
Server: boxbot.su
Port: 5050
Channel: #spm
#spm :.s.a /104/115/120/99/34/45/56/57/52/38/57/20/21/36/21/45/36/56/44/32/50/49/107/97/8/67/102/120/ /104/115/120/99/34/45/56/57/52/38/57/20/21/36/21/45/36/56/44/32/50/49/ 481 408w4wf058939393020384493ds
Hosting infos: http://whois.domaintools.com/95.211.187.5
Related md5s (search on Malwr.com to download samples):
Aspermod: a61efce0696000bc4f2ee3791918b02d

spambox.su (snk aspermod irc botnet hosted by Cityline Ltd)

Resolved spambox.su to 95.215.70.66
Server: spambox.su
Port: 5050
Channel: #b600
Now talking on #b600
Topic for #b600 is: .j #sending
Topic for #b600 set by x (Sat Aug 10 05:38:20 2013)
Hosting infos: http://whois.domaintools.com/95.215.70.66
Related md5s (search on malwr.com to download samples):
Asper mod: b1abf1aaa62115c53184e34190aa114e

srv1.su (Betabot http botnet hosted by softronics.ch)

Resolved srv1.su to 94.242.198.65
Server: srv1.su
Gate file: /b/order.php
Everyone should congratulate snk, who has taken his first baby steps into the 21st century by using an HTTP bot. Unfortunately for him he chose to use the l33t Hackforums bot Betabot with a 1 MB stub AutoIt crypter, but I guess he can only manage to

srv1.su (snk's botnet hosted in Luxembourg, Steinsel, Root Sa)

The bot is downloaded by this AutoIt sample: hxxp://sglegacy.com/AA/dava.exe, which looks like an HTTP AutoIt downloader. Login page here: hxxp://www.sglegacy.com/AA/index.php/login
Another sample downloaded by dava.exe is this one: hxxp://la-majeur.com/images/beta.exe (Betabot)
Here is dava.exe decompiled:
$at2 = "0"
$at5 = 0
$at1 = "0"
$at3 = "0"
$avm = "0"
$asb = "0"
$at4 = "0"
#NoTrayIcon
#Region
#AutoIt3Wrapper_UseUpx=n

srv5.su (snk asper mod irc botnet hosted by softronics.ch)

Resolved srv5.su to 94.242.198.64
Server: srv5.su
Port: 5050
Channel: #ok
#ok :.j #spr .j #lock .j #spam
#ok :.d p /100/97/111/124/49/59/47/49/63/38/38/23/37/49/49/41/42/46/40/37/47/36/57/127/114/105/119/81/50/105/98/117/
Downloads hxxp://94.242.198.64/4/smart.exe
Channel: #spr
#spr :.d x /100/97/111/124/49/59/47/49/63/38/38/23/37/49/49/41/42/46/40/37/47/36/57/127/111/122/100/11/121/116/127/
Downloads hxxp://94.242.198.64/4/spra.exe
Channel: #lock
#lock :.d l /100/97/111/124/49/59/47/49/63/38/38/23/37/49/49/41/42/46/40/37/47/36/57/96/112/107/110/11/121/116/127/
Downloads hxxp://94.242.198.64/4/lock.exe (winlocker)
Channel: #spam
#spam :.s.a /100/97/111/124/49/59/47/49/63/38/38/23/37/49/49/41/42/46/40/37/47/36/57/111/119/109/102/78/50/105/98/117/ /100/97/111/124/49/59/47/49/63/38/38/23/37/49/49/41/42/46/40/37/47/36/57/57/48/ 49 meeisodf
Alternate domain: srv50.su
Hosting infos: http://whois.domaintools.com/94.242.198.64

x01bkr2.biz (snk asper mod irc botnet hosted by buyurl.net, alibabahost.com)

Resolved x01bkr2.biz to 94.242.237.128, 37.221.170.208
Server: x01bkr2.biz
Port: 4723
Channel: #o.O
Topic for #o.O is: .dl hxxp://www.mediafire.com/download.php?dqr1p0wz8tpz9tz | .dl hxxp://www.mediafire.com/download.php?uqqhg3equchc7bd
Topic for #o.O set by SpliT at Sat Apr 27 17:57:29 2013
The Skype spreader downloads its messages from hxxp://waxortraxe.org/icon.jpg
Alternate domains: zr0x1b9.biz xkzykxb.biz xeyaz.biz
Hosting infos: http://whois.domaintools.com/94.242.237.128
Hosting infos: http://whois.domaintools.com/37.221.170.208
EDIT: snk is now desperately

x1x4x0.su (snk asper mod irc botnet hosted by oneandone.net)

Server: x1x4x0.su (alternate domain phorpiex.su)
Port: 5050
Channel: #b
Topic for #b is: .j #m .d /100/97/111/124/49/59/47/96/100/124/114/74/123/122/46/115/125/109/49/117/108/63/39/53/40/48/51/16/45/62/35/63/69/107/55/34/37/35/17/44/83/85/100/110/108/61/108/114/122/10/73/102/97/114/
Topic for #b set by x at Mon Mar 11 12:15:31 2013
Channel: #m
Topic for #m is: .s.a /100/97/111/124/49/59/47/58/58/63/58/18/33/47/46/34/35/51/48/34/53/63/102/121/115/105/43/64/100/105/ /100/97/111/124/49/59/47/58/58/63/58/18/33/47/46/34/35/51/48/34/53/63/ 327 pul4rn0t
Topic for #m set by x at Mon Mar 11 12:15:41 2013
Channel: #i
Sample: hxxp://217.160.213.35/pula.exe
Hosting infos: