This site appears to be run by the authors to host their malware. It's
been around for a long time now. I track it on and off to see if they
add any new exploits. Since its inception they have refined the code
and exploits. I've been looking at it for about 8 months on and off,
but I think it's been around a lot longer. Google searches reveal
very little info. There are about 16 or so exploits up on the site at
the moment: Windows Media Player, QuickTime, IE, etc. I've not
looked at all the latest pages yet, so I'm not sure which are new or
not. Detection after 4 months for this exe is good, but there are still
some AV that don't detect it.

hxxp://www.ahack.info
hxxp://www.ahack.info/tds/
hxxp://www.ahack.info/forum/index.php
hxxp://www.ahack.info/ice/exploits/
hxxp://www.ahack.info/ice/index.php/exploits/
hxxp://www.ahack.info/ice/exe.php < exe

I thought it interesting that there was so little on this domain, yet
it has been up for such a long period of time. It is blacklisted by some
RBLs, though that may be due to other sites hosted on the same IP.

http://www.robtex.com/rbl/203.202.239.59.html

/dean

On Fri, Aug 29, 2008 at 11:35 AM, Brack o'Malley <[EMAIL PROTECTED]> wrote:
> Found this IRC-based C&C (yesterday) if anybody wants to go after it. The
> channel was still live as of yesterday morning. It gets delivered as a
> self-extracting RAR file.
>
> [mirc]
> user=Kj6cQa9hFw3tR
> nick=Qd0pAb4xTi3a
> anick=Gg8lNv5rCk7lW
> email=Politia
> host=serveru de ircdSERVER:serveru de ircd:6667GROUP:servere
>
>
>
> Here's the usual server.ini:
> [servers]
> n1=serveru de ircdSERVER:red.box23.de:6667GROUP:servere
> n2=serveru de ircdSERVER:red.box23.de:9999GROUP:servere
> n4=bucharest.ro.eu.undernet.orgSERVER:bucharest.ro.eu.undernet.org:6667GROUP:serveree
> n5=Helsinki.FI.EU.Undernet.orgSERVER:Helsinki.FI.EU.Undernet.orgg:6667GROUP:serveree
> n6=Ede.NL.EU.UnderNet.OrgSERVER:Ede.NL.EU.UnderNet.Org:6667GROUP:serveree
> n7=graz.at.Eu.UnderNet.orgSERVER:217.168.95.245:6667GROUP:serveree
> n8=Helsinki.FI.EU.Undernet.orgSERVER:Helsinki.FI.EU.Undernet.org:6667GROUP:serveree
> n9=London.UK.Eu.UnderNet.orgSERVER:38.114.116.5:6667GROUP:serveree
> n10=London2.UK.EU.Undernet.OrgSERVER:London2.UK.EU.Undernet.Org:6667GROUP:serveree
> n11=Oslo1.NO.EU.undernet.orgSERVER:Oslo1.NO.EU.undernet.org:6667GROUP:serveree
> n12=Oslo2.NO.EU.undernet.orgSERVER:Oslo2.NO.EU.undernet.org:6667GROUP:serveree
> n13=mesa2.az.us.undernet.org:mesa2.az.us.undernet.org:6667GROUP:serveree
> n14=mesa.az.us.undernet.orgSERVER:mesa.az.us.undernet.org:6667GROUP:serveree
> n15=US.Undernet.orgSERVER:66.186.59.50:6667GROUP:serveree
> n16=Diemen.NL.EU.Undernet.OrgSERVER:Diemen.NL.EU.Undernet.Org:6667GROUP:serveree
> n17=eu.Undernet.OrgSERVER:208.83.20.130:6667GROUP:serveree
> n122=Lelystad.NL.EU.UnderNet.OrgSERVER:Lelystad.NL.EU.UnderNet.Org:6667GROUP:serveree
> n121=SantaAna.CA.US.Undernet.orgSERVER:72.51.18.254:6667GROUP:serveree
> n212=Zagreb.Hr.EU.UnderNet.orgSERVER:193.109.122.67:6667GROUP:serveree
> n323=Tampa.FL.US.Undernet.orgSERVER:Tampa.FL.US.Undernet.org:6667GROUP:serveree
> n419=EU, AT,
> DiemenSERVER:Diemen.NL.EU.Undernet.Org:6660-6670,7000GROUP:serveree
> n420=EU, AT,
> ElseneSERVER:Elsene.Be.Eu.undernet.org:6660-6670,7000GROUP:serveree
> n421=EU, AT, GrazSERVER:195.68.221.221:6660-6670,7000GROUP:serveree
> n422=EU, AT, Graz2SERVER:64.18.128.86:6660-6670,7000GROUP:serveree
> n423=EU, AT, GrazSERVER:195.197.175.21:6660-6670,7000GROUP:serveree
> n424=EU, BE, ElseneSERVER:195.144.12.5:6667-6669,7000GROUP:serveree
> n425=EU, HR, ZagrebSERVER:161.53.178.240:6666-6669,9999GROUP:serveree
> n426=EU, NL, AmsterdamSERVER:195.47.220.2:6667GROUP:serveree
> n427=EU, NL, EdeSERVER:193.109.122.67:6666-6669GROUP:serveree
> n428=EU, NO, OsloSERVER:69.16.172.40:6666-6669GROUP:serveree
> n429=US, AZ, MesaSERVER:194.109.20.90:6660,6665-6667,7000GROUP:serveree
> n430=Random EU serverSERVER:eu.undernet.org:6667GROUP:serveree
> n431=Random US serverSERVER:mesa2.az.us.undernet.org:6667GROUP:serveree
> _______________________________________________
> botnets@, the public's dumping ground for maliciousness
> All list and server information are public and available to law enforcement
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
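The quoted [mirc] identity block and servers.ini are the indicators worth pulling out of this sample. What follows is an added example, not code from either post: a Python parser for a mIRC config dump as it arrives in a quoted mail, which strips the "> " markers, rejoins entries the mail client wrapped (the n419 line), copes with the n13 entry that lacks the SERVER keyword, expands port ranges like 6660-6670,7000, and then separates hosts under a public IRC network from everything else. The sample lines are copied from the quoted post above; PUBLIC_NETWORK_SUFFIXES and the choice of which lines to include are my assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# A servers.ini entry as mIRC writes it: the fields are simply concatenated,
#   nN=<description>SERVER:<host>:<ports>GROUP:<group>
# where <ports> is a comma-separated list of ports or ranges ("6660-6670,7000").
# The "|:" alternative covers an entry where the SERVER keyword is missing and
# only a ":" separates description from host (the n13 line in the quoted post).
ENTRY_RE = re.compile(
    r"^n(?P<idx>\d+)=(?P<desc>.*?)(?:SERVER:|:)"
    r"(?P<host>[A-Za-z0-9.\-]+):(?P<ports>[0-9,\-]+)GROUP:(?P<group>\S+)$"
)

# Assumption: hosts under these suffixes belong to public IRC networks rather
# than to infrastructure the bot operator controls. Extend as needed.
PUBLIC_NETWORK_SUFFIXES = ("undernet.org",)


@dataclass(frozen=True)
class ServerEntry:
    index: int
    description: str
    host: str
    ports: tuple
    group: str

    @property
    def is_ip(self):
        try:
            ipaddress.ip_address(self.host)
            return True
        except ValueError:
            return False


def expand_ports(spec):
    """Expand "6660-6670,7000" into an ordered tuple of ints, rejecting junk."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec: {spec!r}")
        ports.extend(range(lo_i, hi_i + 1))
    return tuple(ports)


def parse_mirc_ini(text):
    """Return (identity, servers, unparsed) from a quoted mirc.ini/servers.ini dump.

    Leading "> " quote markers are stripped. In [servers], a physical line that
    does not start a new nN= entry is treated as a mail-client wrap of the
    previous one and glued back on.
    """
    identity, servers, unparsed = {}, [], []
    section, pending = None, None

    def flush():
        nonlocal pending
        if pending is None:
            return
        m = ENTRY_RE.match(pending)
        if m:
            servers.append(ServerEntry(int(m["idx"]), m["desc"].strip(), m["host"],
                                       expand_ports(m["ports"]), m["group"]))
        else:
            unparsed.append(pending)
        pending = None

    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            flush()
            section = line[1:-1].lower()
        elif section == "mirc":
            key, _, value = line.partition("=")
            identity[key.strip()] = value.strip()
        elif section == "servers":
            if re.match(r"n\d+=", line):
                flush()
                pending = line
            elif pending is not None:
                pending += " " + line
            else:
                unparsed.append(line)
    flush()
    return identity, servers, unparsed


def non_public_hosts(servers):
    """Hosts worth chasing: anything not under a public network, plus bare IPs,
    which carry no domain to vouch for them even when the description claims one."""
    return {s.host for s in servers
            if s.is_ip or not s.host.lower().endswith(PUBLIC_NETWORK_SUFFIXES)}


# Lines copied from the quoted post above (including the wrapped n419 entry and
# the n13 entry without the SERVER keyword); which lines to include is my choice.
SAMPLE = """\
> [mirc]
> user=Kj6cQa9hFw3tR
> nick=Qd0pAb4xTi3a
> anick=Gg8lNv5rCk7lW
> email=Politia
> host=serveru de ircdSERVER:serveru de ircd:6667GROUP:servere
>
> [servers]
> n1=serveru de ircdSERVER:red.box23.de:6667GROUP:servere
> n2=serveru de ircdSERVER:red.box23.de:9999GROUP:servere
> n7=graz.at.Eu.UnderNet.orgSERVER:217.168.95.245:6667GROUP:serveree
> n13=mesa2.az.us.undernet.org:mesa2.az.us.undernet.org:6667GROUP:serveree
> n419=EU, AT,
> DiemenSERVER:Diemen.NL.EU.Undernet.Org:6660-6670,7000GROUP:serveree
"""

if __name__ == "__main__":
    ident, srv, bad = parse_mirc_ini(SAMPLE)
    print("bot identity:", ident.get("nick"), ident.get("anick"))
    for s in srv:
        print(f"n{s.index}: {s.host} ports={s.ports[0]}..{s.ports[-1]} group={s.group}")
    print("non-public hosts:", sorted(non_public_hosts(srv)))
    print("unparsed:", bad)
```

Run it on the full quoted config and the non-public set is what you hand to whoever is going to take the C&C down; the Undernet entries are just the public network the bot also knows about, and the IP-only entries need resolving before you can say which side of that line they fall on.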
