Thanks Dean for sharing this!

> There are about 16 or so exploits up on the site at
> the moment. Windows media player, quicktime, IE, etc.... I've not
> looked at all the latest pages yet so I'm not sure which are new or
> not.

I've browsed through the pages and there was nothing new there. Same old exploits for MDAC, VML, Winzip, Yahoo, Ani, WebViewFolder plus the ones you just mentioned.

-- Ivan
________________________________
From: [EMAIL PROTECTED] on behalf of Dean De Beer
Sent: Fri 8/29/2008 10:55 AM
To: botnets@whitestar.linuxbox.org
Subject: [botnets] Malware hosting site

This site appears to be run by the authors to host their malware. It's been around for a long time now. I track it on and off to see if they add any new exploits. Since its inception they have refined the code and exploits. I've been looking at it for about 8 months on and off but I think it's been around a lot longer. Google searches reveal very little info.

There are about 16 or so exploits up on the site at the moment. Windows media player, quicktime, IE, etc.... I've not looked at all the latest pages yet so I'm not sure which are new or not. Discovery after 4 months for this exe is good but there are still some AV that don't detect it.

hxxp://www.ahack.info
hxxp://www.ahack.info/tds/
hxxp://www.ahack.info/forum/index.php
hxxp://www.ahack.info/ice/exploits/
hxxp://www.ahack.info/ice/index.php/exploits/
http://www.ahack.info/ice/exe.php < exe

I thought it interesting that there was so little on this domain yet it has been up for such a period of time. It is blacklisted by some RBLs though, but that may be due to other sites hosted on the IP.

http://www.robtex.com/rbl/203.202.239.59.html

/dean

On Fri, Aug 29, 2008 at 11:35 AM, Brack o'Malley <[EMAIL PROTECTED]> wrote:
> Found this IRC based C&C (yesterday) if anybody wants to go after it. The
> channel was still live as of yesterday morning. It gets delivered as a
> self extracting rar file.
>
> [mirc]
> user=Kj6cQa9hFw3tR
> nick=Qd0pAb4xTi3a
> anick=Gg8lNv5rCk7lW
> email=Politia
> host=serveru de ircdSERVER:serveru de ircd:6667GROUP:servere
>
> Here's the usual server.ini:
>
> _______________________________________________
> botnets@, the public's dumping ground for maliciousness
> All list and server information are public and available to law enforcement
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
>

TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
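Turning a recovered servers.ini like the one Brack posted into a host/port blocklist for a firewall or IDS feed, as an added example that is not part of the thread: the parser handles the mIRC `nN=<description>SERVER:<host>:<ports>GROUP:<group>` layout, expands port lists and ranges, reports lines that do not fit the format instead of dropping them, and flags hosts given as IP literals (no DNS lookup to alert on). The sample entries are constructed; the `.invalid` hostnames and 192.0.2.10 are placeholders.

```python
import re
from ipaddress import ip_address

# Constructed sample in the mIRC servers.ini format quoted above
# (nN=<description>SERVER:<host>:<ports>GROUP:<group>); hosts, ports
# and the malformed n13 line are made up for this example.
SAMPLE_SERVERS_INI = """\
[servers]
n1=serveru de ircdSERVER:irc.example-cnc.invalid:6667GROUP:servere
n2=serveru de ircdSERVER:irc.example-cnc.invalid:9999GROUP:servere
n13=mesa2.example.invalid:mesa2.example.invalid:6667GROUP:serveree
n419=EU, AT, DiemenSERVER:diemen.example.invalid:6660-6670,7000GROUP:serveree
n429=US, AZ, MesaSERVER:192.0.2.10:6660,6665-6667,7000GROUP:serveree
"""
# mIRC glues the description straight onto "SERVER:", so match it non-greedily.
ENTRY_RE = re.compile(r"^n\d+=(?P<desc>.*?)SERVER:(?P<host>[^:]+):(?P<ports>[\d,-]+)GROUP:(?P<group>.*)$")

def expand_ports(spec: str) -> tuple:
    """Expand '6660-6670,7000' into a sorted tuple of distinct ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return tuple(sorted(ports))

def is_ip_literal(host: str) -> bool:
    """True when the bot dials an IP directly, so there is no DNS lookup to alert on."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def parse_servers_ini(text: str) -> tuple:
    """Return ({host: sorted ports}, [lines that did not match the format])."""
    hosts, rejected = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "[;":
            continue
        m = ENTRY_RE.match(line)
        if not m:  # a bot config is attacker-controlled input: report, don't drop
            rejected.append(line)
            continue
        host = m["host"].strip().lower()
        hosts.setdefault(host, set()).update(expand_ports(m["ports"]))
    return {h: tuple(sorted(p)) for h, p in sorted(hosts.items())}, rejected
```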