To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Captured this in a channel I'm monitoring:
10:25 <oasjdfoij> freeride4ever $davalka RRIBUUICCSICFA RSRS b0b01bd6ac4f8c087e28f2feb5e37e80
10:25 <*> Quit -> frgmrtfr_ [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> ya0aeaaaa [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> ljnrwvwk5 [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> xbn [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> gvlgzmt [EMAIL PROTECTED] [Read error: EOF from client]
10:25 <*> Quit -> bkrvsffpf [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> aeyeay [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> eue0ea0 [EMAIL PROTECTED] [Read error: EOF from client]
10:25 <*> Quit -> _zwhjrjl1 [EMAIL PROTECTED] [Read error: EOF from client]
10:25 <*> Quit -> Uieeiueoa7 [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> uuui0ooe_ [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> jqktqrh_ [EMAIL PROTECTED] [Quit: .]
...

A contact on that network mentioned that he'd seen bot herders update Korgo to these particular bots, though he's not entirely sure what they are. These appear to be a worm, as groups of bots will be killed by the network at random when a host connects too many times (indicating repeated infection).

'davalka' appears to be Russian for 'honest slut' (*snerk*), so this appears to be a Russian worm (which, as it just so happens, Korgo is...).

RRIBUUICCSICFA RSRS apparently is an IP address and port, using character rotation/replacement. I suspect the md5 at the end of the command string is used as a sort of checksum, though I've no idea what it's generated from (I've tried several variations of the command string, both with the encoded IP/port and decoded; I can't get a match to the md5). Attempting to have the bots connect to localhost resulted in no action, hence the suspicion about the md5 as checksum.

Has anyone on here seen these before? Can you positively identify them as Korgo, or another bot? And how is the md5 used/generated?

Thank you.
--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
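The capture above shows the two things a channel operator can actually act on without knowing the bot family: a burst of Quit events in a single minute from nicks that look machine-generated, and a command line whose trailing token is a 32-hex-digit md5. The following script is an added example written for this post (it is not code from the poster, the list, or any bot); it parses the quoted channel lines (the format assumed here is exactly `HH:MM <*> Quit -> nick host [reason]` and `HH:MM <nick> text`), flags a minute in which most quitting nicks are all-consonant or all-vowel strings (a heuristic chosen here because every bot nick in the capture has that shape; the thresholds are assumptions, not anything the post states), and provides a helper that tests the poster's checksum hypothesis by hashing each prefix of the command tokens against the trailing digest. The two `alice` lines in the sample are constructed noise, not part of the capture.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: the channel lines quoted in the post, one per line, plus
# two ordinary user lines (alice) added here as non-bot noise.
SAMPLE_LOG = """\
10:25 <oasjdfoij> freeride4ever $davalka RRIBUUICCSICFA RSRS b0b01bd6ac4f8c087e28f2feb5e37e80
10:25 <*> Quit -> frgmrtfr_ [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> ya0aeaaaa [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> ljnrwvwk5 [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> xbn [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> gvlgzmt [EMAIL PROTECTED] [Read error: EOF from client]
10:25 <*> Quit -> bkrvsffpf [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> aeyeay [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> eue0ea0 [EMAIL PROTECTED] [Read error: EOF from client]
10:25 <*> Quit -> _zwhjrjl1 [EMAIL PROTECTED] [Read error: EOF from client]
10:25 <*> Quit -> Uieeiueoa7 [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> uuui0ooe_ [EMAIL PROTECTED] [Quit: .]
10:25 <*> Quit -> jqktqrh_ [EMAIL PROTECTED] [Quit: .]
10:26 <alice> anyone around?
10:27 <*> Quit -> alice [EMAIL PROTECTED] [Quit: bye]
"""

# Assumed line formats (matching the capture as quoted, not an IRC standard).
QUIT_RE = re.compile(r'^(?P<time>\d\d:\d\d) <\*> Quit -> (?P<nick>\S+) (?P<host>.+?) \[(?P<reason>.*)\]$')
MSG_RE = re.compile(r'^(?P<time>\d\d:\d\d) <(?P<nick>[^*>][^>]*)> (?P<text>.*)$')
MD5_RE = re.compile(r'^[0-9a-f]{32}$')
VOWELS = set("aeiouy")


def vowel_ratio(nick):
    """Fraction of alphabetic characters in the nick that are vowels (y counted as a vowel)."""
    letters = [c for c in nick.lower() if c.isalpha()]
    if not letters:
        return 0.5
    return sum(c in VOWELS for c in letters) / len(letters)


def looks_generated(nick):
    """Heuristic (assumption): generated nicks in the capture are either nearly all
    consonants or nearly all vowels; human-chosen nicks mix the two."""
    r = vowel_ratio(nick)
    return r <= 0.15 or r >= 0.75


def parse_log(text):
    """Split a log into Quit events and channel messages as dicts."""
    quits, msgs = [], []
    for line in text.splitlines():
        m = QUIT_RE.match(line)
        if m:
            quits.append(m.groupdict())
            continue
        m = MSG_RE.match(line)
        if m:
            msgs.append(m.groupdict())
    return quits, msgs


def find_quit_bursts(text, min_quits=5, min_generated_fraction=0.8):
    """Report each minute in which at least min_quits clients quit and most of
    their nicks look generated: the 'groups of bots killed at once' pattern."""
    quits, _ = parse_log(text)
    by_time = defaultdict(list)
    for q in quits:
        by_time[q["time"]].append(q)
    bursts = []
    for t, qs in sorted(by_time.items()):
        generated = [q["nick"] for q in qs if looks_generated(q["nick"])]
        if len(qs) >= min_quits and len(generated) / len(qs) >= min_generated_fraction:
            bursts.append({"time": t, "quits": len(qs), "generated": len(generated), "nicks": generated})
    return bursts


def parse_bot_command(text):
    """Split a command line into command, arguments and a trailing md5 digest (if any)."""
    tokens = text.split()
    if len(tokens) < 2:
        return None
    digest = tokens[-1] if MD5_RE.match(tokens[-1]) else None
    args = tokens[1:-1] if digest else tokens[1:]
    return {"command": tokens[0], "args": args, "digest": digest}


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def find_checksum_source(text):
    """Test the checksum hypothesis: hash every prefix of the tokens preceding the
    digest and return the prefix that matches, or None if none does."""
    parsed = parse_bot_command(text)
    if not parsed or not parsed["digest"]:
        return None
    tokens = [parsed["command"]] + parsed["args"]
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if md5_hex(candidate) == parsed["digest"]:
            return candidate
    return None


if __name__ == "__main__":
    for b in find_quit_bursts(SAMPLE_LOG):
        print(f"{b['time']}: {b['quits']} quits, {b['generated']} generated-looking nicks")
    _, msgs = parse_log(SAMPLE_LOG)
    for m in msgs:
        cmd = parse_bot_command(m["text"])
        if cmd and cmd["digest"]:
            print("command with digest:", cmd, "prefix match:", find_checksum_source(m["text"]))
```

Run on the capture, the burst detector flags 10:25 (twelve quits, all generated-looking) and ignores alice's single quit; `find_checksum_source` only covers whole-token prefixes of the plain command text, so a None result rules out that one construction and nothing else, which is consistent with the poster's own failure to find a match.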
