Thanks for the report

On Fri, Jul 4, 2014 at 12:01 PM, Moritz Kroll <moritz.kr...@avira.com>
wrote:

> Hi,
>
> I'm a security researcher at Avira and would like to inform you that
>
> schw4rzz.googlecode.com
>
> is used for hosting plugins of the Andromeda botnet. At 2014-07-04
> 16:57:10 (CET) we found a command and control server returning download
> commands for them.
>
> The .mod files are plugin packs with a fake ZIP magic (PK\03\04)
> followed by the CRC32 of the data from offset 0x1C to the end of the
> file. The data is aPLib packed and RC4 encrypted.
>
> Checking the owner of this project reveals more projects used for
> Andromeda plugins with .pack extensions
> (https://code.google.com/u/109731825940151725349/):
>
> flukss.googlecode.com
> hocazz.googlecode.com
> packeds.googlecode.com
> projct1ss.googlecode.com
> sfxpack.googlecode.com
> updateext.googlecode.com
>
> One project only contains a Windows executable (most likely malware),
> but I cannot download it currently. Even checking out the SVN repository
> gives me nothing (maybe .exe is blacklisted?):
>
> videoavi.googlecode.com
>
> And there are also some projects hosting malicious JavaScript files:
>
> kitjs.googlecode.com
> thehelios.googlecode.com
>
>
> Please lock down these projects and the user (maybe the Gmail account is
> hacked, but at least all Google Code projects are malicious).
>
> If you need more information, just ask!
>
> Thanks and best regards
> Moritz
>
> --
> Moritz Kroll
> Software Developer & Researcher
> Advanced Threat Research And Protection Systems
> Email: moritz.kr...@avira.com
>
> --
> Avira Operations GmbH & Co. KG
> Kaplaneiweg 1 | 88069 Tettnang | Deutschland / Germany
> Telefon / Telephone: +49 7542-500 0
> Telefax / Facsimile: +49 7542-500 3000
>
> Commercial Register: Amtsgericht Ulm, HRA 722586 | VAT-ID: DE 815289569 |
> Personally Liable Partner: Avira OP GmbH | Headquarters: Tettnang |
> Commercial Register: Amtsgericht Ulm, HRB 726712 | Chief Executive Officer
> (CEO): Travis Witteveen
>
> --
> You received this message because you are subscribed to the Google Groups
> "Project Hosting on Google Code" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to google-code-hosting+unsubscr...@googlegroups.com.
> To post to this group, send email to google-code-hosting@googlegroups.com.
> Visit this group at http://groups.google.com/group/google-code-hosting.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
-Mike
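
The quoted report describes the `.mod` header as a ZIP magic followed by a CRC32 over the data from offset 0x1C to the end of the file. The following triage check for that layout is an added example, not code from either e-mail; it assumes the CRC32 is stored little-endian at offset 4 and uses the standard CRC-32, all function names are hypothetical, and it does not attempt the RC4 or aPLib layers.

```python
import io
import struct
import zipfile
import zlib

MAGIC = b"PK\x03\x04"   # ZIP local-file-header magic the report says is faked
CRC_OFFSET = 4          # ASSUMPTION: CRC32 sits directly after the magic
DATA_OFFSET = 0x1C      # from the report: checksummed data starts at 0x1C


def classify(blob: bytes) -> dict:
    """Check a blob against the header layout described in the report."""
    info = {"magic": blob[:4] == MAGIC, "crc_match": False,
            # A genuine archive has an end-of-central-directory record.
            "real_zip": zipfile.is_zipfile(io.BytesIO(blob)),
            "verdict": "other"}
    if info["magic"] and len(blob) > DATA_OFFSET:
        # ASSUMPTION: little-endian field, standard (zlib) CRC-32.
        (stored,) = struct.unpack_from("<I", blob, CRC_OFFSET)
        info["crc_match"] = stored == zlib.crc32(blob[DATA_OFFSET:])
    if info["real_zip"]:
        info["verdict"] = "zip"
    elif info["crc_match"]:
        info["verdict"] = "suspect-plugin-pack"
    elif info["magic"]:
        info["verdict"] = "pk-magic-but-not-zip"
    return info


def make_constructed_sample(payload: bytes) -> bytes:
    """Build a harmless blob with the described header (constructed data)."""
    header = MAGIC + struct.pack("<I", zlib.crc32(payload))
    return header.ljust(DATA_OFFSET, b"\x00") + payload


def make_real_zip() -> bytes:
    """Build a genuine one-file archive in memory for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("a.txt", (2014, 7, 4, 0, 0, 0)), b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    fake = make_constructed_sample(b"constructed opaque bytes " * 8)
    for name, blob in [("fake", fake), ("zip", make_real_zip()),
                       ("tampered", fake[:-1] + b"\x00")]:
        print(name, classify(blob))
```

A file that carries the PK magic but fails both the ZIP structure check and the CRC check is still worth a second look, since the field position and byte order used here are assumptions.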
