To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

-----
211.115.109.28 8989 JOIN #cbboy
-----
211.115.109.21 8981 JOIN #ctheLword
-----
211.115.109.26 8989 JOIN #c20cassio
-----

I've seen similar traffic to yours on the above IPs/ports/JOINs. I don't have DNS query logs available at the moment, but I am nearly certain these IPs are in the daum.net and hanmail.net domains. I don't know for sure if this is a bot or not, but it looks similar to cyworld.nate.com Korean IRC/IM servers I mistakenly thought might be bot C&Cs recently. While I was researching that one, if I am not mistaken, I read that Daum Communications is a major Korean web portal with IRC and IM users, so this traffic might be legit. I'd be very interested to know what you find.

-Brian

-----Original Message-----
From: Jeff Kell [mailto:[EMAIL PROTECTED]]
Sent: Mon 3/20/2006 9:21 AM
To: [email protected]; [EMAIL PROTECTED]
Subject: [botnets] Particularly ugly, nonstandard bot -- 'daum' ?

Just tracked this one on an infected local host and coaxed it into replaying a login. The C&C IP has been around a couple of lists, but I haven't seen references to this particular controller, which is certainly not your typical IRCd. Contact me if you want pcaps. I haven't gotten ahold of the client binary and probably won't unless they bring it in.

Jeff

> CON :*** DAUM CAFE
> LOGIN cbandBUZZ sNy]78bPuvm89g__ W
> REGUSER 25qP8MBHAfiJ90l3R4sgxIA3g0Qlf9r4FLx5c0 0 * :
> :1.21 001 cbandBUZZ_1258967^WsNy]78bPuvm89g__ :Welcome to the Daum Internet Relay Chat Network cbandBUZZ_1258967^WsNy]78bPuvm89g__
> :cbandBUZZ_1258967^WsNy]78bPuvm89g__ MODE cbandBUZZ_1258967^WsNy]78bPuvm89g__ :+i
> JOIN #cbandBUZZ
> :cbandBUZZ_1258967^WsNy]78bPuvm89g__!~25qP8MBHAfiJ90l3R4sgxIA3g0Qlf9r4FL [EMAIL PROTECTED] JOIN :#cbandBUZZ000240
> :1.21 353 cbandBUZZ_1258967^WsNy]78bPuvm89g__ = #cbandBUZZ000240 :cbandBUZZ_1258967^WsNy]78bPuvm89g__~25qP8MBHAfiJ90l3R4sgxIA3g0Qlf9r4FLx 5c0 cbandBUZZ_1258963^Wv[THx6S7~25BzADBgE-R650HdWm97nYzkM0YUiXLKHFe8U0 cbandBUZZ_1258957^Wa3VzaHV6eg__~25NJ_TnQe1rtw06lIUOi5Vzzo0LnS5hP6Jzkg0 cbandBUZZ_1258946^WsObIxri4u[e2[8fYor4_~25kcH2.gSU4NU0DTnj1exySS509b8Szf w.BR10 cbandBUZZ_1258942^WvtPFu7y6yPGh2Q__~25Xj2DJonLfBE0ODXmRPThEKA0ZRRmJ_1zmh A0
> :1.21 353 cbandBUZZ_1258967^WsNy]78bPuvm89g__ = #cbandBUZZ000240 :cbandBUZZ_1258921^Ws9e59r[jtfkuLrn2we4uLg__~25z4VpGqRI8RU0pbvBRuTRhKA0f V4ssL_W48g0 cbandBUZZ_1258844^WtOvH0LChvK259sHuuLizry4u~254nbBtHoLU8A0-yJcI9-Hax1019 DSVRCLaf90 cbandBUZZ_1258832^WsObIxLOqueS5rMDa~251f_JfxNK-oU0RRkH2hkluyM0Dv9FrlfBkE A0 cbandBUZZ_1258805^WYXp1a2k_~25g5EKYja9hOE0lVYOzr9JKjw0XWXgdrDXiK50 cbandBUZZ_1258756^WQ2hpX0I_~25Np4mzY_fIYA0JDWTsBgS3J90ZUlruQTgtlk0
[...etc...]
> :1.21 366 cbandBUZZ_1258967^WsNy]78bPuvm89g__ #cbandBUZZ000240 :End of /NAMES list.
> :cbandBUZZ_1258970^WwK]Eob]4tOvA5by6yPGivQ__!~25XrRRhAksMgM0SxBEDVvNCIs0 [EMAIL PROTECTED] JOIN :#cbandBUZZ000240
> :[EMAIL PROTECTED] .104.217.158 JOIN :#cbandBUZZ000240
> :cbandBUZZ_1258946^WsObIxri4u[e2[8fYor4_!~25kcH2.gSU4NU0DTnj1exySS509b8S [EMAIL PROTECTED] QUIT :Remote host closed the connection
[...etc...]

Jeff

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
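The session Jeff posted is plain IRC framing (prefix, command, params, trailing) with a non-standard registration handshake (CON/LOGIN/REGUSER instead of NICK/USER), a version-number-looking server prefix (":1.21") and NAMES replies full of nicks that share one stem. The script below is an added example, not code from either poster: it parses a capture in that format and reports those features so an analyst can triage a flow before deciding, as Brian's reply cautions, whether it is a bot controller or just a portal's own chat service. The sample lines are a constructed subset of the thread's capture; the host part, which the archive redacts, is replaced with the placeholder "host.invalid", and the wrapped user string is rejoined as it appears in the REGUSER line.

```python
import re
from collections import Counter

# Constructed sample: a subset of the IRC-style session quoted in the thread,
# quote marks removed, redacted host replaced by the placeholder host.invalid.
SESSION = [
    "CON :*** DAUM CAFE",
    "LOGIN cbandBUZZ sNy]78bPuvm89g__ W",
    "REGUSER 25qP8MBHAfiJ90l3R4sgxIA3g0Qlf9r4FLx5c0 0 * :",
    ":1.21 001 cbandBUZZ_1258967^WsNy]78bPuvm89g__ :Welcome to the Daum Internet "
    "Relay Chat Network cbandBUZZ_1258967^WsNy]78bPuvm89g__",
    ":cbandBUZZ_1258967^WsNy]78bPuvm89g__ MODE cbandBUZZ_1258967^WsNy]78bPuvm89g__ :+i",
    "JOIN #cbandBUZZ",
    ":cbandBUZZ_1258967^WsNy]78bPuvm89g__!~25qP8MBHAfiJ90l3R4sgxIA3g0Qlf9r4FLx5c0"
    "@host.invalid JOIN :#cbandBUZZ000240",
    ":1.21 353 cbandBUZZ_1258967^WsNy]78bPuvm89g__ = #cbandBUZZ000240 :"
    "cbandBUZZ_1258967^WsNy]78bPuvm89g__~25qP8MBHAfiJ90l3R4sgxIA3g0Qlf9r4FLx5c0 "
    "cbandBUZZ_1258963^Wv[THx6S7~25BzADBgE-R650HdWm97nYzkM0YUiXLKHFe8U0 "
    "cbandBUZZ_1258957^Wa3VzaHV6eg__~25NJ_TnQe1rtw06lIUOi5Vzzo0LnS5hP6Jzkg0",
    ":1.21 366 cbandBUZZ_1258967^WsNy]78bPuvm89g__ #cbandBUZZ000240 :End of /NAMES list.",
    ":cbandBUZZ_1258946^WsObIxri4u[e2[8fYor4_!~25kcH2.gSU4NU0DTnj1exySS509b8Szfw.BR10"
    "@host.invalid QUIT :Remote host closed the connection",
]


def parse_irc_line(line):
    """Split one RFC 1459 style message into (prefix, command, params).

    A leading ':' introduces the prefix; the first ' :' starts the trailing
    parameter, which may contain spaces (or be empty, as in the REGUSER line).
    """
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    command = params.pop(0) if params else ""
    return prefix, command, params


def summarize_session(lines):
    """Collect the protocol features an analyst wants to see at a glance."""
    summary = {
        "handshake": [],         # client commands sent before any prefix appears
        "numerics": [],          # server numeric replies (001, 353, 366, ...)
        "server_prefixes": set(),
        "channels": set(),
        "members": set(),        # entries from 353 NAMES replies
        "quits": 0,
    }
    for raw in lines:
        prefix, cmd, params = parse_irc_line(raw.strip())
        if cmd.isdigit():
            summary["numerics"].append(cmd)
            summary["server_prefixes"].add(prefix)
        elif prefix is None:
            summary["handshake"].append(cmd)
        if cmd == "JOIN" and params:
            summary["channels"].add(params[0])
        if cmd == "353" and len(params) >= 4:
            summary["members"].update(params[-1].split())
        if cmd == "QUIT":
            summary["quits"] += 1
    return summary


def flag_indicators(summary):
    """Name the features that distinguish this flow from ordinary IRC/IM use.

    These are triage hints, not a verdict: a portal's own chat client can
    produce every one of them, which is exactly the doubt raised in the thread.
    """
    flags = []
    if {"001", "353", "366"} & set(summary["numerics"]):
        flags.append("irc-numerics")            # server speaks IRC numerics
    if "JOIN" in summary["handshake"] and not {"NICK", "USER"} & set(summary["handshake"]):
        flags.append("nonstandard-registration")  # LOGIN/REGUSER, no NICK/USER
    if any(re.fullmatch(r"[\d.]+", p or "") for p in summary["server_prefixes"]):
        flags.append("numeric-server-prefix")   # ':1.21' where a server name belongs
    stems = Counter(m.split("_", 1)[0] for m in summary["members"])
    if len(summary["members"]) >= 3 and stems.most_common(1)[0][1] == len(summary["members"]):
        flags.append("uniform-nick-pattern")    # every member nick shares one stem
    return flags


if __name__ == "__main__":
    s = summarize_session(SESSION)
    print("handshake:", " ".join(s["handshake"]))
    print("channels:", sorted(s["channels"]))
    print("members seen:", len(s["members"]), "quits:", s["quits"])
    print("indicators:", flag_indicators(s))
```

Feed it the de-quoted lines from a pcap follow-stream dump; the "uniform-nick-pattern" and "numeric-server-prefix" hints are the ones worth correlating with DNS (the daum.net / hanmail.net question Brian raises) before treating a flow as a controller.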
