lordandrej wrote:
> Today I stumbled over some malware that Norman reported the following
> about:
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "1.75.0.193" on port 6556 (TCP).
> * Connects to IRC Server.
> * IRC: Uses username mxoz.
> * IRC: Uses nickname mxoz.
>
> but the traffic at almost the same time showed:
>
> DNS A 0x80.my1x1.com -> 194.109.11.65
> DNS A 0xff.memzero.info -> no response
> DNS A 0x80.my-secure.name -> 194.109.11.65
> connect 194.109.11.65 port 1037 -> 6556
>
> USER jkbtlmytls jkbtlmytls jkbtlmytls :xLegion/0x030
> NICK jkbtlmytls
> etc....
>
> Is the malware actively misleading Norman?
>
> cheers
> andrej
I have a similar one (0c01728b7ecdd68dbf03e17cfec4db95). Norman lists the IPs x.75.0.193 with x being in the range 1-6. Port numbers are 1023 and 6556.

0x80.online-software.org/<not found>
0xff.memzero.info/<not found>
0x80.martiansong.com/68.178.232.99:6556

USER mnslacoli mnslacoli mnslacoli :xLegion/0x204 (win32)
NICK mnslacoli

It does not send anything else to this port (at least not within the ten minutes I watched it). Additionally it opens a connection to the same host on port 1023 and sends a single character (0x55) followed by TCP keepalives.

nick..

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
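Both posts show the same two artefacts: an IRC USER line whose realname is an "xLegion/0x..." tag with the nick repeating the username, and DNS lookups for names whose leftmost label is a two-digit hex literal (0x80, 0xff). The script below is an added example, not code from either poster, that pulls those two patterns out of a capture transcribed the way the posts transcribed theirs. The line format it parses and the sample capture are constructed from the values quoted in the thread, and the matching rules are heuristics drawn from just these two samples, so treat them as a starting point rather than a signature.

```python
"""Extract the IRC registration and DNS naming patterns from the thread.

Added example, not code from the list posts. The capture lines below are
constructed from the values quoted in the thread; the line format is an
assumption (it mirrors how the posts transcribed the traffic), and the
detection rules are heuristics derived only from those two samples.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample capture in the transcription style used in the posts.
# The 'alice' registration is a benign control that must not be flagged.
SAMPLE_CAPTURE = """\
DNS A 0x80.my1x1.com -> 194.109.11.65
DNS A 0xff.memzero.info -> no response
DNS A 0x80.my-secure.name -> 194.109.11.65
connect 194.109.11.65 port 1037 -> 6556
USER jkbtlmytls jkbtlmytls jkbtlmytls :xLegion/0x030
NICK jkbtlmytls
USER mnslacoli mnslacoli mnslacoli :xLegion/0x204 (win32)
NICK mnslacoli
USER alice 0 * :Alice Example
NICK alice
"""

# RFC 1459 client registration: USER <username> <hostname> <servername> :<realname>
USER_RE = re.compile(r"^USER\s+(\S+)\s+(\S+)\s+(\S+)\s+:(.*)$")
NICK_RE = re.compile(r"^NICK\s+(\S+)\s*$")
# Transcription format assumed from the posts: "DNS A <name> -> <answer>"
DNS_RE = re.compile(r"^DNS\s+A\s+(\S+)\s+->\s+(.*)$")
HEX_LABEL_RE = re.compile(r"^0x[0-9a-f]{2}$", re.IGNORECASE)


@dataclass
class Registration:
    username: str
    realname: str
    nick: Optional[str]

    def is_xlegion_like(self) -> bool:
        """Heuristic from the two samples in the thread: the realname carries
        an 'xLegion/0x..' tag and the NICK simply repeats the USER name."""
        return self.realname.startswith("xLegion/0x") and self.nick == self.username


def parse_registrations(capture: str) -> List[Registration]:
    """Pair each USER line with the NICK line that follows it."""
    regs: List[Registration] = []
    for line in capture.splitlines():
        m = USER_RE.match(line)
        if m:
            regs.append(Registration(m.group(1), m.group(4).strip(), None))
            continue
        m = NICK_RE.match(line)
        if m and regs and regs[-1].nick is None:
            regs[-1].nick = m.group(1)
    return regs


def hex_label_lookups(capture: str) -> List[Tuple[str, str]]:
    """DNS A queries whose leftmost label is a two-digit hex literal, the
    naming pattern both posts observed; returns (name, answer) pairs."""
    found: List[Tuple[str, str]] = []
    for line in capture.splitlines():
        m = DNS_RE.match(line)
        if m and HEX_LABEL_RE.match(m.group(1).split(".")[0]):
            found.append((m.group(1), m.group(2).strip()))
    return found


def flagged_nicks(capture: str) -> List[str]:
    """Nicks of registrations that match the xLegion heuristic."""
    return [r.nick for r in parse_registrations(capture) if r.is_xlegion_like()]


if __name__ == "__main__":
    print(flagged_nicks(SAMPLE_CAPTURE))      # ['jkbtlmytls', 'mnslacoli']
    for name, answer in hex_label_lookups(SAMPLE_CAPTURE):
        print(name, "->", answer)
```

The realname prefix is the stronger of the two registration signals; the nick-equals-username check only narrows false positives from ordinary clients that happen to send a similar realname. Resolved names that answer "no response" (0xff.memzero.info in both posts) are kept in the output because a dead rendezvous name is still a useful pivot when comparing samples.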
