Re: [botnets] Weird bot

Mon, 22 May 2006 02:27:48 -0700 

To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi Gadi,

> Just a guess: an IRC based C&C which is either on a bad 
> connection or very over-loaded with bots.
I don't think it is a very bad connection, as symantec.loves.the.cock.pheer.biz 
seems to be an alias for at least seven Ips. Plus, the response time itself is 
not bad on the commands I figured out.
I'd think it is an IRC-Based C&C without implementing all or some modified 
subset of IRC commands.

Cheers,

Joerg

--
Joerg Weber M. A.
Teamleiter Netzwerk-Sicherheit/Netzwerk-Applikationen

infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken

T: (0681) 8 80 08 - 59
F: (0681) 8 80 08 - 33
www.infos.de
mailto: [EMAIL PROTECTED]  

> -----Original Message-----
> From: Gadi Evron [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, May 21, 2006 12:20 PM
> To: Jörg Weber
> Cc: [email protected]
> Subject: Re: [botnets] Weird bot
> 
> On Sat, 20 May 2006, Jörg Weber wrote:
> > Hi folks,
> > 
> > I found this funny thing during the weekend:
> > It connects to symantec.loves.the.cock.pheer.biz 18067 and 
> seems to initiate something akin to an IRC session:
> > 
> > USeR l l l l
> > 
> > NiCK l5-00050c7b
> > 
> > :a4 433 * l5-00050c7b : 
> > NiCK l5-00051247
> > 
> > :a4 001 l5-00051247 : 
> > USeRHOST l5-00051247
> > 
> > :a4 302 l5-00051247 :[EMAIL PROTECTED]     
> > JOiN #l5t3 dlrowymx0ri
> > 
> > :a4 366 l5-00051247 #l5t3 : 
> > 
> > Trying to connect to that box by telnet/netcat/irc fails at 
> times and works sometimes, but I couldn't get the server to 
> spill out any useful information.
> > 
> > Does someone have a clue what this beast is?
> 
> Just a guess: an IRC based C&C which is either on a bad 
> connection or very over-loaded with bots.
> 
>       Gadi.
> 
> > 
> > Cheers,
> > 
> > J.
> > _______________________________________________
> > To report a botnet PRIVATELY please email: 
> [EMAIL PROTECTED] All list 
> > and server information are public and available to law 
> enforcement upon request.
> > http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
> > 
> 
> 
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

Reply via email to