Hi,

I'm a security researcher at Avira and would like to inform you that

schw4rzz.googlecode.com

is used for hosting plugins of the Andromeda botnet. At 2014-07-04
16:57:10 (CET) we found a command and control server returning download
commands for them.

The .mod files are plugin packs with a fake ZIP magic (PK\03\04)
followed by the CRC32 of the data from offset 0x1C to the end of the
file. The data is aPLib packed and RC4 encrypted.

Checking the owner of this project reveals more projects used for
Andromeda plugins with .pack extensions
(https://code.google.com/u/109731825940151725349/):

flukss.googlecode.com
hocazz.googlecode.com
packeds.googlecode.com
projct1ss.googlecode.com
sfxpack.googlecode.com
updateext.googlecode.com

One project only contains a Windows executable (most likely malware),
but I cannot download it currently. Even checking out the SVN repository
gives me nothing (maybe .exe is blacklisted?):

videoavi.googlecode.com

And there are also some projects hosting malicious JavaScript files:

kitjs.googlecode.com
thehelios.googlecode.com


Please lock down these projects and the user (maybe the Gmail account is
hacked, but at least all Google Code projects are malicious).

If you need more information, just ask!

Thanks and best regards
Moritz

--
Moritz Kroll
Software Developer & Researcher
Advanced Threat Research And Protection Systems
Email: moritz.kr...@avira.com

--
Avira Operations GmbH & Co. KG
Kaplaneiweg 1 | 88069 Tettnang | Deutschland / Germany
Telefon / Telephone: +49 7542-500 0
Telefax / Facsimile: +49 7542-500 3000

Registergericht: Amtsgericht Ulm, HRA 722586 | USt.-IdNr.: DE 815289569 | Pers. 
haftende Gesellschafterin: Avira OP GmbH | Firmensitz: Tettnang | 
Registergericht: Amtsgericht Ulm, HRB 726712 | Geschäftsführer: Travis Witteveen

Commercial Register: Amtsgericht Ulm, HRA 722586 | VAT-ID: DE 815289569 | 
Personally Liable Partner: Avira OP GmbH | Headquarters: Tettnang | Commercial 
Register: Amtsgericht Ulm, HRB 726712 | Chief Executive Officer (CEO): Travis 
Witteveen
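As an added worked example (not code from the original mail, from Avira, or from any of the projects named above), the following Python script triages a file against the .mod layout Moritz describes. Only the fake PK\03\04 magic, the 0x1C data offset and "CRC32 of the data from 0x1C to the end" come from the mail; the CRC32's position (offset 4, little-endian), the packed-then-encrypted order, the RC4 key and the sample payload are this example's assumptions, and aPLib unpacking is left out (on a real sample the RC4-decrypted bytes would still need it). The sample .mod and the comparison ZIP are constructed in the script.

```python
import io
import struct
import zipfile
import zlib

# Layout as described in the mail; everything except the magic, the 0x1C
# data start and "CRC32 over 0x1C..EOF" is an assumption of this example:
#   0x00  4 bytes   fake ZIP local-file-header magic "PK\x03\x04"
#   0x04  4 bytes   CRC32, little-endian, of everything from 0x1C to EOF
#   0x08  20 bytes  unknown to us; zero-filled in the constructed sample
#   0x1C  ...       payload, assumed aPLib-packed first, then RC4-encrypted
MAGIC = b"PK\x03\x04"
DATA_OFFSET = 0x1C

# Constructed sample material (not from any real Andromeda plugin).
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_PLAINTEXT = b"constructed stand-in for aPLib-packed plugin data"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_mod(blob: bytes) -> dict:
    """Check the magic, recompute the CRC32 over 0x1C..EOF, return the payload."""
    if len(blob) < DATA_OFFSET:
        raise ValueError("too short for a .mod header")
    if blob[:4] != MAGIC:
        raise ValueError("missing PK\\x03\\x04 magic")
    stored_crc = struct.unpack_from("<I", blob, 4)[0]  # assumed position
    payload = blob[DATA_OFFSET:]
    computed_crc = zlib.crc32(payload) & 0xFFFFFFFF
    return {
        "stored_crc": stored_crc,
        "computed_crc": computed_crc,
        "crc_ok": stored_crc == computed_crc,
        "payload": payload,
    }


def looks_like_andromeda_pack(blob: bytes) -> bool:
    """Heuristic: magic present AND the tail CRC matches the assumed field.

    A genuine ZIP keeps 'version needed' and 'flags' at offset 4, which will
    practically never equal CRC32(blob[0x1C:]), so real archives fail here.
    """
    try:
        return parse_mod(blob)["crc_ok"]
    except ValueError:
        return False


def decrypt_payload(blob: bytes, key: bytes) -> bytes:
    """RC4-decrypt the payload; on a real sample aPLib unpacking would follow."""
    return rc4(key, parse_mod(blob)["payload"])


def build_sample_mod(key: bytes, plaintext: bytes) -> bytes:
    """Construct a .mod-shaped file (aPLib step skipped: plaintext stands in)."""
    payload = rc4(key, plaintext)
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    header = MAGIC + struct.pack("<I", crc) + b"\x00" * (DATA_OFFSET - 8)
    return header + payload


def build_real_zip() -> bytes:
    """A benign in-memory ZIP whose local header also starts with PK\\x03\\x04."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "benign archive")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_mod(SAMPLE_KEY, SAMPLE_PLAINTEXT)
    info = parse_mod(sample)
    print("sample  crc_ok=%s  pack=%s" % (info["crc_ok"], looks_like_andromeda_pack(sample)))
    print("decrypted:", decrypt_payload(sample, SAMPLE_KEY))
    print("real zip pack=%s" % looks_like_andromeda_pack(build_real_zip()))
```

The CRC check is the useful part for triage: PK\03\04 alone matches every ZIP on disk, but a CRC32 over offset 0x1C to EOF that equals the 32-bit field at offset 4 is a property a genuine local file header does not have. Once the key is recovered from the loader, `decrypt_payload` gives the aPLib stream, which still needs an aPLib depacker before the plugin can be analysed.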

-- 
You received this message because you are subscribed to the Google Groups 
"Project Hosting on Google Code" group.
Visit this group at http://groups.google.com/group/google-code-hosting.