Live Botnet Feed
We are currently preparing a "live" botnet feed, i.e., when we detect a botnet during malware analysis with CWSandbox, we send out an e-mail containing some information about it. A (sanitized) sample report looks like:
file 6908ef042be18d741f943b60eb25bf00.exe, filesize 102400
DNS Lookup
IP Address: XXX.125.184.YYY
Host Name: BAR.FOO.us
C&C Server: XXX.125.184.YYY:6667 (successful)
Server Password:
Username: XP-438902
Nickname: XP-438902
Channel: #dad
Channelpassword: pass
This kind of information should help network administrators, and perhaps other security-interested people as well, to protect their network / environment. If you are interested in such a feed, please contact me (thorsten [dot] holz [at] gmail [dot] com).
BTW: the above-mentioned botnet is still live after a couple of weeks. Some details about it:
:RE 001 XP-438902 :Welcome to the RE server XP-438902
:RE 002 XP-438902 :Your host is RE, running version 5.5.2453
:RE 003 XP-438902 :This server was created Sep 9 2000 at 01:20:51 PDT
:RE 004 XP-438902 RE 5.5.2453 aioxz abcdefhiklmnoprstuvxyz
:RE 251 XP-438902 :There are 2760 users and 2705 invisible on 1 servers
:RE 252 XP-438902 2 :operator(s) online
:RE 253 XP-438902 4 :unknown connection(s)
:RE 254 XP-438902 17 :channels formed
:RE 255 XP-438902 :I have 2760 clients and 0 servers
:RE 265 XP-438902 :Current local users: 2760 Max: 7967
:RE 266 XP-438902 :Current global users: 2760 Max: 7967
:RE 422 XP-438902 :MOTD File is missing
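As an added example (not part of the original post, and not CWSandbox code), the IRC numeric replies above can be parsed to recover the C&C server facts a feed report would carry: server name, advertised version, the bot's nickname, user and channel counts, and whether the MOTD is missing. The session text is embedded as a constructed copy of the lines shown above; the `XP-` nickname check is a heuristic drawn from this one sample and is an assumption, not a general rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the numeric replies from the post, as a raw IRC session.
SAMPLE_SESSION = """\
:RE 001 XP-438902 :Welcome to the RE server XP-438902
:RE 002 XP-438902 :Your host is RE, running version 5.5.2453
:RE 003 XP-438902 :This server was created Sep 9 2000 at 01:20:51 PDT
:RE 004 XP-438902 RE 5.5.2453 aioxz abcdefhiklmnoprstuvxyz
:RE 251 XP-438902 :There are 2760 users and 2705 invisible on 1 servers
:RE 252 XP-438902 2 :operator(s) online
:RE 253 XP-438902 4 :unknown connection(s)
:RE 254 XP-438902 17 :channels formed
:RE 255 XP-438902 :I have 2760 clients and 0 servers
:RE 265 XP-438902 :Current local users: 2760 Max: 7967
:RE 266 XP-438902 :Current global users: 2760 Max: 7967
:RE 422 XP-438902 :MOTD File is missing
"""

# Heuristic taken from the sample: the bot used "XP-" followed by digits as nick.
# This is an assumption for illustration, not a rule that generalizes.
BOT_NICK_PATTERN = re.compile(r"^XP-\d+$")


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str], Optional[str]]:
    """Split one server->client IRC message into (prefix, command, params, trailing).

    RFC 1459 framing: an optional ':prefix', a command (word or 3-digit numeric),
    space-separated middle parameters, and an optional ':trailing' parameter
    that may itself contain spaces.
    """
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    return prefix, parts[0], parts[1:], trailing


@dataclass
class ServerSummary:
    server: Optional[str] = None
    version: Optional[str] = None
    our_nick: Optional[str] = None
    local_users: Optional[int] = None
    max_users: Optional[int] = None
    channels: Optional[int] = None
    operators: Optional[int] = None
    motd_missing: bool = False
    nick_matches_sample: bool = False


def summarize_session(raw: str) -> ServerSummary:
    """Walk the numeric replies and fill a summary suitable for a feed report."""
    s = ServerSummary()
    for line in raw.splitlines():
        if not line.strip():
            continue
        prefix, cmd, params, trailing = parse_irc_line(line)
        if cmd == "001":          # RPL_WELCOME: server prefix and the nick we joined as
            s.server = prefix
            s.our_nick = params[0]
            s.nick_matches_sample = bool(BOT_NICK_PATTERN.match(params[0]))
        elif cmd == "004":        # RPL_MYINFO: <nick> <servername> <version> <modes>...
            s.version = params[2]
        elif cmd == "252":        # RPL_LUSEROP: <nick> <count> :operator(s) online
            s.operators = int(params[1])
        elif cmd == "254":        # RPL_LUSERCHANNELS: <nick> <count> :channels formed
            s.channels = int(params[1])
        elif cmd == "265" and trailing:  # RPL_LOCALUSERS, free-text trailing parameter
            m = re.search(r"Current local users:\s*(\d+)\s+Max:\s*(\d+)", trailing)
            if m:
                s.local_users, s.max_users = int(m.group(1)), int(m.group(2))
        elif cmd == "422":        # ERR_NOMOTD
            s.motd_missing = True
    return s


if __name__ == "__main__":
    print(summarize_session(SAMPLE_SESSION))
```

The parser keeps the IRC framing separate from the per-numeric handling, so adding another reply code (251, 255, 266) is a one-line change; the trailing parameter is only searched with a regex where the text is free-form, while counts that arrive as middle parameters are read positionally.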