

New Botnet Elite Fuckers !!!

']['€AM€LiT€ Forum - News, Reports and Alerts

 
 Max_Mafiotu

  2009-07-22
  18:38:17

 
• EViL][NiGhT •: Pass this message on. How do you crack an ID??? (An ID can't be cracked) But.... you can send an e-mail or X.exe, for example, to someone, and you will receive an e-mail with the e-mail address + password - http://romania.elitte-squad.ro/x.exe

____________________
 Max_Mafiotu

  2009-07-22
  18:43:58

 
http://www.virustotal.com/analisis/879734d23ad41aa67deac155d268ffe5ac6c728696e60ba70f38b0b6dbbf27cc-1248284852
 Vektor

  2009-07-25
  09:33:21

 
Thanks for the Virustotal link, I got 2 different x.exe's from that address (virustotal: 1 , 2) and now I got the 3rd. Anyway, the botnet server is the same -> hashcheri.elitte-squad.ro:1111 , channel: #te@sucks . The difference is the login password for bots and the fact that the !remove function was left out.

hashcheri.elitte-squad.ro:1111 wrote:
[10:13] Private message from [-ES-]-069195: <[-ES-]-069195> MAIN// Password accepted.
[10:13] Private message from [-ES-]-069195: <[-ES-]-069195> FILE// Deleted 'c:\boot.ini'.
[10:13] Private message from [-ES-]-069195: <[-ES-]-069195> FILE// Error: Access is denied <5>.
[10:13] Private message from [-ES-]-069195: <[-ES-]-069195> MAIN// Rebooting system.
[10:13] *** Parts: [-ES-]-069195
[10:13] Private message from [-ES-]-302114: <[-ES-]-302114> FILE// Error: The system cannot find the file specified <2>.
[10:13] Private message from [-ES-]-302114: <[-ES-]-302114> MAIN// Rebooting system.
[10:13] *** Parts: [-ES-]-302114
[10:13] <my.server.name> [-ES-]-302114 :No such nick
[10:13] Private message from [-ES-]-634777: <[-ES-]-634777> MAIN// Password accepted.
[10:13] Private message from [-ES-]-634777: <[-ES-]-634777> FILE// Deleted 'c:\boot.ini'.
[10:13] Private message from [-ES-]-634777: <[-ES-]-634777> MAIN// Rebooting system.
[10:13] *** Parts: [-ES-]-634777
[10:13] <my.server.name> [-ES-]-634777 :No such nick
[10:13] Private message from [-ES-]-863571: <[-ES-]-863571> MAIN// Password accepted.
[10:13] Private message from [-ES-]-863571: <[-ES-]-863571> FILE// Error: Access is denied <5>.
[10:13] Private message from [-ES-]-863571: <[-ES-]-863571> MAIN// Rebooting system.
[10:13] Private message from [-ES-]-863571: <[-ES-]-863571> MAIN// Crashing bot.
[10:13] *** Parts: [-ES-]-863571
[10:14] *** Joins: [-ES-]-630636
[10:14] Private message from [-ES-]-630636: <[-ES-]-630636> MAIN// Password accepted.
[10:14] Private message from [-ES-]-630636: <[-ES-]-630636> FILE// Error: The system cannot find the file specified <2>.
[10:14] Private message from [-ES-]-630636: <[-ES-]-630636> MAIN// Rebooting system.
[10:14] *** Parts: [-ES-]-630636
[10:15] *** Joins: [-ES-]-329946
[10:15] *** Joins: [-ES-]-983521
[10:17] *** Joins: [-ES-]-698494
[10:19] Private message from [-ES-]-329946: <[-ES-]-329946> MAIN// Password accepted.
[10:19] Private message from [-ES-]-329946: <[-ES-]-329946> FILE// Error: Access is denied <5>.
[10:19] Private message from [-ES-]-329946: <[-ES-]-329946> MAIN// Rebooting system.
[10:19] *** Parts: [-ES-]-329946
[10:19] Private message from [-ES-]-698494: <[-ES-]-698494> MAIN// Password accepted.
[10:19] Private message from [-ES-]-698494: <[-ES-]-698494> FILE// Error: The system cannot find the file specified <2>.
[10:19] Private message from [-ES-]-698494: <[-ES-]-698494> MAIN// Rebooting system.
[10:19] Private message from [-ES-]-698494: <[-ES-]-698494> MAIN// Crashing bot.
[10:19] *** Parts: [-ES-]-698494
[10:19] Private message from [-ES-]-983521: <[-ES-]-983521> MAIN// Password accepted.
[10:19] Private message from [-ES-]-983521: <[-ES-]-983521> FILE// Error: The system cannot find the file specified <2>.
[10:19] Private message from [-ES-]-983521: <[-ES-]-983521> MAIN// Rebooting system.
[10:19] *** Parts: [-ES-]-983521
[10:19] <my.server.name> [-ES-]-983521 :No such nick
[10:21] *** Joins: [-ES-]-565690
[10:21] *** Joins: [-ES-]-322559
[10:21] Private message from [-ES-]-322559: <[-ES-]-322559> MAIN// Password accepted.
[10:21] Private message from [-ES-]-322559: <[-ES-]-322559> FILE// Error: Access is denied <5>.
[10:21] Private message from [-ES-]-322559: <[-ES-]-322559> MAIN// Rebooting system.
[10:21] *** Parts: [-ES-]-322559
[10:21] Private message from [-ES-]-565690: <[-ES-]-565690> MAIN// Password accepted.
[10:21] Private message from [-ES-]-565690: <[-ES-]-565690> FILE// Error: The system cannot find the file specified <2>.
[10:21] Private message from [-ES-]-565690: <[-ES-]-565690> MAIN// Rebooting system.
[10:21] *** Parts: [-ES-]-565690
[10:21] <my.server.name> [-ES-]-565690 :No such nick
[10:22] *** Joins: [-ES-]-565690
[10:22] *** Joins: [-ES-]-972012
[10:22] *** Joins: [-ES-]-902035
[10:23] Private message from [-ES-]-565690: <[-ES-]-565690> MAIN// Password accepted.
[10:23] Private message from [-ES-]-565690: <[-ES-]-565690> FILE// Error: The system cannot find the file specified <2>.
[10:23] *** Parts: [-ES-]-565690
[10:23] Private message from [-ES-]-902035: <[-ES-]-902035> MAIN// Password accepted.
[10:23] Private message from [-ES-]-902035: <[-ES-]-902035> FILE// Error: Access is denied <5>.
[10:23] Private message from [-ES-]-902035: <[-ES-]-902035> MAIN// Rebooting system.
[10:23] Private message from [-ES-]-902035: <[-ES-]-902035> MAIN// Crashing bot.
[10:23] *** Parts: [-ES-]-902035
[10:23] Private message from [-ES-]-972012: <[-ES-]-972012> MAIN// Password accepted.
[10:23] Private message from [-ES-]-972012: <[-ES-]-972012> FILE// Error: The system cannot find the file specified <2>.
[10:23] Private message from [-ES-]-972012: <[-ES-]-972012> MAIN// Rebooting system.
[10:23] *** Parts: [-ES-]-972012
[10:23] <my.server.name> [-ES-]-972012 :No such nick
[10:24] *** Joins: [-ES-]-014994
[10:24] *** Joins: [-ES-]-776350
[10:25] Private message from [-ES-]-014994: <[-ES-]-014994> MAIN// Password accepted.
[10:25] Private message from [-ES-]-014994: <[-ES-]-014994> FILE// Error: The system cannot find the file specified <2>.
[10:25] Private message from [-ES-]-014994: <[-ES-]-014994> FILE// Rename: 'c:\ntldr' to: 'c:\nt_ldr'.
[10:25] Private message from [-ES-]-014994: <[-ES-]-014994> MAIN// Rebooting system.
[10:25] Private message from [-ES-]-014994: <[-ES-]-014994> MAIN// Crashing bot.
[10:25] *** Parts: [-ES-]-014994
[10:25] Private message from [-ES-]-776350: <[-ES-]-776350> MAIN// Password accepted.
[10:25] Private message from [-ES-]-776350: <[-ES-]-776350> FILE// Rename: 'c:\boot.ini' to: 'c:\boot.bak'.
[10:25] Private message from [-ES-]-776350: <[-ES-]-776350> FILE// Rename: 'c:\ntldr' to: 'c:\nt_ldr'.
[10:25] Private message from [-ES-]-776350: <[-ES-]-776350> MAIN// Rebooting system.
[10:25] Private message from [-ES-]-776350: <[-ES-]-776350> MAIN// Crashing bot.
[10:25] *** Parts: [-ES-]-776350
[10:44] *** Joins: [-ES-]-650550
[10:45] *** Parts: [-ES-]-650550
[11:15] *** Joins: [-ES-]-923988
[11:17] Private message from [-ES-]-923988: <[-ES-]-923988> MAIN// Password accepted.
[11:17] Private message from [-ES-]-923988: <[-ES-]-923988> FILE// Rename: 'c:\boot.ini' to: 'c:\boot.bak'.
[11:17] *** Parts: [-ES-]-923988
[11:18] *** Joins: [-ES-]-318260
[11:29] *** Joins: EViL][NiGhT
[11:30] Private message from [-ES-]-318260: <[-ES-]-318260> MAIN// Password accepted.
[11:30] Private message from [-ES-]-318260: <[-ES-]-318260> FILE// Error: The system cannot find the file specified <2>.
[11:30] Private message from [-ES-]-318260: <[-ES-]-318260> FILE// Error: The system cannot find the file specified <2>.
[11:30] Private message from [-ES-]-318260: <[-ES-]-318260> MAIN// Rebooting system.
[11:30] Private message from [-ES-]-318260: <[-ES-]-318260> MAIN// Crashing bot.
[11:30] *** Parts: [-ES-]-318260
[11:30] <my.server.name>
EViL__NiGh 79.116.233.151 * :EViL][NiGhT
#te@sucks
my.server.name :I'm too lazy to edit ircd.conf
23 1248510590 :seconds idle, signon time
End of /WHOIS list.
[11:30] <my.server.name>
Dark_Knigh dark * :DarK_KnighT
@#te@sucks @#shitload
my.server.name :I'm too lazy to edit ircd.conf
6617 1248428733 :seconds idle, signon time
End of /WHOIS list.
[11:30] <my.server.name> Channel :Users  Name
#te@sucks 3 :
#shitload 1 :
End of /LIST
 Vektor

  2009-07-25
  18:51:06

 
hashcheri.elitte-squad.ro:1111 wrote:
[20:43] *** Connected
[20:43] *** Looking up your hostname
[20:43] *** Checking Ident
[20:43] *** Join/part showing on
[20:43] *** Couldn't look up your hostname
[20:43] *** No ident response
[20:43] <my.server.name> MODE :Register first.
[20:43] <my.server.name> Welcome to the Internet Relay Network [-ES-]-668505
Your host is my.server.name, running version beware1.5.7
This server was created Tue Jul 13 2004 at 20:36:07 GMT
my.server.name beware1.5.7 dgikoswx biklmnoprstv
MAP SILENCE=15 WHOX WALLCHOPS WALLVOICES USERIP CPRIVMSG CNOTICE MODES=6 MAXCHANNELS=100 MAXBANS=45 :are su
[20:43] pported by this server
[20:43] <my.server.name> NICKLEN=30 TOPICLEN=160 AWAYLEN=160 KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,rimnpst CASEMAPPING=rfc1459 :are supported by this server
There are 6 users and 0 invisible on 1 servers
1 :unknown connection(s)
2 :channels formed
I have 6 clients and 0 servers
[20:43] *** [-ES-]-668505 Highest connection count: 6 (6 clients)
[20:43] <my.server.name> MOTD File is missing
[20:43] *** [-ES-]-668505 on 1 ca 1(4) ft 10(10)
[20:43] *** Joins: EViL][NiGhT
[20:43] *** Joins: [-ES-]-948879
[20:43] *** Joins: [-ES-]-090527
[20:43] *** Joins: DarK_KnigT
[20:45] <[-ES-]-965398> [-ES-]-965398 is kicking DarK_KnigT because: fraiere
[20:45] *** Parts: DarK_KnigT
[20:45] <[-ES-]-965398> [-ES-]-965398 is kicking EViL][NiGhT because: fraiere
[20:45] *** Parts: EViL][NiGhT
[20:46] *** Parts: [-ES-]-965398
[20:46] *** Joins: [-ES-]-965398
[20:46] Private message from [-ES-]-090527: <[-ES-]-090527> MAIN// Password accepted.
[20:46] Private message from [-ES-]-090527: <[-ES-]-090527> FILE// Rename: 'c:\boot.ini' to: 'c:\boot.bak'.
[20:46] Private message from [-ES-]-090527: <[-ES-]-090527> FILE// Rename: 'c:\ntldr' to: 'c:\nt_ldr'.
[20:46] Private message from [-ES-]-090527: <[-ES-]-090527> MAIN// Rebooting system.
[20:46] *** Parts: [-ES-]-090527
[20:46] <my.server.name> [-ES-]-090527 :No such nick
[20:46] Private message from [-ES-]-948879: <[-ES-]-948879> MAIN// Password accepted.
[20:46] Private message from [-ES-]-948879: <[-ES-]-948879> FILE// Rename: 'c:\boot.ini' to: 'c:\boot.bak'.
[20:46] Private message from [-ES-]-948879: <[-ES-]-948879> FILE// Rename: 'c:\ntldr' to: 'c:\nt_ldr'.
[20:47] Private message from [-ES-]-948879: <[-ES-]-948879> MAIN// Rebooting system.
[20:47] *** Parts: [-ES-]-948879
[20:47] <my.server.name> [-ES-]-948879 :No such nick
[20:47] *** Parts: [-ES-]-965398
[20:47] *** Disconnected


hashcheri.elitte-squad.ro:1111 wrote:

[20:47] *** Connecting to hashcheri.elitte-squad.ro:1111...
[20:47] *** Connection timeout
[20:47] *** Connecting to hashcheri.elitte-squad.ro:1111...
[20:48] *** Connection timeout
[20:49] *** Connecting to hashcheri.elitte-squad.ro:1111...
[20:50] *** Connection timeout
[20:50] *** Connecting to hashcheri.elitte-squad.ro:1111...
[20:50] *** Connection timeout
 Max_Mafiotu

  2009-07-25
  21:33:07

 
gj, please remove the ban from my range too !!!
 Vektor

  2009-07-25
  21:38:31

 
Unbanned.
 Max_Mafiotu

  2009-07-25
  21:42:44

 
thx bro >:D<
 Max_Mafiotu

  2009-07-25
  21:45:54

 
Max_Mafiotu wrote:
thx bro, but what do you decrypt them with?
 Vektor

  2009-07-25
  21:51:07

 
They decrypt themselves in the debugger.
 Max_Mafiotu

  2009-07-25
  21:52:29

 
What programs do you use?
 [-TE-]-Methodman

  2009-07-25
  21:53:58

 
@Max_Mafiotu rather a lot of questions, don't you think... and where do you get the nerve to still come in here?
 Vektor

  2009-07-25
  21:57:41

 
Someone already asked that, in a topic you actually replied to.
 Max_Mafiotu

  2009-07-25
  22:01:06

 
Methodman, calm down brother, I didn't come in here to make a scene or anything like that!
 [-TE-]-Methodman

  2009-07-26
  12:05:38

 
We know well enough why you came in, and I think you'd do well to say it outright without dragging this thread out pointlessly.

BTW, did you come to the conclusion that you're not capable of setting up a botnet, so you figured it would be much simpler to "hunt" the ready-made ones? :-D
 Max_Mafiotu

  2009-07-26
  20:17:55

 
Hey Methodman, but why should I struggle to make 100000 botnets if you guys break them, ffs... it's not worth it :)
 Vektor

  2009-08-01
  18:31:30

 
Quote:
Ionutz Ultras™: How do you crack an ID???, (An ID can't be cracked), But.... you can send an e-mail, or HackYahoo.exe taken from this link -> w w w . fileshare. r o/1382570078.58 , for example: you take the program from here, pass it on and... you receive an e-mail with the victim's e-mail details + password


Hack Yahoo.exe.exe is also RxBot, this time bound with a Russian virus written in Delphi (Win32.Neshta.A) which creates a svchost.com file and registers it for the .exe extension. A WinLicense-encrypted RxBot (compiled: D:\BoTneT\Bot\Rxbot 7.6\Debug\rBot.pdb) is extracted in Temp\ and executed; the botnet server is, again, hashcheri.elitte-squad.ro:1111, channel #cluj, prefix for bots: [-ES-TS-]-, login password: terrorsquad09. I don't know how many people remain infected with a trojan that has 100% CPU usage when connected to the IRC server (a new "feature" of "RomaNBoT ModeeD By DarK_KnighT"), but as I see, they finally realized they have no good reason to keep that IRC server up (the only bot left was the trojan spreader himself).

hashcheri.elitte-squad.ro:1111 wrote:
[20:24] *** Connecting to hashcheri.elitte-squad.ro:1111...
[20:25] *** Connection refused by target machine
[20:27] *** Connecting to hashcheri.elitte-squad.ro:1111...
[20:27] *** Connection refused by target machine
[20:29] *** Connecting to hashcheri.elitte-squad.ro:1111...
[20:29] *** Connection refused by target machine
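
Added example, not part of any post in this thread: a small detector that turns the indicators Vektor lists (server and port, bot nick prefixes, channels, the MAIN// and FILE// reply format) into a scan over outbound IRC records. The record layout, the sample addresses and irc.example.net, the six-digit nick suffix (inferred from the logs above) and the strong/weak scoring rule are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Indicators from the thread; the six-digit nick suffix is inferred from its logs.
C2_ENDPOINT = ("hashcheri.elitte-squad.ro", "1111")
BOT_NICK = re.compile(r"\[-ES-(?:TS-)?\]-\d{6}")
BOT_CHANNELS = {"#te@sucks", "#cluj"}
BOT_REPLY = re.compile(r"(?:MAIN|FILE)// ")
STRONG = {"c2-endpoint", "bot-nick"}  # enough on their own to flag a host

# Constructed records: "<src_ip> <dst_host>:<dst_port> <raw IRC line sent by src>"
SAMPLE = [
    "10.0.0.5 hashcheri.elitte-squad.ro:1111 NICK [-ES-]-000001",
    "10.0.0.5 hashcheri.elitte-squad.ro:1111 JOIN #te@sucks",
    "10.0.0.5 hashcheri.elitte-squad.ro:1111 PRIVMSG op :MAIN// Password accepted.",
    "10.0.0.9 irc.example.net:6667 NICK alice",
    "10.0.0.9 irc.example.net:6667 JOIN #cluj",            # common name: weak alone
    "10.0.0.7 irc.example.net:6667 NICK [-ES-TS-]-123456",  # bot nick, other server
    "10.0.0.8 irc.example.net:6667 PRIVMSG #chat :what does MAIN// mean?",
]

def indicators(record):
    """Return (src_ip, set of indicator names) for one record, None if malformed."""
    parts = record.split(" ", 3)
    if len(parts) < 3 or ":" not in parts[1]:
        return None
    src, dst, verb = parts[0], parts[1], parts[2].upper()
    arg = parts[3] if len(parts) == 4 else ""
    host, _, port = dst.rpartition(":")
    found = set()
    if (host.lower(), port) == C2_ENDPOINT:
        found.add("c2-endpoint")
    if verb == "NICK" and BOT_NICK.fullmatch(arg.strip()):
        found.add("bot-nick")
    if verb == "JOIN" and set(arg.split(" ")[0].lower().split(",")) & BOT_CHANNELS:
        found.add("bot-channel")
    # Only the start of the message text counts, so chat that merely mentions MAIN// is ignored.
    if verb == "PRIVMSG" and BOT_REPLY.match(arg.partition(" :")[2]):
        found.add("bot-reply")
    return src, found

def scan(records):
    """Flag hosts with one strong indicator, or at least two distinct weak ones."""
    seen = defaultdict(set)
    for record in records:
        parsed = indicators(record)
        if parsed:
            seen[parsed[0]] |= parsed[1]
    return {ip: sorted(f) for ip, f in seen.items() if f & STRONG or len(f) >= 2}
```

The channel name alone is treated as weak because a name like #cluj can exist on unrelated servers; the nick prefix still flags a host after the bot is pointed at a different server.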
 Max_Mafiotu

  2009-08-06
  14:16:52

 
Vektor, go after the ones from T-S, because they know how to make botnets too =) maybe they'll complain to you