[AusNOG] Flows to indicating bot or keylogger activity (AUSCERT#20078b140)

matthew at auscert.org.au
Mon Mar 5 18:06:55 EST 2007


Greetings all,

We've received some incident information that indicates that there is a
bot network command and control hosted on:

on port 80 - specifically the request would be to:

  hxxp:// /myhome /in. php

The bots in question are taking their DDoS instructions from there.  So
if you have any flows toward that then that may indicate you have a

Alternatively, it could also indicate that a keylogger trojan known as Bzub is
logging compromised account credentials.  We've had a recent incident where
a trojan dropper was spammed heavily that ultimately pulled down the Bzub
trojan from (url modified as trojan is still there):

  hxxp://marketing-know-how. com/products /bild_album. exe

and this keylogger logs to:

  hxxp:// /sqlstat /info. php

All up, traffic to is probably a sign of bad things.  That
being said - if anyone has what they think are bot infections relating to
this we would be very interested in hearing about it.  We are particularly
keen to get a sample of the bot itself.

Any feedback greatly appreciated.

Thanks for your time,

-- Matthew McGlashan --
Coordination Centre Team Leader             | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct:  +61 7 3365 7924
(AusCERT)                                   | Fax:     +61 7 3365 7031
The University of Queensland                | WWW:     www.auscert.org.au
Qld 4072 Australia                          | Email: auscert at auscert.org.au

Comment: http://www.auscert.org.au/render.html?it=1967


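The notice above names two kinds of evidence an operator can look for: HTTP requests to the specific paths (`/myhome/in.php` for the DDoS bot check-in, `/sqlstat/info.php` for the Bzub keylogger upload, and the `bild_album.exe` dropper download) and plain flow records toward the command-and-control host on port 80. The following is an added example, not part of Matthew's post or any AusCERT tooling, that runs both checks over a few constructed proxy-log lines and flow records. The C2 address is redacted in the post, so `C2_HOST` is a TEST-NET placeholder to be replaced with the real value; the log and flow formats are likewise assumed, simplified layouts.

```python
"""Match proxy-log lines and flow records against the indicators from the
AusCERT notice. Added example; formats and the C2 address are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# The notice redacts the C2 address; this is a PLACEHOLDER (RFC 5737 TEST-NET-3).
C2_HOST = "203.0.113.10"

# (host, path) pairs taken from the notice, with what a match indicates.
INDICATORS: Dict[Tuple[str, str], str] = {
    (C2_HOST, "/myhome/in.php"): "DDoS bot fetching C2 instructions",
    (C2_HOST, "/sqlstat/info.php"): "Bzub keylogger uploading credentials",
    ("marketing-know-how.com", "/products/bild_album.exe"): "Bzub dropper download",
}

# Constructed sample data (assumed layout: timestamp client method url status).
SAMPLE_PROXY_LOG = """\
2007-03-05T17:58:01 10.0.0.23 GET http://203.0.113.10/myhome/in.php 200
2007-03-05T17:58:04 10.0.0.23 GET http://www.example.com/index.html 200
2007-03-05T17:59:10 10.0.0.41 POST http://203.0.113.10/sqlstat/info.php 200
2007-03-05T18:00:00 10.0.0.57 GET http://marketing-know-how.com/products/bild_album.exe 200
2007-03-05T18:00:07 10.0.0.57 GET http://marketing-know-how.com/ 200
"""

# Constructed sample flows (assumed layout: src dst dport bytes).
SAMPLE_FLOWS = """\
10.0.0.23 203.0.113.10 80 1420
10.0.0.23 198.51.100.7 443 20311
10.0.0.99 203.0.113.10 443 512
"""


@dataclass(frozen=True)
class Hit:
    client: str      # internal host that made the connection
    indicator: str   # which indicator from the notice matched
    evidence: str    # the raw record that matched


def scan_proxy_log(lines: Iterable[str]) -> List[Hit]:
    """Path-level match: only a proxy/HTTP log can tell bot C2 from keylogger traffic."""
    hits: List[Hit] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than abort the whole scan
        _ts, client, _method, url, _status = parts[:5]
        u = urlsplit(url)
        key = ((u.hostname or "").lower(), u.path)
        if key in INDICATORS:
            hits.append(Hit(client, INDICATORS[key], line))
    return hits


def scan_flows(lines: Iterable[str]) -> List[Hit]:
    """Host-level match: a flow to the C2 host on TCP/80 is suspicious but
    carries no URL, so it cannot say which of the two behaviours it is."""
    hits: List[Hit] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        src, dst, dport, _nbytes = parts[:4]
        if dst == C2_HOST and dport == "80":
            hits.append(Hit(src, "TCP/80 flow to C2 host (unclassified)", line))
    return hits


def affected_hosts(hits: Iterable[Hit]) -> List[str]:
    """Distinct internal hosts worth following up, sorted for reporting."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    proxy_hits = scan_proxy_log(SAMPLE_PROXY_LOG.splitlines())
    flow_hits = scan_flows(SAMPLE_FLOWS.splitlines())
    for h in proxy_hits + flow_hits:
        print(f"{h.client}: {h.indicator}\n    {h.evidence}")
    print("hosts to investigate:", affected_hosts(proxy_hits + flow_hits))
```

The flow check deliberately requires port 80, matching the notice; the third sample flow goes to the same host on 443 and is left alone so that the two checks stay faithful to what the post actually describes. A proxy hit on `/sqlstat/info.php` is the one that warrants a credential reset, since that path is the keylogger's upload point.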