Virus Blog

Botnet Playing Pennergame.de

— Posted by zeroq @ 11:36 - 04 Sep, 2008

We recently came across an IRC botnet with mostly German zombie machines. Our botnet detection sensor at RWTH Aachen University detected one infected host. We are currently monitoring the botnet using our infiltrator software and noticed about 188 different bots in the channel.

Several binaries have been advertised in the channel so far:

  • d7867796764fe9095d114f1a02b2662e IE.exe
  • 4fcc736149b8ac46ee31d3763544e058 anita.exe
  • 1059b51a5e4a702895060f8a4c8a8261 mof.exe

According to the traffic captured from the infected host and the sandbox reports of the binaries, the bot herder uses the botnet to play pennergame.de, some kind of browser game...

We see a lot of T-Online, Arcor, and einsundeins customers being infected and, interestingly, according to the country abbreviation, a lot of hosts from Enugu (Nigeria).



SPAM and X-Mailer

— Posted by zeroq @ 13:34 - 03 Sep, 2008

We are currently analysing several thousand spam messages for research purposes and also doing some statistics. The one thing I like is the graph about what X-Mailers were used for sending the spam. We have analysed 136.635 spam emails and here is what we discovered:

So if you want to stop more than 70 percent of spam on the Internet, just go ahead and drop mails from Outlook Express =)
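
One way to compute an X-Mailer breakdown like the one described in this post, as an added example that is not the authors' tooling: the sample messages are constructed, and the version-stripping rule in `mailer_family` is an assumption. The X-Mailer header is set by the sending client, so the counts show what senders claim to use.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample messages (not taken from the analysed corpus).
SAMPLE_SPAM = [
    "From: a@example.com\nX-Mailer: Microsoft Outlook Express 6.00.2900.2180\n"
    "Subject: s1\n\nbody\n",
    "From: b@example.com\nX-Mailer: Microsoft Outlook Express 6.00.2800.1106\n"
    "Subject: s2\n\nbody\n",
    "From: c@example.com\nX-Mailer: The Bat! (v3.0) Professional\n"
    "Subject: s3\n\nbody\n",
    "From: d@example.com\nSubject: s4\n\nbody\n",  # no X-Mailer header at all
    "From: e@example.com\nx-mailer:   microsoft outlook express 5.50.4522.1200\n"
    "Subject: s5\n\nbody\n",
]

# Assumed rule: the product name ends at the first token that looks like a
# version, e.g. " 6.00.2900", " (v3.0)" or " v1.2".
VERSION_START = re.compile(r"\s+[\(\[]?v?\d", re.IGNORECASE)


def mailer_family(value):
    """Reduce a raw X-Mailer value to a lower-cased product family."""
    if value is None:
        return "(none)"
    text = " ".join(str(value).split())  # collapse folding and extra spaces
    match = VERSION_START.search(text)
    if match:
        text = text[:match.start()]
    return text.lower() or "(empty)"


def xmailer_shares(raw_messages):
    """Return [(family, count, percent)] sorted by descending count."""
    counts = Counter(
        mailer_family(message_from_string(raw).get("X-Mailer"))
        for raw in raw_messages
    )
    total = sum(counts.values())
    return [(family, n, round(100.0 * n / total, 1))
            for family, n in counts.most_common()]


if __name__ == "__main__":
    for family, n, pct in xmailer_shares(SAMPLE_SPAM):
        print(f"{pct:5.1f}%  {n:4d}  {family}")
```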


