Tuesday, February 11, 2014

Citadel Network hosted on OneGbits, NL

I discovered and dismantled quite a large network of Citadel botnets last week.
More details on this to follow. 

Hosting network:
inetnum:        5.56.133.0 - 5.56.133.255
netname:        OneGbits
descr:          1 Gbits Com
country:        NL

Statistics Summary:
7 servers
34 control panels
1086 bots total - (you're welcome people)


The chart below details which IPs had Citadel control panels installed. Each entry lists the botnet name, which is also its corresponding encryption key, followed by its bot count. An asterisk marks a panel whose directory also contained a malware binary (Malwr.com links are at the bottom of the post).

5.56.133.46 - 362 bots
bomb - 1
choosen - 6
drsmart - 110
drsmart1 - 2
godwin - 120
jo - 80 *
kazeem - 4
pelumi - 8
slimmy - 6
vip - 25

5.56.133.47 - 213 bots
ben - 121
bobby - 49
dacrown - 0
forever - 23 *
macdavid - 19
prince - 1

5.56.133.44 - 299 bots
babs - 62
dammy - 28
hope - 209

5.56.133.74 - 125 bots
dayo - 3
iguy - 1
ogbos - 2
ogoguy - 2
sender - 117 *

5.56.133.71 - 6 bots
larry-uk - 6

5.56.133.72 - 66 bots
abbey - 3
crown - 9
timo - 2 *
xperiaz - 52 *

5.56.133.73 - 15 bots
blessbayo - 2
drgoody - 9
ebony - 2
hammed - 1
isiaka - 1



Screenshots
Looking at Citadel bots through a WSO shell using a MySQL client.
[Screenshots not preserved in this copy of the post.]

Malware Samples:
https://malwr.com/analysis/ZTE1OGFkNTJkZDkzNDQ4Yzg5MzkzYzY5ZjE5ODUxOTU/
https://malwr.com/analysis/NGIyNWJlMWRjMjRkNGEzYWJmMjI1MzRiN2NlYjczYjY/
https://malwr.com/analysis/YzE2MmI3MTA1MTU2NGFiMzgwOGQ2ZmM2YWUyZTM2MmY/
https://malwr.com/analysis/ZjE0MzBlM2QwMDdkNDJiMzlmZTVhZmM1NjI5MjY1YzQ/
https://malwr.com/analysis/NjlmMDliOGZmZDU1NGNjYmJjMzZiMjkwN2E0NjgyMjk/
