Monday, February 10, 2014

Nigerian Citadel on 5.56.133.47

Citadel - Nigerian Admin, 121 bots

inetnum:        5.56.133.0 - 5.56.133.255
netname:        OneGbits
descr:          1 Gbits Com
country:        NL

We have seen Citadel on this OneGbits network before. Hmm..


At first it seems pretty standard, nothing too interesting here.


Someone loved this botnet:
121 bots
+200k reports


Bots


Open directory listings.
Hmm.. There is more than one panel on this machine.
Not too many bots in these ones.

A malware sample.

nforever.exe
474af7ac6f494a9c5ba1dcd97c72dc6a



As you can see from the screenshots, this is the URL of the panel:

hxxp://5.56.133.47/office/ben/server/cp.php?m=stats_main

I dropped a shell and had a peek at the logs - grep for what we need.

41.190.3.178 - - [07/Jan/2014:12:48:02 -0800] "GET /office/ben/server/install/ HTTP/1.1" 200 3685
41.190.3.178 - - [07/Jan/2014:12:49:05 -0800] "GET /office/ben/server/cp.php?m=login HTTP/1.1" 200 1470
41.190.3.178 - - [07/Jan/2014:12:49:16 -0800] "GET /office/ben/server/cp.php?m=home HTTP/1.1" 200 8293
41.138.185.216 - - [20/Jan/2014:23:29:39 -0800] "GET /office/ben/server/cp.php?m=reports_db&bots=ADMIN-PC_E532648A321E07F6&botnets=&ips=&countries=&q=&qstop=&urlmask=&blt=0&online=0&cs=0&grouping=0&nonames=0&rm=0&date=140121 HTTP/1.1" 200 627


We can see that the installation occurred on 7-Jan-2014 and, from the control panel, that the first activity was on 9-Jan-2014. The IP addresses of both the installer and the user are in Lagos, Nigeria.
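The timeline above comes from reading the panel's access log by hand. The following is an added example, not the author's script, showing how a responder can reconstruct the same timeline automatically: it parses Apache combined-format lines, keeps only requests under the panel prefix quoted in the post (`/office/ben/server/`), distinguishes the installer and `cp.php` modules, and reports the first install, the first login and the set of operator IPs. The four log lines are the ones quoted above, embedded here as sample input; the regex assumes the standard Apache log layout and the helper names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Sample input: the four access-log entries quoted in the post.
SAMPLE_LOG = """\
41.190.3.178 - - [07/Jan/2014:12:48:02 -0800] "GET /office/ben/server/install/ HTTP/1.1" 200 3685
41.190.3.178 - - [07/Jan/2014:12:49:05 -0800] "GET /office/ben/server/cp.php?m=login HTTP/1.1" 200 1470
41.190.3.178 - - [07/Jan/2014:12:49:16 -0800] "GET /office/ben/server/cp.php?m=home HTTP/1.1" 200 8293
41.138.185.216 - - [20/Jan/2014:23:29:39 -0800] "GET /office/ben/server/cp.php?m=reports_db&bots=ADMIN-PC_E532648A321E07F6&botnets=&ips=&countries=&q=&qstop=&urlmask=&blt=0&online=0&cs=0&grouping=0&nonames=0&rm=0&date=140121 HTTP/1.1" 200 627
"""

# Panel location taken from the URL in the post.
PANEL_PREFIX = "/office/ben/server/"

# Apache combined/common log format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query)
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "path": parts.path,
        "module": qs.get("m", [None])[0],   # cp.php?m=<module>
        "status": int(m.group("status")),
    }


def classify(rec):
    """Label a parsed request as installer, a cp.php module, or other panel traffic."""
    if not rec["path"].startswith(PANEL_PREFIX):
        return None                          # not the panel; ignore
    if rec["path"].startswith(PANEL_PREFIX + "install/"):
        return "install"
    if rec["path"] == PANEL_PREFIX + "cp.php":
        return "cp:" + (rec["module"] or "?")
    return "other"


def timeline(log_text):
    """Sorted list of (timestamp, ip, kind) for every panel request in the log."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        events.append((rec["ts"], rec["ip"], kind))
    events.sort()
    return events


def summarize(log_text):
    """First install, first login, and the IPs that touched the panel."""
    events = timeline(log_text)
    first = {}
    by_ip = defaultdict(set)
    for ts, ip, kind in events:
        first.setdefault(kind, (ts, ip))     # earliest occurrence of each kind
        by_ip[ip].add(kind)
    return {
        "first_install": first.get("install"),
        "first_login": first.get("cp:login"),
        "operator_ips": sorted(by_ip),
        "events": events,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("first install:", s["first_install"])
    print("first login:  ", s["first_login"])
    print("operator IPs: ", s["operator_ips"])
    for ts, ip, kind in s["events"]:
        print(ts.isoformat(), ip, kind)
```

Bot check-ins hit a different path than the operator's `cp.php`, so filtering on the `install/` directory and the `m=` module keeps the operator's own sessions separate from the victim traffic; feeding the full log through `summarize()` gives the install date, the first login and every source address to hand to the hosting provider.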

It looks like some Yahoo boys are back at their old tricks.

I have taken this pile of junk down.


There is more to this story. Coming soon.
