We have received information about a suspected Rovnix botnet controller currently using at least two domains, mashevserv[.]com and ericpotic[.]com, both pointing to the same IP address, 188.8.131.52 (AS 44050). This is the information we currently have that should help identify whether any hosts in your network are contacting this botnet:

mashevserv[.]com/config.php?version=[value here]&user=[value here]&server=[value here]&id=[value here]&crc=[value here]&aid=[value here] is where the compromised clients send an HTTP GET request when requesting a configuration file. If the correct values are supplied, the server returns an encrypted configuration file.

mashevserv[.]com/admin appears to be the admin console.

ericpotic[.]com/task.php has similar values appended to it, and when the GET request is made it appears to be some sort of check-in to tell the server that the client is alive.
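The indicators above translate directly into a proxy-log sweep. The following is an added example written for this page, not code from the original notice: it keeps the domains defanged as printed, refangs them only at match time, and labels each hit by the URL pattern the notice describes (config.php with all six query parameters, task.php check-in, the /admin console, or any other contact with the controller host or IP). The log layout ("timestamp client_ip method url status") and the sample lines are constructed assumptions; adapt the regex to your proxy's format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators quoted in the notice above, kept defanged as printed and
# refanged only when matching.
IOC_DOMAINS = {"mashevserv[.]com", "ericpotic[.]com"}
IOC_IPS = {"188.8.131.52"}
# Query parameters the notice lists on the config.php request.
CONFIG_PARAMS = {"version", "user", "server", "id", "crc", "aid"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a matchable host ("a.b")."""
    return ioc.replace("[.]", ".")


C2_HOSTS = {refang(d) for d in IOC_DOMAINS} | IOC_IPS

# Assumed (constructed) proxy log layout: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample lines: three infected clients, one benign lookalike, one
# analyst poking the admin console, one bare contact with the C2 host.
SAMPLE_LOG = """\
2013-12-08T10:02:11Z 10.1.2.33 GET http://mashevserv.com/config.php?version=1&user=abc&server=1&id=1234&crc=ff&aid=5 200
2013-12-08T10:03:44Z 10.1.2.33 GET http://ericpotic.com/task.php?version=1&user=abc&server=1&id=1234&crc=ff&aid=5 200
2013-12-08T10:05:00Z 10.1.2.90 GET http://188.8.131.52/task.php?id=9 200
2013-12-08T10:06:12Z 10.1.2.12 GET http://example.org/config.php?version=1 200
2013-12-08T10:07:30Z 10.1.2.51 GET http://mashevserv.com/admin 403
2013-12-08T10:08:00Z 10.1.2.70 GET http://mashevserv.com/ 200
"""


def classify(url: str):
    """Label a URL that touches the Rovnix controller, or return None if unrelated."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname drops any :port suffix
    if host not in C2_HOSTS:
        return None
    path = parts.path.rstrip("/") or "/"
    params = set(parse_qs(parts.query, keep_blank_values=True))
    if path == "/config.php" and CONFIG_PARAMS <= params:
        return "config-request"          # bot fetching its encrypted config
    if path == "/task.php":
        return "checkin"                 # bot telling the server it is alive
    if path == "/admin":
        return "admin-console"           # someone browsing the panel
    return "c2-host"                     # any other contact with the controller


def scan_log(text: str):
    """Return (client_ip, label, url) for every log line that reaches the C2."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        label = classify(m.group("url"))
        if label:
            hits.append((m.group("client"), label, m.group("url")))
    return hits


if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client:12} {label:15} {url}")
```

The benign example.org line is deliberately left unflagged: the path and parameter names alone are not an indicator, only their combination with the listed hosts is. A client that shows up with both a config-request and a checkin is the strongest signal that it is running the bot rather than, say, a security scanner fetching the URLs.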