[Xylitol]

Trojan.Spambot: Tedroo

infos:
https://www.mysonicwall.com/sonicalert/ ... cle&id=317
http://www.bitdefender.com/VIRUS-100036 ... edroo.html

20/42 >> 47.6%
http://www.virustotal.com/file-scan/rep ... 1306935223

Code: Select all

220 mx.google.com ESMTP e25si2595928anp.203
HELO mx1.jbsl.com
250 mx.google.com at your service
MAIL FROM:<kdkddfbf@uaag.com>
250 2.1.0 OK e25si2595928anp.203
RCPT TO:<japanisalie@gmail.com>
250 2.1.5 OK e25si2595928anp.203
DATA
354  Go ahead e25si2595928anp.203
Received: from [197.148.108.118] ([193.165.191.159] helo=localhost.localdomain)
.by smtpn.cmffex.com (envelope-from <kdkddfbf@uaag.com>)
.(ecelerity 3.0.22.990062 r(61761)) with ESMTP
.id 39eE-476-4052e629Y6; Wed, 1 Jun 2011 04:04:30 +0100
To: japanisalie@gmail.com
Message-Id: <201106011408.YZNRH659@qhug1.com>
Date: Wed, 1 Jun 2011 04:01:04 +0100
Sender: kdkddfbf@uaag.com
From: "Gucci Louis.Vuitton" <kdkddfbf@uaag.com>
Mime-Version: 1.0
Subject: Replica-SHOP : Luxury Watches, Bags, Shoes vzi
Content-Type: text/plain;
.charset="us-ascii"
Content-Transfer-Encoding: 8bit

Super Replicas - Luxury Watches, Bags, Jewelry, Phones, Shoes - Unbelievable Pricing!
Watch shows your status! Girls love cool watch! ctl

http://iisnv.traincold.ru

.
550-5.7.1 [82.238.120.144       7] Our system has detected that this message is
550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,
550-5.7.1 this message has been blocked. Please visit                          
550-5.7.1 http://mail.google.com/support/bin/answer.py?hl=en&answer=188131 for
550 5.7.1 more information. e25si2595928anp.203

[C4$h]

Hello, knows anyone here new information regarding the Grum bots?
http://krebsonsecurity.com/2012/08/insi ... um-botnet/
I will always whisper the source would be found in the network analysis.
Furthermore, I, the panel of Grum bots sent.
Does a more info or has binary files, source of the bots?

Thank you

best regards

[Xylitol]

From what's i've saw the 'leaked' package is absolutely broken.
I've released a small fix for the panel anyway (i was curious to see the interface) of course my fix can't be used for 'real case' there is too much work to do and the php code is really ugly, i don't know who coded the web app but... :?

As see here some actions was took: http://www.kernelmode.info/forum/viewto ... 70&p=14752
But Tedroo guys still continue to use it, current version of grum is 722 and the leaked source is version 447.
There is also some people who like to show-off that they have 'latest' grum, have a look on the html file in attachement and on Spammer.Win32.Tedroo.gen!B.zip for a bin of the latest version.
https://www.virustotal.com/en/file/e497 ... 386885152/

[C4$h]

Can you tell me where I can find the leaked source version?

Thank you

yours sincerely,

[Xylitol]

Search on internet, i won't share it here.

[grum]

:lol: http://cybercrime-tracker.net/vx/GRUM.zip lame pack for all ( not full )

it's real big projects ~ 5 year by ukraina coder in Odes, Ukraine