Dridex 3/31/2015 for botnets 120 and 125

Dridex 3/31/2015 for botnets 120 and 125. Note that these are found in the malware. Some may already be inactive

Loader IPs for 125:
91.230.60.219:8080
202.44.54.5:8080
176.108.1.17:8080
66.110.179.66:8080

Redirects for 125:
<redirects>
<redirect name="1st" vnc="0" socks="0" uri="http://192.254.174.231:8080/userexperiences" timeout="20">webstsomni.js</redirect>
<redirect name="2nd" vnc="1" socks="1" uri="http://192.254.174.231:8080/gatheredstats" timeout="20">userexperiences30.js</redirect>
<redirect name="vbv1" vnc="0" socks="0" postfwd="1" uri="http://37.59.96.74:8080/logs/dtukvbv/js.php" timeout="20">/logs/dtukvbv/js.php</redirect>
<redirect name="vbv2" vnc="0" socks="0" postfwd="1" uri="http://37.59.96.74:8080/logs/dtukvbv/in.php" timeout="20">/logs/dtukvbv/in.php</redirect>
</redirects>

Nodes for 125
<node>
87.236.215.103:80
107.191.46.222:80
107.191.46.222:8000
185.91.175.39:80
128.199.203.165:80
95.163.121.178:80
46.101.38.178:80
</node>

Loader IPs for 120:
188.120.225.17:8080
82.151.131.129:8080
95.163.121.33:80
121.50.43.175:8080
92.63.88.83:80

Redirects for 120
<redirects>
<redirect name="1st" vnc="0" socks="0" uri="http://62.109.4.230:8080/addons" timeout="20">twister5.js</redirect>
<redirect name="2nd" vnc="1" socks="1" uri="http://62.109.4.230:8080/webuibuilder" timeout="20">commonuifunc.js</redirect>
<redirect name="tgp" vnc="1" socks="1" uri="http://62.109.4.230:8080/webuibuilder" timeout="20">notracking.js</redirect>
<redirect name="rbs_fake" vnc="0" socks="0" uri="http://188.226.168.84:8080/rbs_logon/index.php" timeout="40">https://www.bankline.rbs.com/</redirect>

<node>
5.135.28.104:80
192.64.11.232:80
27.54.174.181:80
2.194.41.9:8000
222.234.230.239:8000
1.164.114.195:80
46.8.136.213:8000
176.223.48.44:1016
77.74.103.150:80
107.191.46.222:80
188.226.129.49:80
46.19.143.151:80
45.55.154.235:80
87.236.215.105:80
199.201.121.169:80
</node>