[nsp-sec] 66.139.78.164 = C&C?
Jose Nazario
jose at arbor.net
Mon Apr 14 11:01:02 EDT 2008
On Mon, 14 Apr 2008, Chris Calvert wrote:
> Can anyone confirm seeing botnet C&C traffic for this host?
i have several samples that *attempt* to contact it on TCP port 9798, but
no indications they are able to. the DNS name they're using is
gizmo.godaddyy.net
which (at least sometimes) answers with that IP:
<gethostbyname requested_host="gizmo.godaddyy.net"
resulting_addr="82.146.52.179">
<more_resulting_addr>
<resulting_addr>143.248.133.157</resulting_addr>
<resulting_addr>66.139.78.164</resulting_addr>
<resulting_addr>70.61.92.197</resulting_addr>
<resulting_addr>72.20.45.2</resulting_addr>
<resulting_addr>72.20.45.3</resulting_addr>
<resulting_addr>72.20.45.4</resulting_addr>
<resulting_addr>72.20.45.5</resulting_addr>
</more_resulting_addr></gethostbyname>
here's how it's trying to connect:
<irc_data username="XP-SP2" hostname="x" servername="x"
realname="HOSTNAME" password="su1c1d3" nick="\00\USA\x70chlwnk7"
non_rfc_conform="1"/>
testing manually i see it's a bouncer:
$ nc 66.139.78.164 9798
<<< :psyBNC-2.3.2-4
<<< :psyBNC-2.3.2-4
>>> PASS su1c1d3
>>> NICK \00\USA\x70 chlwnk7
>>> USER XP-SP2 x x :MYHOST
<<< ERROR :Closing Link: \00\USA\x70[HOSTNAME] ((-psyBNC) Wrong Password.
Disconnecting.)
looks live.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/
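As an added example (not part of the post above, and not Arbor's or the sandbox's code): a small defender-side script that turns the two sandbox records and the manual nc check quoted in the post into a structured indicator summary. The XML fragments and the session transcript are constructed from the post's own output; the record layout (gethostbyname / irc_data elements with those attribute names) is assumed from that output, the "\00\USA\..." bot-nick pattern is assumed from the single sample, and the RPL_WELCOME (001) test for a successful login is a standard-IRC assumption, since the post only shows the failure path.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the gethostbyname record quoted in the post.
SANDBOX_DNS = """<gethostbyname requested_host="gizmo.godaddyy.net"
 resulting_addr="82.146.52.179">
<more_resulting_addr>
<resulting_addr>143.248.133.157</resulting_addr>
<resulting_addr>66.139.78.164</resulting_addr>
<resulting_addr>70.61.92.197</resulting_addr>
<resulting_addr>72.20.45.2</resulting_addr>
<resulting_addr>72.20.45.3</resulting_addr>
<resulting_addr>72.20.45.4</resulting_addr>
<resulting_addr>72.20.45.5</resulting_addr>
</more_resulting_addr></gethostbyname>"""

# Constructed from the irc_data record quoted in the post (raw string keeps the backslashes).
SANDBOX_IRC = r"""<irc_data username="XP-SP2" hostname="x" servername="x"
 realname="HOSTNAME" password="su1c1d3" nick="\00\USA\x70chlwnk7"
 non_rfc_conform="1"/>"""

# Constructed transcript of the manual nc check: "<<<" is server -> us, ">>>" is us -> server.
SESSION = [
    "<<< :psyBNC-2.3.2-4",
    "<<< :psyBNC-2.3.2-4",
    ">>> PASS su1c1d3",
    ">>> NICK \\00\\USA\\x70 chlwnk7",
    ">>> USER XP-SP2 x x :MYHOST",
    "<<< ERROR :Closing Link: \\00\\USA\\x70[HOSTNAME] ((-psyBNC) Wrong Password. Disconnecting.)",
]

BANNER_RE = re.compile(r"^:(psyBNC)-(\S+)")
# Assumed nick shape: backslash, two digits, backslash, country code, backslash (from one sample only).
BOT_NICK_RE = re.compile(r"^\\\d{2}\\[A-Z]{2,3}\\")


def parse_dns_record(xml_text):
    """Return (requested_host, ordered unique list of every resolved address)."""
    root = ET.fromstring(xml_text)
    addrs = [root.attrib["resulting_addr"]]
    addrs += [e.text.strip() for e in root.iter("resulting_addr")]
    seen, ordered = set(), []
    for a in addrs:
        if a not in seen:
            seen.add(a)
            ordered.append(a)
    return root.attrib["requested_host"], ordered


def parse_irc_record(xml_text):
    """Pull the IRC login fields the sample uses; None for any field the record lacks."""
    root = ET.fromstring(xml_text)
    fields = ("username", "password", "nick", "realname", "non_rfc_conform")
    return {k: root.attrib.get(k) for k in fields}


def looks_like_bot_nick(nick):
    return bool(BOT_NICK_RE.match(nick))


def classify_banner(line):
    """Return (software, version) for a psyBNC greeting line, else None."""
    m = BANNER_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def summarize_session(lines):
    """Walk a captured <<</>>> transcript: what answered, and did the login succeed?"""
    info = {"software": None, "version": None, "auth_ok": None}
    for raw in lines:
        if not raw.startswith("<<< "):
            continue  # only server-side lines tell us anything here
        msg = raw[4:]
        banner = classify_banner(msg)
        if banner and info["software"] is None:
            info["software"], info["version"] = banner
        if msg.startswith("ERROR"):
            info["auth_ok"] = False
        elif re.match(r"^:\S+ 001 ", msg):  # RPL_WELCOME: server accepted the registration
            info["auth_ok"] = True
    return info


def build_iocs(port=9798):
    """Combine both sandbox records into one indicator set for blocking/alerting."""
    host, ips = parse_dns_record(SANDBOX_DNS)
    irc = parse_irc_record(SANDBOX_IRC)
    return {
        "domain": host,
        "ips": ips,
        "port": port,
        "irc_password": irc["password"],
        "irc_nick": irc["nick"],
        "bot_style_nick": looks_like_bot_nick(irc["nick"]),
        "non_rfc_conform": irc["non_rfc_conform"] == "1",
    }


if __name__ == "__main__":
    print(build_iocs())
    print(summarize_session(SESSION))
```

Note that the resolved-address list is the part worth feeding into detection: the sample pins a DNS name, not an IP, so a flow rule keyed only on 66.139.78.164:9798 misses the other seven addresses the name has answered with; matching on the name in DNS logs plus the psyBNC banner on the wire covers both.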