[nsp-sec] Large injection AS4134, lots of upstreams (AS4812 also involved)
Gong, Yiming
yiming.gong at xo.com
Wed Apr 23 12:02:16 EDT 2008
Hi Brian,
Would you mind if I pass your list to the CT guys? They need some evidence to
take action, thanks
Regards,
Yiming
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Brian Eckman
> Sent: Wednesday, April 23, 2008 10:18 AM
> To: Smith, Donald
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Large injection AS4134, lots of
> upstreams (AS4812 also involved)
>
> ----------- nsp-security Confidential --------
>
> FWIW, infected clients are given a laundry list of malware to download,
> including:
>
> hXXp://1.haoliuliang.net/ma/1.exe
> hXXp://1.haoliuliang.net/ma/2.exe
> hXXp://1.haoliuliang.net/ma/3.exe
> hXXp://1.haoliuliang.net/ma/4.exe
> hXXp://1.haoliuliang.net/ma/5.exe
> hXXp://1.haoliuliang.net/ma/6.exe
> hXXp://1.haoliuliang.net/ma/7.exe
> hXXp://1.haoliuliang.net/ma/8.exe
> hXXp://1.haoliuliang.net/ma/9.exe
> hXXp://1.haoliuliang.net/ma/10.exe
> hXXp://2.haoliuliang.net/ma/11.exe
> hXXp://2.haoliuliang.net/ma/12.exe
> hXXp://2.haoliuliang.net/ma/13.exe
> hXXp://2.haoliuliang.net/ma/14.exe
> hXXp://2.haoliuliang.net/ma/15.exe
> hXXp://2.haoliuliang.net/ma/16.exe
> hXXp://2.haoliuliang.net/ma/17.exe
> hXXp://2.haoliuliang.net/ma/18.exe
> hXXp://2.haoliuliang.net/ma/19.exe
> hXXp://2.haoliuliang.net/ma/20.exe
> hXXp://2.haoliuliang.net/ma/21.exe
> hXXp://2.haoliuliang.net/ma/22.exe
> hXXp://2.haoliuliang.net/ma/23.exe
>
> > host 1.haoliuliang.net
> 1.haoliuliang.net has address 222.73.44.134
>
> > host 2.haoliuliang.net
> 2.haoliuliang.net has address 222.73.44.135
>
> AS | IP | AS Name
> 4812 | 222.73.44.134 | CHINANET-SH-AP China Telecom (Group)
>
> PEER_AS | IP | AS Name
> 4134 | 222.73.44.135 | CHINANET-BACKBONE No.31,Jin-rong Street
>
> Non-infected clients are drawn to gg.haoliuliang.net and
> gg.haoliuliang.com,
> but I've only seen infected clients going to 1.haoliuliang.net and
> 2.haoliuliang.net.
>
> Brian
>
> Smith, Donald wrote:
> > ----------- nsp-security Confidential --------
> >
> > If you google for www.nihaorr1.com you will find the target
> > of the "large injection site" that several av companies and
> > some certs are talking about today. This resolves to
> > 219.153.46.28. From there users get directed to a site that
> > tries to exploit several applications.
> > Some details here:
> > http://securitylabs.websense.com/content/Alerts/3070.aspx
> > http://isc.sans.org/diary.html?n&storyid=4294
> >
> >
> > Here is the actual google search
> >
> >
> > http://www.google.co.uk/search?q=%3Cscript+src%3Dhttp://www.nihaorr1.com&hl=en&start=0&sa=N
> >
> >
> > bash-3.1$ whois -h whois.cymru.com 219.153.46.28
> > AS | IP | AS Name
> > 4134 | 219.153.46.28 | CHINANET-BACKBONE No.31,Jin-rong Street
> > bash-3.1$ whois -h upstream-whois.cymru.com 219.153.46.28
> > PEER_AS | IP | AS Name
> > 174 | 219.153.46.28 | COGENT Cogent/PSI
> > 703 | 219.153.46.28 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> > 1239 | 219.153.46.28 | SPRINTLINK - Sprint
> > 2828 | 219.153.46.28 | XO-AS15 - XO Communications
> > 2914 | 219.153.46.28 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> > 3257 | 219.153.46.28 | TISCALI-BACKBONE Tiscali Intl Network BV
> > 3320 | 219.153.46.28 | DTAG Deutsche Telekom AG
> > 3549 | 219.153.46.28 | GBLX Global Crossing Ltd.
> > 3561 | 219.153.46.28 | SAVVIS - Savvis
> > 11164 | 219.153.46.28 | TRANSITRAIL - National LambdaRail, LLC
> > 17888 | 219.153.46.28 | SINGTEL-HK SingTel Hong Kong Limited
> >
> > If someone could get this taken down that would be most beneficial.
> >
> > donald.smith at qwest.com giac
> >
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of
> the nsp-security
> > community. Confidentiality is essential for effective
> Internet security counter-measures.
> > _______________________________________________
>
>
> --
> Brian Eckman, Security Analyst
> University of Minnesota
> Office of Information Technology
> Security & Assurance
>
>
>
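Added example, not part of the thread and not tooling from the nsp-security list: a Python script that ties together the two steps the thread walks through. It parses Team Cymru "AS | IP | AS Name" output in the form pasted above to attribute the payload hosts to their ASNs, and it runs over proxy log lines to separate clients that are infected from clients that were merely exposed, using Brian's observation that only infected clients fetch /ma/N.exe from 1.haoliuliang.net and 2.haoliuliang.net while the rest land on gg.haoliuliang.net or gg.haoliuliang.com. The host-to-IP map is copied from the `host` output in the thread and embedded so the script runs offline; the proxy log lines and their "client METHOD url" format are constructed for this example. A live run would resolve the names and query whois.cymru.com instead of using the embedded text.

```python
import re
from urllib.parse import urlsplit

# Team Cymru IP-to-ASN output as pasted in the thread ("AS | IP | AS Name").
# The 219.153.46.28 line is from Donald's lookup, the 222.73.44.x lines from Brian's.
CYMRU_OUTPUT = """\
AS | IP | AS Name
4812 | 222.73.44.134 | CHINANET-SH-AP China Telecom (Group)
4134 | 222.73.44.135 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 219.153.46.28 | CHINANET-BACKBONE No.31,Jin-rong Street
"""

# Host -> IP mapping copied from the `host` output in the thread, embedded so the
# script runs offline (a live run would use the resolver instead).
DNS = {
    "1.haoliuliang.net": "222.73.44.134",
    "2.haoliuliang.net": "222.73.44.135",
    "www.nihaorr1.com": "219.153.46.28",
}

# Brian's observation: only infected clients fetch payloads from 1./2.haoliuliang.net;
# clients that merely loaded the injected <script> land on gg.haoliuliang.{net,com}.
INFECTED_HOSTS = {"1.haoliuliang.net", "2.haoliuliang.net"}
EXPOSED_HOSTS = {"gg.haoliuliang.net", "gg.haoliuliang.com", "www.nihaorr1.com"}
PAYLOAD_PATH = re.compile(r"^/ma/\d+\.exe$")


def refang(url):
    """Turn the thread's defanged hXXp:// form back into a parsable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_cymru(text):
    """Parse Team Cymru whois output into {ip: (asn, as_name)}, skipping the header row."""
    table = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3 or not fields[0].isdigit():
            continue  # header row or blank line
        asn, ip, name = fields
        table[ip] = (int(asn), name)
    return table


def attribute(host, dns=DNS, cymru=CYMRU_OUTPUT):
    """Return (ip, asn, as_name) for a hostname, or None if the host is unknown."""
    ip = dns.get(host)
    if ip is None:
        return None
    asn, name = parse_cymru(cymru).get(ip, (None, "unknown"))
    return ip, asn, name


# Constructed log format for the example: "client METHOD url" per line.
LOG_LINE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def classify(log_lines):
    """Map each client to 'infected' or 'exposed'; a payload fetch outranks a landing-page hit."""
    rank = {"exposed": 1, "infected": 2}
    verdict = {}
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(refang(m.group("url")))
        host = parts.hostname or ""
        if host in INFECTED_HOSTS and PAYLOAD_PATH.match(parts.path):
            status = "infected"
        elif host in EXPOSED_HOSTS or host in INFECTED_HOSTS:
            status = "exposed"
        else:
            continue  # unrelated traffic
        client = m.group("client")
        if rank[status] > rank.get(verdict.get(client), 0):
            verdict[client] = status
    return verdict


# Constructed proxy log excerpt (not real traffic).
SAMPLE_LOG = [
    "10.1.1.5 GET http://gg.haoliuliang.net/",
    "10.1.1.7 GET http://gg.haoliuliang.net/",
    "10.1.1.7 GET http://1.haoliuliang.net/ma/3.exe",
    "10.1.1.7 GET http://2.haoliuliang.net/ma/17.exe",
    "10.1.1.9 GET http://www.example.com/index.html",
]

if __name__ == "__main__":
    for client, status in sorted(classify(SAMPLE_LOG).items()):
        print(f"{client}: {status}")
    for host in sorted(INFECTED_HOSTS | {"www.nihaorr1.com"}):
        print(host, attribute(host))
```

The "infected beats exposed" ranking matters for the hand-off to the upstream: a client that hit the landing page and then pulled an executable is the evidence a provider can act on, while a client that only touched gg.haoliuliang.net shows the injection reached it but not that the exploit succeeded.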