[nsp-sec] Large injection AS4134, lots of upstreams (AS4812 also involved)

Brian Eckman eckman at umn.edu
Wed Apr 23 12:16:51 EDT 2008


Yiming,

Yes, you may pass it along to CT.

Thanks!
Brian

Gong, Yiming wrote:
> Hi Brian,
> 
> Would you mind if I pass your list to the CT guys? They need some evidence to
> take action, thanks
> 
> Regards,
>  
> Yiming
>  
> 
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net 
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
>> Brian Eckman
>> Sent: Wednesday, April 23, 2008 10:18 AM
>> To: Smith, Donald
>> Cc: nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] Large injection AS4134, lots of upstreams (AS4812 also involved)
>>
>> ----------- nsp-security Confidential --------
>>
>> FWIW, infected clients are given a laundry list of malware to download, including:
>>
>>
>>  > host 1.haoliuliang.net
>> 1.haoliuliang.net has address 222.73.44.134
>>
>>  > host 2.haoliuliang.net
>> 2.haoliuliang.net has address 222.73.44.135
>>
>> AS      | IP               | AS Name
>> 4812    | 222.73.44.134    | CHINANET-SH-AP China Telecom (Group)
>>
>> PEER_AS | IP               | AS Name
>> 4134    | 222.73.44.135    | CHINANET-BACKBONE No.31,Jin-rong Street
>>
>> Non-infected clients are drawn to gg.haoliuliang.net and gg.haoliuliang.com,
>> but I've only seen infected clients going to 1.haoliuliang.net and 2.haoliuliang.net.
>>
>> Brian
>>
>> Smith, Donald wrote:
>>> ----------- nsp-security Confidential --------
>>>
>>> If you google for www.nihaorr1.com you will find the target of the "large
>>> injection site" that several AV companies and some CERTs are talking about
>>> today. This resolves to 219.153.46.28. From there users get directed to a
>>> site that tries to exploit several applications.
>>> Some details here:
>>> http://securitylabs.websense.com/content/Alerts/3070.aspx
>>> http://isc.sans.org/diary.html?n&storyid=4294
>>>  
>>>  
>>> Here is the actual google search
>>>  
>>> http://www.google.co.uk/search?q=%3Cscript+src%3Dhttp://www.nihaorr1.com&hl=en&start=0&sa=N
>>>  
>>>  
>>> bash-3.1$ whois -h whois.cymru.com 219.153.46.28
>>> AS      | IP               | AS Name
>>> 4134    | 219.153.46.28    | CHINANET-BACKBONE No.31,Jin-rong Street
>>> bash-3.1$ whois -h upstream-whois.cymru.com 219.153.46.28
>>> PEER_AS | IP               | AS Name
>>> 174     | 219.153.46.28    | COGENT Cogent/PSI
>>> 703     | 219.153.46.28    | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
>>> 1239    | 219.153.46.28    | SPRINTLINK - Sprint
>>> 2828    | 219.153.46.28    | XO-AS15 - XO Communications
>>> 2914    | 219.153.46.28    | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
>>> 3257    | 219.153.46.28    | TISCALI-BACKBONE Tiscali Intl Network BV
>>> 3320    | 219.153.46.28    | DTAG Deutsche Telekom AG
>>> 3549    | 219.153.46.28    | GBLX Global Crossing Ltd.
>>> 3561    | 219.153.46.28    | SAVVIS - Savvis
>>> 11164   | 219.153.46.28    | TRANSITRAIL - National LambdaRail, LLC
>>> 17888   | 219.153.46.28    | SINGTEL-HK SingTel Hong Kong Limited
>>>  
>>> If someone could get this taken down that would be most beneficial.
>>>  
>>> donald.smith at qwest.com giac
>>>  
>>>
>>>
>>> This communication is the property of Qwest and may contain confidential or
>>> privileged information. Unauthorized use of this communication is strictly
>>> prohibited and may be unlawful.  If you have received this communication
>>> in error, please immediately notify the sender by reply e-mail and destroy
>>> all copies of the communication and any attachments.
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>> _______________________________________________
>>
>> -- 
>> Brian Eckman, Security Analyst
>> University of Minnesota
>> Office of Information Technology
>> Security & Assurance
>>
>>
>>


-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
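As an added example (not code from the thread or any of its authors): a small parser for the Team Cymru whois layout quoted above, which maps each indicator IP to its origin AS and upstream (PEER_AS) networks so a responder can see at a glance whom to notify. The sample rows are copied from the thread's lookups; the `contacts_for` ordering (origin AS first, then upstreams) is my own convention, not anything the list members used.

```python
"""Parse Team Cymru 'AS | IP | AS Name' / 'PEER_AS | IP | AS Name' output
into per-IP records of origin and upstream ASNs."""
from collections import defaultdict

# Constructed sample input: rows copied from the thread's whois.cymru.com
# (origin) and upstream-whois.cymru.com (upstream) answers, concatenated.
SAMPLE_ORIGIN = """\
AS      | IP               | AS Name
4134    | 219.153.46.28    | CHINANET-BACKBONE No.31,Jin-rong Street
4812    | 222.73.44.134    | CHINANET-SH-AP China Telecom (Group)
"""
SAMPLE_UPSTREAM = """\
PEER_AS | IP               | AS Name
174     | 219.153.46.28    | COGENT Cogent/PSI
703     | 219.153.46.28    | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
1239    | 219.153.46.28    | SPRINTLINK - Sprint
4134    | 222.73.44.135    | CHINANET-BACKBONE No.31,Jin-rong Street
"""


def parse_cymru(text):
    """Yield (kind, asn, ip, name) per data row. The header row decides
    whether following rows are 'origin' (AS) or 'upstream' (PEER_AS)."""
    kind = None
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3:
            continue  # blank line or unrelated chatter
        if cells[0] in ("AS", "PEER_AS"):
            kind = "origin" if cells[0] == "AS" else "upstream"
            continue
        if kind is None or not cells[0].isdigit():
            continue  # Cymru prints 'NA' for unrouted space; skip it
        yield kind, int(cells[0]), cells[1], cells[2]


def summarise(*texts):
    """Return {ip: {'origin': {asn: name}, 'upstream': {asn: name}}}."""
    out = defaultdict(lambda: {"origin": {}, "upstream": {}})
    for text in texts:
        for kind, asn, ip, name in parse_cymru(text):
            out[ip][kind][asn] = name
    return dict(out)


def contacts_for(summary, ip):
    """ASNs to notify for an IP: origin AS first, then upstreams (deduped)."""
    rec = summary[ip]
    origin = sorted(rec["origin"])
    return origin + sorted(a for a in rec["upstream"] if a not in rec["origin"])
```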

