[nsp-sec] Botnet controller: 216.255.178.122:443 (Intercage *cough*)
Lawrence Baldwin
baldwinl at mynetwatchman.com
Thu Jan 24 05:12:32 EST 2008
I've got a piece of malware (virustotal attached) that calls out to the
above IP/port...it's a hash we've never seen before and was used in a very
high-profile attack:
# md5sum mstsk.ex_
94e07fd87cd033a9af4d47301270831c mstsk.ex_
# sha1sum mstsk.ex_
8e87ce756067cb0e830ebb0c8059c54e9581062c mstsk.ex_
The control tcp/RSTs incoming connections...at least from my IPs.
Is anyone familiar with this controller and its function?
Regards,
Lawrence.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mstsk_virustotal.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20080124/8b4b0f64/attachment-0001.txt>