[nsp-sec] Botnet controller: 216.255.178.122:443 (Intercage *cough*)
Stephen Gill
gillsr at cymru.com
Thu Jan 24 13:48:51 EST 2008
Yes, we've seen it.
It appears to open up a reverse connect bindshell back to that IP+port.
E.g.:
\x00\x00\x00\x00\x00\x00
Microsoft Windows XP [Version 5.1.2600]
\x0d\x0a(C) Copyright 1985-2001 Microsoft Corp.\x0d\x0a
\x0d\x0a\x00\x00\x00\x00
C:\Documents and Settings\Administrator>
Cheers,
Steve, Team Cymru.
On 1/24/08 3:12 AM, "Lawrence Baldwin" <baldwinl at mynetwatchman.com> wrote:
> ----------- nsp-security Confidential --------
>
> I've got a piece of malware (virustotal attached) that calls out to the
> above IP/port...it's a hash we've never seen before and was used in a very
> high-profile attack:
>
> # md5sum mstsk.ex_
> 94e07fd87cd033a9af4d47301270831c mstsk.ex_
>
> # sha1sum mstsk.ex_
> 8e87ce756067cb0e830ebb0c8059c54e9581062c mstsk.ex_
>
>
> The control tcp/RSTs incoming connections...at least from my IPs.
>
> Is anyone familiar with this controller and its function?
>
>
> Regards,
>
> Lawrence.
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
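A detection check for the behaviour described in the reply above, added here as an example and not part of the thread: it looks at the first payload bytes of a tcp/443 flow and flags a plaintext cmd.exe banner where a TLS handshake would be expected. The sample payloads are constructed (modelled on the banner quoted above), and the flow dict layout is an assumption, not any particular sensor's format.

```python
import re

# Constructed sample payloads (not traffic from the thread). The first is modelled
# on the cmd.exe banner quoted in the reply; the second is a TLS ClientHello record
# header, which is what a legitimate client sends first on tcp/443.
SHELL_PAYLOAD = (
    b"\x00\x00\x00\x00\x00\x00"
    b"Microsoft Windows XP [Version 5.1.2600]"
    b"\x0d\x0a(C) Copyright 1985-2001 Microsoft Corp.\x0d\x0a"
    b"\x0d\x0a\x00\x00\x00\x00"
    b"C:\\Documents and Settings\\Administrator>"
)
TLS_PAYLOAD = b"\x16\x03\x01\x00\x31\x01\x00\x00\x2d\x03\x03" + b"\x00" * 45

# cmd.exe opens with a version line, a copyright line and a "<drive>:\...>" prompt.
CMD_BANNER = re.compile(
    rb"Microsoft Windows [^\r\n\]]*\[Version [\d.]+\]\r\n"
    rb"\(C\) Copyright 1985-\d{4} Microsoft Corp\.\r\n"
)
CMD_PROMPT = re.compile(rb"[A-Za-z]:\\[^\r\n>]*>\s*$")

def looks_like_tls(payload: bytes) -> bool:
    """TLS records start with a content type (0x14-0x17) and major version 0x03."""
    return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03

def classify_payload(payload: bytes) -> str:
    """Label the first payload bytes of a flow: 'tls', 'cmd-shell' or 'other'."""
    if looks_like_tls(payload):
        return "tls"
    if CMD_BANNER.search(payload) and CMD_PROMPT.search(payload):
        return "cmd-shell"
    return "other"

def flag_flows(flows):
    """Return (src, dst, label) for tcp/443 flows whose first bytes are not TLS.

    Each flow is an assumed dict with 'src', 'dst' (ip:port strings) and
    'payload' (first bytes sent on the connection). A plaintext cmd.exe
    banner on the HTTPS port is the reverse-shell pattern described above.
    """
    hits = []
    for f in flows:
        if not f["dst"].endswith(":443"):
            continue
        label = classify_payload(f["payload"])
        if label != "tls":
            hits.append((f["src"], f["dst"], label))
    return hits
```

The TLS check is a header heuristic, so flows labelled 'other' still deserve a look; the point is that a cmd.exe prompt on tcp/443 is never legitimate HTTPS.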