[nsp-sec] follow up on spam bounces - the botnet

White, Gerard Gerard.White at aliant.ca
Thu Jul 3 16:55:41 EDT 2008


Mmmmm... McColo.

I have most (if not all) of the 208.72.168.0/23 subnet blocked.  It currently
holds the award (in my books) of the worst concentration of C&C and other forms
of malicious activity... Basically ANY flow to this /23 is a 99.9% sign of TROUBLE.

Some of my notes for 208.72.168.0/23:  [NOT FOR SHARING OFF LIST]



GW
855 - Bell Aliant


> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Andreas Bunten
> Sent: Thursday, July 03, 2008 12:44 PM
> To: Stephen Gill
> Cc: nsp-security at puck.nether.net
> Subject: [nsp-sec] follow up on spam bounces - the botnet
> 
> ----------- nsp-security Confidential --------
> 
> Hi,
> 
> a German university was severely hit by spam bounces and I posted a list
> of bouncers and later a list of bots who send the spam generating the
> bounces.
> 
> Stephen Gill helped out by pointing me towards the malware and the C&Cs
> and domain names connected to this.
> 
> On Thu, 19 Jun 2008, Stephen Gill wrote:
> 
> > The biggest thing in common I see amongst your IPs is the fact that they are
> > reaching out to this C&C on TCP 80 and TCP 443:
> >
> > 26780   | 208.72.169.189   | MCCOLO - McColo Corporation
> (...)
> 
> I tested most of the malware Steve provided. Some C&Cs were offline,
> many behaved very similarly to what Steve pointed out:
> 
> > Looking at our heuristics for the most recent malware sample in the list I
> > see this:
> >
> > FLOWs
> >
> > timestamp             src ip:port          dst ip:port           proto   size
> > 2008-06-17 00:41:59   192.168.1.1:2631     206.51.236.94:25      6       0 B
> > 2008-06-17 00:41:59   192.168.1.1:2632     208.72.169.189:80     6       0 B
> > 2008-06-17 00:41:59   192.168.1.1:2630     208.72.169.189:80     6       118 B
> > 2008-06-17 00:41:59   192.168.1.1:2628     195.93.218.28:80      6       86 KB
> > 2008-06-17 00:41:59   192.168.1.1:2627     195.93.218.28:80      6       23.89 KB
> (...)
> 
> 206.51.236.94 is found by asking for MX of catcherinvest.com. It seems to
> be a mailserver and the malware I looked at did all exactly this (local IP
> and hostname masked):
> 
>       220 msn.com ESMTP dreefJom
>       HELO localhost
>       250 msn.com(88) Hello xxxx.xxxx.xxxxxxxxx.de [10.10.10.10]
>       MAIL FROM: host
>       250 Ok
>       RCPT TO: host at abc.tld
>       250 Accepted
>       DATA
>       354 Enter message, ending with "." on a line by itself
>       helo
>       test
>       letter
>       .
>       250 OK id=f525ed83c29d7c47131687f62205b495
>       QUIT
>       221 msn.com
> 
> This is certainly not MSN: the mailserver answers with '250 OK' on empty
> FROM and other malformed input, and the id is probably an md5 hash of the
> data section.
> 
> In order to spare the world more spam, Klaus and I built a spamtrap with
> a postfix which accepts everything but only puts it in the hold queue, and
> iptables redirection. This works perfectly for the spam pumped out, but
> not for this pseudo-smtp session at the beginning. The malware uses
> different routines to do this, it seems. And if I don't let it talk to the
> real machine (206.51.236.94) the malware will not become active and start
> to spam 20 minutes later.
> 
> Therefore, I assume that this is a modified mail software with the sole
> purpose of counting bots.
> 
> The hoster and its provider (AS 29802) share the same postbox ->
> 
>    OrgName:    NOC4Hosts Inc.
>    OrgID:      NOC4H
>    Address:    400 N Tampa St
>    Address:    #1025
>    City:       Tampa
>    StateProv:  FL
>    PostalCode: 33602
>    Country:    US
> 
>    AS29802
> 
>    OrgName:    HIVELOCITY VENTURES CORP
>    OrgID:      HVC-3
>    Address:    400 N Tampa St
>    Address:    #1025
>    City:       Tampa
>    StateProv:  FL
>    PostalCode: 33602
>    Country:    US
> 
> Searching for NOC4Hosts and RBN gives quite a few hits. Any chance of
> getting at this - as it seems malicious - provider?
> 
> The host 208.72.169.189 (galileoboots.info) and also 208.72.169.101
> (both at McColo Corporation) are talked to on port 80 by the malware.
> Though, this is not HTTP. Every 40 seconds data is exchanged. It seems
> to be used as a keep alive and also to transfer new commands. These
> are transmitted after around 20 minutes runtime of the malware.
> 
> An example of the protocol can be seen in the Anubis analysis of
> one of the malware pieces (section 1: unknown tcp traffic).
> 
> http://analysis.seclab.tuwien.ac.at/result.php?taskid=4e1c96d50ff6549425f69fffbf74fbd8
> 
> Depending on the piece of malware, more software is downloaded, using
> real HTTP this time. In one case from 204.72.168.215 (also in the US).
> 
> There is also https communication with 67.198.203.242 (almbarcoz.info)
> which I unfortunately could not look at - the sebek client I used did
> not log all content.
> 
> Cap-files, more details etc. available upon request.
> 
> 
> Sorry for the long mail. My questions:
> 
> Had anyone contact with these IPs running the botnet?
> 
>    206.51.236.94   mail2.catcherinvest.com / pseudo smtp - NOC4Hosts
>    208.72.169.189  galileoboots.info / McColo
>    208.72.169.101  / McColo
>    204.72.168.215  / Triticom
>    67.198.203.242  almbarcoz.info / KRYPT
> 
> I could not find them in previous mails, nor in the RR.
> 
> NOC4hosts seems malicious to me. Anybody had contact or handled a
> similar case?
> 
> Regards,
> andreas-b, as 680 (German research network)
> 
> 
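A detection check suggested by the two observations in this thread (Gerard's point that any flow into 208.72.168.0/23 is a sign of trouble, and Andreas' 40-second non-HTTP keep-alive on port 80), written as an added example that is not part of the thread. The sample records are constructed in the thread's FLOW format; the two later timestamps are invented to show the cadence.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Prefix Gerard reports blocking outright.
BLOCKED = ipaddress.ip_network("208.72.168.0/23")

# Constructed sample records in the thread's FLOW format (timestamp, src, dst, proto, size);
# the 00:42:39 and 00:43:19 lines are invented to show a 40-second cadence.
SAMPLE_FLOWS = """\
2008-06-17 00:41:59     192.168.1.1:2631     206.51.236.94:25     6     0 B
2008-06-17 00:41:59     192.168.1.1:2632     208.72.169.189:80     6     0 B
2008-06-17 00:42:39     192.168.1.1:2640     208.72.169.189:80     6     118 B
2008-06-17 00:43:19     192.168.1.1:2645     208.72.169.189:80     6     118 B
2008-06-17 00:41:59     192.168.1.1:2628     195.93.218.28:80     6     86 KB
"""

def parse_flows(text):
    """Yield (ts, src_ip, dst_ip, dst_port) from lines in the FLOW format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:  # skip the header row
            continue
        src_ip = parts[2].rsplit(":", 1)[0]
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        yield ts, src_ip, dst_ip, int(dst_port)

def flows_to_blocked_prefix(text, prefix=BLOCKED):
    """Destination IPs inside the blocked prefix; any hit is treated as a sign of trouble."""
    return sorted({d for _, _, d, _ in parse_flows(text)
                   if ipaddress.ip_address(d) in prefix})

def beacons(text, period=40, tolerance=5, min_hits=3):
    """(src, dst, port) triples contacted at a steady ~period-second cadence."""
    seen = defaultdict(list)
    for ts, s, d, p in parse_flows(text):
        seen[(s, d, p)].append(ts)
    found = []
    for key, times in seen.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            found.append(key)
    return found
```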


