[nsp-sec] 1Million Botnet Ips

Lawrence Baldwin baldwinl at mynetwatchman.com
Sat Jul 5 11:14:20 EDT 2008


How can the "count of infected IPs" be > 1 within a /32?

e.g:
   2 | 63.149.54.129/32   | 2008-06-20 01:44:34+02 |   209 | US          |
ASN-QWEST - Qwest

Lawrence Baldwin
Chief Forensics Officer/
Cybercrime Investigator
myNetWatchman.com
Alpharetta, GA
+1.678.624.0924
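As an added example, not part of this thread or of CERT.at's report tooling: a small parser for the pipe-delimited per-ASN rows in the format of the line quoted above, which also flags the oddity Lawrence asks about (a /32 carrying a count above 1) and totals counts per ASN. The column meanings (count, prefix, last seen, ASN, country, AS name) are inferred from that one row and are an assumption; the sample rows other than the quoted one use RFC 5737 documentation addresses and are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input in the pipe-delimited layout of the quoted row.
# Column meaning (assumed): count | prefix | last seen | ASN | country | AS name.
# The first row is the one quoted in the thread; the rest are made up and use
# RFC 5737 documentation addresses and private-use ASNs. The last row is
# deliberately malformed to show that the parser skips it.
SAMPLE_ROWS = """\
   2 | 63.149.54.129/32   | 2008-06-20 01:44:34+02 |   209 | US          | ASN-QWEST - Qwest
   1 | 192.0.2.10/32      | 2008-06-21 10:02:11+02 | 64496 | MX          | EXAMPLE-AS-1
   3 | 198.51.100.0/24    | 2008-06-22 08:15:00+02 | 64496 | MX          | EXAMPLE-AS-1
   1 | 203.0.113.7/32     | 2008-06-23 23:59:59+02 | 64497 | BR          | EXAMPLE-AS-2
   not | a | valid | row
"""


def parse_row(line):
    """Parse one report row into a dict; return None for malformed rows."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        return None
    try:
        count = int(fields[0])
        # strict=True rejects prefixes with host bits set (e.g. 10.0.0.1/24)
        prefix = ipaddress.ip_network(fields[1], strict=True)
        asn = int(fields[3])
    except ValueError:
        return None
    return {
        "count": count,
        "prefix": prefix,
        "last_seen": fields[2],
        "asn": asn,
        "cc": fields[4],
        "as_name": fields[5],
    }


def parse_report(text):
    """Parse all rows of a report, silently dropping lines that do not parse."""
    rows = []
    for line in text.splitlines():
        row = parse_row(line)
        if row is not None:
            rows.append(row)
    return rows


def oversubscribed_hosts(rows):
    """Rows where a single host prefix (/32 for IPv4) carries a count above 1.

    That is the case raised in the thread: one address cannot hold more than
    one infected host, so such rows deserve a closer look (duplicate
    sightings, NAT, or a reporting bug) before being acted on.
    """
    return [
        r for r in rows
        if r["prefix"].prefixlen == r["prefix"].max_prefixlen and r["count"] > 1
    ]


def counts_by_asn(rows):
    """Total reported counts per ASN, the unit the report files are split by."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["asn"]] += r["count"]
    return dict(totals)


if __name__ == "__main__":
    rows = parse_report(SAMPLE_ROWS)
    print(f"parsed {len(rows)} rows")
    for r in oversubscribed_hosts(rows):
        print(f"check: {r['prefix']} reported with count {r['count']} (AS{r['asn']})")
    for asn, total in sorted(counts_by_asn(rows).items()):
        print(f"AS{asn}: {total}")
```

Rows that fail to parse are dropped rather than raising, so a single bad line in a large feed does not stop the whole import; for a production loader you would log them instead.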

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Stephen Gill
Sent: Friday, July 04, 2008 13:02
To: nsp-security NSP
Subject: [nsp-sec] 1Million Botnet Ips

----------- nsp-security Confidential --------

Hi Team,

Cert.at has assembled an excellent report on the nadnadzzz.info botnet along
with a large list of compromised IPs!  They have put together an analysis
summary and individual report files of compromised hosts sorted by ASN at
the following location:

    http://www.cert.at/static/xi3shiZiexu/ips_by_AS/
    username: nadnadzzz
    pass: letmein

Please do not share this URL outside of the nsp-sec community.  If you can
proxy for an entire country, you may be interested in perusing the cctld
files here:

    http://www.cert.at/static/xi3shiZiexu/ips_$CC.csv
    username: nadnadzzz
    pass: letmein
    * Where $CC is your ccTLD country code in capital letters (e.g. "MX")

The report, not for redistribution, can be found here:

    http://www.cert.at/static/xi3shiZiexu/botnetpaper2.pdf

Finally, here is a brief summary from their team:

> nadnadzzz.info botnet analysis
> ==============================
>
> CERT.at has been analysing the nadnadzzz.info botnet. We were able to 
> track the botnet and extract a list of affected IP addresses.
> It contains around 950,000 different IPs.
> While the list is probably not exhaustive and while we expect further 
> C&C servers, we want to share this info with concerned parties from 
> nsp-sec and the wider CERT community.

> C&C servers
> ----------------------
> 67.43.232.36/32 - seems to be down or blocks us as of 2008/06/30
> 211.95.79.151/32 - seems to be down or blocks us as of 2008/06/30
> 211.95.79.165/32 - seems to be down or blocks us as of 2008/06/30
> 220.196.42.156/32 - seems to be down or blocks us as of 2008/06/30
> 61.174.17.90/32  - alive as of 2008/06/30
> 61.174.17.89/32  - alive as of 2008/07/03 17:00    UTC+02
>
> Protocol: IRC
> Port: 7000
>
>
> 5 most affected countries:
>  cnt_ips | countrycode
> ---------+-------------
>   254660 | MX
>   202109 | BR
>    52377 | CL
>    50078 | IN
>    43725 | PL
>
>
> We would appreciate feedback at team at cert.at

Enjoy, and have a Happy 4th of July ;D.

Cheers,
Steve, Team Cymru.

--
Stephen Gill, Chief Scientist, Team Cymru http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com




_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________