[nsp-sec] 1Million Botnet Ips

Stephen Gill gillsr at cymru.com
Sat Jul 5 11:53:47 EDT 2008


That's a great question that I don't know the answer to.  I would suggest
you might want to hit them up at the e-mail alias they sent at the bottom
for follow-ups.  They may expect the question to come from Qwest though :).

Cheers,
-- steve

On 7/5/08 8:14 AM, "Lawrence Baldwin" <baldwinl at mynetwatchman.com> wrote:

> ----------- nsp-security Confidential --------
> 
> How can the "count of infected IPs" be > 1 within a /32?
> 
> e.g:
>    2 | 63.149.54.129/32   | 2008-06-20 01:44:34+02 |   209 | US          |
> ASN-QWEST - Qwest
> 
> Lawrence Baldwin
> Chief Forensics Officer/
> Cybercrime Investigator
> myNetWatchman.com
> Alpharetta, GA
> +1.678.624.0924
> 
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Stephen Gill
> Sent: Friday, July 04, 2008 13:02
> To: nsp-security NSP
> Subject: [nsp-sec] 1Million Botnet Ips
> 
> ----------- nsp-security Confidential --------
> 
> Hi Team,
> 
> Cert.at has assembled an excellent report on the nadnadzzz.info botnet along
> with a large list of compromised IPs!  They have put together an analysis
> summary and individual report files of compromised hosts sorted by ASN at
> the following location:
> 
>     http://www.cert.at/static/xi3shiZiexu/ips_by_AS/
>     username: nadnadzzz
>     pass: letmein
> 
> Please do not share this URL outside of the nsp-sec community.  If you can
> proxy for an entire country, you may be interested in perusing the cctld
> files here:
> 
>     http://www.cert.at/static/xi3shiZiexu/ips_$CC.csv
>     username: nadnadzzz
>     pass: letmein
>     * Where $CC is your ccTLD country code in capital letters (e.g. "MX")
> 
> The report, not for redistribution can be found here:
> 
>     http://www.cert.at/static/xi3shiZiexu/botnetpaper2.pdf
> 
> Finally, here is a brief summary from their team:
> 
>> nadnadzzz.info botnet analysis
>> ==============================
>> 
>> CERT.at has been analysing the nadnadzzz.info botnet. We were able to
>> track the botnet and extract a list of affected IP addresses.
>> It contains around 950,000 different IPs.
>> While the list is probably not exhaustive and while we expect further
>> C&C servers, we want to share this info with concerned parties from
>> nsp-sec and the wider CERT community.
> 
>> C&C servers
>> ----------------------
>> 67.43.232.36/32 - seems to be down or blocks us as of 2008/06/30
>> 211.95.79.151/32 - seems to be down or blocks us as of 2008/06/30
>> 211.95.79.165/32 - seems to be down or blocks us as of 2008/06/30
>> 220.196.42.156/32 - seems to be down or blocks us as of 2008/06/30
>> 61.174.17.90/32  - alive as of 2008/06/30
>> 61.174.17.89/32  - alive as of 2008/07/03 17:00    UTC+02
>> 
>> Protocol: IRC
>> Port: 7000
>> 
>> 
>> 5 most affected countries:
>>  cnt_ips | countrycode
>> ---------+-------------
>>  254660  | MX
>>  202109  | BR
>>   52377  | CL
>>   50078  | IN
>>   43725  | PL
>> 
>> 
>> We would appreciate feedback at team at cert.at
> 
> Enjoy, and have a Happy 4th of July ;D.
> 
> Cheers,
> Steve, Team Cymru.
> 
> --
> Stephen Gill, Chief Scientist, Team Cymru http://www.cymru.com | +1 312 924
> 4023 | gillsr at cymru.com
> 
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
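An added example, not part of the thread or of CERT.at's report: a small Python triage helper that parses rows in the pipe-separated layout quoted above (count | prefix | first seen | ASN | CC | AS name), flags entries whose count exceeds the number of addresses in the prefix (the /32 case Lawrence asked about) so they can be sent back to the report authors for clarification, and totals counts per ASN. The first sample row is the one quoted in the thread; the rest are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List

# Constructed sample in the layout of the per-ASN report rows quoted in the
# thread. The first row is the one from the thread; the others are made up
# (documentation prefixes and private-use ASNs) for this example.
SAMPLE_ROWS = """\
   2 | 63.149.54.129/32   | 2008-06-20 01:44:34+02 |   209 | US | ASN-QWEST - Qwest
   1 | 192.0.2.10/32      | 2008-06-21 10:02:11+02 | 64500 | MX | EXAMPLE-AS-1 (constructed)
   1 | 198.51.100.7/32    | 2008-06-22 03:15:00+02 | 64500 | MX | EXAMPLE-AS-1 (constructed)
   3 | 203.0.113.0/30     | 2008-06-23 08:45:59+02 | 64501 | BR | EXAMPLE-AS-2 (constructed)
"""


@dataclass
class Row:
    count: int
    prefix: str
    first_seen: str
    asn: int
    cc: str
    as_name: str


def parse_rows(text: str) -> List[Row]:
    """Parse the six pipe-separated columns; reject malformed rows and prefixes."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 6:
            raise ValueError(f"unexpected column count in row: {line!r}")
        count, prefix, first_seen, asn, cc, as_name = fields
        ip_network(prefix, strict=False)  # raises ValueError on a bad prefix
        rows.append(Row(int(count), prefix, first_seen, int(asn), cc, as_name))
    return rows


def count_exceeds_prefix(rows: List[Row]) -> List[Row]:
    """Rows reporting more infected IPs than the prefix can hold, e.g. a /32
    (one address) with count > 1. Hold these for clarification from the
    report authors rather than acting on them."""
    return [r for r in rows if r.count > ip_network(r.prefix, strict=False).num_addresses]


def per_asn_totals(rows: List[Row]) -> Dict[int, int]:
    """Sum reported counts per ASN, the unit the report files are split by."""
    totals: Dict[int, int] = {}
    for r in rows:
        totals[r.asn] = totals.get(r.asn, 0) + r.count
    return totals
```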