[nsp-sec] 1Million Botnet Ips
Barry Raveendran Greene
bgreene at senki.org
Sat Jul 5 13:54:51 EDT 2008
Do we have anything that effectively cleans it?
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Stephen Gill
> Sent: Friday, July 04, 2008 10:02 AM
> To: nsp-security NSP
> Subject: [nsp-sec] 1Million Botnet Ips
>
> ----------- nsp-security Confidential --------
>
> Hi Team,
>
> Cert.at has assembled an excellent report on the
> nadnadzzz.info botnet along with a large list of compromised
> IPs! They have put together an analysis summary and
> individual report files of compromised hosts sorted by ASN at
> the following location:
>
> http://www.cert.at/static/xi3shiZiexu/ips_by_AS/
> username: nadnadzzz
> pass: letmein
>
> Please do not share this URL outside of the nsp-sec
> community. If you can proxy for an entire country, you may
> be interested in perusing the cctld files here:
>
> http://www.cert.at/static/xi3shiZiexu/ips_$CC.csv
> username: nadnadzzz
> pass: letmein
> * Where $CC is your ccTLD country code in capital letters
> (e.g. "MX")
>
> The report, not for redistribution, can be found here:
>
> http://www.cert.at/static/xi3shiZiexu/botnetpaper2.pdf
>
> Finally, here is a brief summary from their team:
>
> > nadnadzzz.info botnet analysis
> > ==============================
> >
> > CERT.at has been analysing the nadnadzzz.info botnet. We were able to
> > track the botnet and extract a list of affected IP addresses.
> > It contains around 950,000 different IPs.
> > While the list is probably not exhaustive and while we expect further
> > C&C servers, we want to share this info with concerned parties from
> > nsp-sec and the wider CERT community.
>
> > C&C servers
> > ----------------------
> > 67.43.232.36/32 - seems to be down or blocks us as of 2008/06/30
> > 211.95.79.151/32 - seems to be down or blocks us as of 2008/06/30
> > 211.95.79.165/32 - seems to be down or blocks us as of 2008/06/30
> > 220.196.42.156/32 - seems to be down or blocks us as of 2008/06/30
> > 61.174.17.90/32 - alive as of 2008/06/30
> > 61.174.17.89/32 - alive as of 2008/07/03 17:00 UTC+02
> >
> > Protocol: IRC
> > Port: 7000
> >
> >
> > 5 most affected countries:
> > cnt_ips | countrycode
> > ---------+-------------
> > 254660 | MX
> > 202109 | BR
> > 52377 | CL
> > 50078 | IN
> > 43725 | PL
> >
> >
> > We would appreciate feedback at team at cert.at
>
> Enjoy, and have a Happy 4th of July ;D.
>
> Cheers,
> Steve, Team Cymru.
>
> --
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
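An added example, not part of either message and not CERT.at's or Team Cymru's tooling: one way an operator could check exported flow records for customer hosts talking to the C&C addresses and port listed in the quoted summary. The CSV column layout, the function names and the sample flows are assumptions constructed for illustration.

```python
import csv, io, ipaddress
from collections import defaultdict

# C&C prefixes and port exactly as listed in the CERT.at summary quoted above.
CNC_PREFIXES = [ipaddress.ip_network(p) for p in (
    "67.43.232.36/32", "211.95.79.151/32", "211.95.79.165/32",
    "220.196.42.156/32", "61.174.17.90/32", "61.174.17.89/32")]
CNC_PORT = 7000  # IRC, per the summary

# Constructed flow export (not real data); the column layout is an assumption.
# Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,bytes
2008-07-05T10:00:01Z,192.0.2.10,61.174.17.89,tcp,7000,412
2008-07-05T10:00:07Z,192.0.2.10,61.174.17.89,tcp,7000,96
2008-07-05T10:01:30Z,198.51.100.7,61.174.17.90,tcp,80,1500
2008-07-05T10:02:00Z,203.0.113.5,198.51.100.99,tcp,7000,300
2008-07-05T10:03:12Z,192.0.2.44,211.95.79.151,tcp,7000,60
2008-07-05T10:04:00Z,not-an-ip,61.174.17.89,tcp,7000,60
"""

def is_cnc(addr):
    return any(addr in net for net in CNC_PREFIXES)

def find_suspect_hosts(flow_csv):
    """Group TCP flows to a listed C&C address on the C&C port by source IP.
    Assumes records are in time order, so first/last are the first and last seen."""
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0, "first": None,
                                "last": None, "cnc": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            proto = row["proto"].lower()
            dport, nbytes = int(row["dport"]), int(row["bytes"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed records rather than abort the run
        if proto != "tcp" or dport != CNC_PORT or not is_cnc(dst):
            continue
        h = hits[str(src)]
        h["flows"] += 1
        h["bytes"] += nbytes
        h["first"] = h["first"] or row["ts"]
        h["last"] = row["ts"]
        h["cnc"].add(str(dst))
    return dict(hits)

if __name__ == "__main__":
    for src, h in sorted(find_suspect_hosts(SAMPLE_FLOWS).items()):
        print(src, h["flows"], h["bytes"], h["first"], h["last"], sorted(h["cnc"]))
```

Port 7000 traffic to unlisted destinations and traffic to a listed address on another port are deliberately not counted, which keeps the output to hosts matching both indicators from the summary.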