[nsp-sec] [SPAM] RE: 1Million Botnet Ips
Stephen Gill
gillsr at cymru.com
Sat Jul 5 14:01:46 EDT 2008
IMHO once a system is owned, there is no limit on the number of
possibilities of things that can be installed afterwards. While you might
clean the initial infection malware, you will likely be missing a whole lot
more unless you wipe the slate clean. I.e., you might get the guy that broke
the lock, but you won't necessarily find all the buddies he let in after he
set up shop. I know we've seen at least 10 major variants of this with MANY
individual samples inter-related. Finding one tool that cleans it all seems
like quite a feat to accomplish.
All that said, the cert.at team might have some more insight in the specific
case of nadz*.
-- steve
On 7/5/08 10:54 AM, "Barry Raveendran Greene" <bgreene at senki.org> wrote:
>
> Do we have anything that effectively cleans it?
>
>
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> Stephen Gill
>> Sent: Friday, July 04, 2008 10:02 AM
>> To: nsp-security NSP
>> Subject: [nsp-sec] 1Million Botnet Ips
>>
>> ----------- nsp-security Confidential --------
>>
>> Hi Team,
>>
>> Cert.at has assembled an excellent report on the
>> nadnadzzz.info botnet along with a large list of compromised
>> IPs! They have put together an analysis summary and
>> individual report files of compromised hosts sorted by ASN at
>> the following location:
>>
>> http://www.cert.at/static/xi3shiZiexu/ips_by_AS/
>> username: nadnadzzz
>> pass: letmein
>>
>> Please do not share this URL outside of the nsp-sec
>> community. If you can proxy for an entire country, you may
>> be interested in perusing the cctld files here:
>>
>> http://www.cert.at/static/xi3shiZiexu/ips_$CC.csv
>> username: nadnadzzz
>> pass: letmein
>> * Where $CC is your ccTLD country code in capital letters
>> (e.g. "MX")
>>
>> The report, not for redistribution can be found here:
>>
>> http://www.cert.at/static/xi3shiZiexu/botnetpaper2.pdf
>>
>> Finally, here is a brief summary from their team:
>>
>>> nadnadzzz.info botnet analysis
>>> ==============================
>>>
>>> CERT.at has been analysing the nadnadzzz.info botnet. We were able to
>>> track the botnet and extract a list of affected IP addresses.
>>> It contains around 950,000 different IPs.
>>> While the list is probably not exhaustive and while we expect further
>>> C&C servers, we want to share this info with concerned parties from
>>> nsp-sec and the wider CERT community.
>>
>>> C&C servers
>>> ----------------------
>>> 67.43.232.36/32 - seems to be down or blocks us as of 2008/06/30
>>> 211.95.79.151/32 - seems to be down or blocks us as of 2008/06/30
>>> 211.95.79.165/32 - seems to be down or blocks us as of 2008/06/30
>>> 220.196.42.156/32 - seems to be down or blocks us as of 2008/06/30
>>> 61.174.17.90/32 - alive as of 2008/06/30
>>> 61.174.17.89/32 - alive as of 2008/07/03 17:00 UTC+02
>>>
>>> Protocol: IRC
>>> Port: 7000
>>>
>>>
>>> 5 most affected countries:
>>> cnt_ips | countrycode
>>> ---------+-------------
>>> 254660 | MX
>>> 202109 | BR
>>> 52377 | CL
>>> 50078 | IN
>>> 43725 | PL
>>>
>>>
>>> We would appreciate feedback at team at cert.at
>>
>> Enjoy, and have a Happy 4th of July ;D.
>>
>> Cheers,
>> Steve, Team Cymru.
>>
>> --
>> Stephen Gill, Chief Scientist, Team Cymru
>> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
>>
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the
>> nsp-security
>> community. Confidentiality is essential for effective
>> Internet security counter-measures.
>> _______________________________________________
>>
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
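As an added defender-side example, not code from the thread or from CERT.at: this parses the C&C server list exactly as posted in the summary above, then matches flow records against it on the IRC port 7000 the report names. The flow records and the internal 10.1.x.x addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# C&C list verbatim from the CERT.at summary quoted in the thread.
CC_LIST = """\
67.43.232.36/32 - seems to be down or blocks us as of 2008/06/30
211.95.79.151/32 - seems to be down or blocks us as of 2008/06/30
211.95.79.165/32 - seems to be down or blocks us as of 2008/06/30
220.196.42.156/32 - seems to be down or blocks us as of 2008/06/30
61.174.17.90/32 - alive as of 2008/06/30
61.174.17.89/32 - alive as of 2008/07/03 17:00 UTC+02
"""
CC_PORT = 7000  # IRC C&C port named in the report

# "<prefix> - <status text> as of <YYYY/MM/DD>[ time]"
LINE_RE = re.compile(r"^(\S+)\s+-\s+(.*?)\s+as of\s+(\d{4}/\d{2}/\d{2})")

def parse_cc_list(text):
    """Return {"a.b.c.d/32": (status, date)}; status is 'alive' or 'down'."""
    servers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        net = str(ipaddress.ip_network(m.group(1), strict=False))
        status = "alive" if m.group(2).startswith("alive") else "down"
        servers[net] = (status, m.group(3))
    return servers

# Constructed flow records (src, dst, dport, proto); not real traffic.
SAMPLE_FLOWS = [
    ("10.1.2.3", "61.174.17.89", 7000, "tcp"),
    ("10.1.2.3", "61.174.17.89", 7000, "tcp"),
    ("10.1.9.9", "67.43.232.36", 7000, "tcp"),  # dormant C&C: bot still trying
    ("10.1.4.4", "8.8.8.8", 53, "udp"),
    ("10.1.5.5", "61.174.17.90", 443, "tcp"),   # C&C IP, but not the IRC port
]

def find_infected(flows, servers, port=CC_PORT):
    """Map internal source IP -> set of (C&C address, status) it contacted on the C&C port."""
    nets = {ipaddress.ip_network(n): s for n, (s, _) in servers.items()}
    hits = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto != "tcp" or dport != port:
            continue
        dst_ip = ipaddress.ip_address(dst)
        for net, status in nets.items():
            if dst_ip in net:
                hits[src].add((str(net.network_address), status))
    return dict(hits)
```

Hosts that keep contacting a server already marked "down" are still infected and belong on the same cleanup list as those reaching the live servers.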