[nsp-sec] [SPAM] RE: 1Million Botnet Ips
Yonglin ZHOU
yonglin.zhou at gmail.com
Sun Jul 6 23:07:33 EDT 2008
We meet the same problems.
When we provide bot-infected IP lists to ISPs, they ask for effective cleaning
tools. They said the end users usually do not have the ability to completely
clean the computer by themselves, though they know it is compromised.
We don't have a good solution.
YL.
On 7/6/08, Stephen Gill <gillsr at cymru.com> wrote:
>
> ----------- nsp-security Confidential --------
>
> IMHO once a system is owned, there is no limit on the number of
> possibilities of things that can be installed afterwards. While you might
> clean the initial infection malware you will likely be missing a whole lot
> more unless you wipe the slate clean. I.e. you might get the guy that broke
> the lock, but you won't necessarily find all the buddies he let in after he
> set up shop. I know we've seen at least 10 major variants of this with MANY
> individual samples inter-related. Finding one tool that cleans it all seems
> like quite a feat to accomplish.
>
> All that said, the cert.at team might have some more insight in the specific
> case of nadz*.
>
> -- steve
>
>
> On 7/5/08 10:54 AM, "Barry Raveendran Greene" <bgreene at senki.org> wrote:
>
> >
> > Do we have anything that effectively cleans it?
> >
> >
> >
> >> -----Original Message-----
> >> From: nsp-security-bounces at puck.nether.net
> >> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> >> Stephen Gill
> >> Sent: Friday, July 04, 2008 10:02 AM
> >> To: nsp-security NSP
> >> Subject: [nsp-sec] 1Million Botnet Ips
> >>
> >> ----------- nsp-security Confidential --------
> >>
> >> Hi Team,
> >>
> >> Cert.at has assembled an excellent report on the
> >> nadnadzzz.info botnet along with a large list of compromised
> >> IPs! They have put together an analysis summary and
> >> individual report files of compromised hosts sorted by ASN at
> >> the following location:
> >>
> >> http://www.cert.at/static/xi3shiZiexu/ips_by_AS/
> >> username: nadnadzzz
> >> pass: letmein
> >>
> >> Please do not share this URL outside of the nsp-sec
> >> community. If you can proxy for an entire country, you may
> >> be interested in perusing the cctld files here:
> >>
> >> http://www.cert.at/static/xi3shiZiexu/ips_$CC.csv
> >> username: nadnadzzz
> >> pass: letmein
> >> * Where $CC is your ccTLD country code in capital letters
> >> (e.g. "MX")
> >>
> >> The report, not for redistribution can be found here:
> >>
> >> http://www.cert.at/static/xi3shiZiexu/botnetpaper2.pdf
> >>
> >> Finally, here is a brief summary from their team:
> >>
> >>> nadnadzzz.info botnet analysis
> >>> ==============================
> >>>
> >>> CERT.at has been analysing the nadnadzzz.info botnet. We were able to
> >>> track the botnet and extract a list of affected IP addresses.
> >>> It contains around 950,000 different IPs.
> >>> While the list is probably not exhaustive and while we expect further
> >>> C&C servers, we want to share this info with concerned parties from
> >>> nsp-sec and the wider CERT community.
> >>
> >>> C&C servers
> >>> ----------------------
> >>> 67.43.232.36/32 - seems to be down or blocks us as of 2008/06/30
> >>> 211.95.79.151/32 - seems to be down or blocks us as of 2008/06/30
> >>> 211.95.79.165/32 - seems to be down or blocks us as of 2008/06/30
> >>> 220.196.42.156/32 - seems to be down or blocks us as of 2008/06/30
> >>> 61.174.17.90/32 - alive as of 2008/06/30
> >>> 61.174.17.89/32 - alive as of 2008/07/03 17:00 UTC+02
> >>>
> >>> Protocol: IRC
> >>> Port: 7000
> >>>
> >>>
> >>> 5 most affected countries:
> >>> cnt_ips | countrycode
> >>> ---------+-------------
> >>> 254660 | MX
> >>> 202109 | BR
> >>> 52377 | CL
> >>> 50078 | IN
> >>> 43725 | PL
> >>>
> >>>
> >>> We would appreciate feedback at team at cert.at
> >>
> >> Enjoy, and have a Happy 4th of July ;D.
> >>
> >> Cheers,
> >> Steve, Team Cymru.
> >>
> >> --
> >> Stephen Gill, Chief Scientist, Team Cymru
> >> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> nsp-security mailing list
> >> nsp-security at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/nsp-security
> >>
> >> Please do not Forward, CC, or BCC this E-mail outside of the
> >> nsp-security
> >> community. Confidentiality is essential for effective
> >> Internet security counter-measures.
> >> _______________________________________________
> >>
>
>
> --
>
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
>
--
-------[CNCERT/CC]-----------------------------------------------
Zhou, Yonglin 【周勇林】
CNCERT/CC, P.R.China 【国家计算机网络应急技术处理协调中心】
Tel: +86 10 82990355 Fax: +86 10 82990399 Web: www.cert.org.cn
Finger Print: 9AF3 E830 A350 218D BD2C 2B65 6F60 BEFB 3962 1C64
-----------------------------------------------[CNCERT/CC]-------
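The CERT.at summary quoted in the thread gives the indicators an ISP would actually act on: the C&C addresses, the protocol (IRC) and the port (7000), plus the idea of reporting compromised hosts grouped by network owner. The following is an added example, not code from the thread or from CERT.at or Team Cymru: it matches constructed flow records against those C&C indicators and groups the hits by a constructed prefix-to-owner table standing in for the per-ASN split the report files use. The flow line format and the owner table are assumptions for the example; the C&C addresses and port are the ones quoted above.

```python
import ipaddress
from collections import defaultdict

# C&C indicators quoted in the CERT.at summary above (IRC, TCP/7000).
# The /32 suffixes in the report denote single hosts.
CC_SERVERS = [
    "67.43.232.36/32",
    "211.95.79.151/32",
    "211.95.79.165/32",
    "220.196.42.156/32",
    "61.174.17.90/32",
    "61.174.17.89/32",
]
CC_PORT = 7000
CC_NETS = [ipaddress.ip_network(n) for n in CC_SERVERS]

# Constructed flow records in a hypothetical "ts src dst proto dport" layout
# (not any real collector's export format). One malformed line is included
# to show that parsing failures are skipped rather than aborting the scan.
SAMPLE_FLOWS = """\
2008-07-03T15:01:02Z 10.20.30.40 61.174.17.89 tcp 7000
2008-07-03T15:01:09Z 10.20.30.41 61.174.17.89 tcp 7000
2008-07-03T15:02:15Z 10.20.30.40 61.174.17.90 tcp 7000
2008-07-03T15:03:00Z 10.20.30.42 61.174.17.89 tcp 80
2008-07-03T15:03:30Z 10.20.30.43 198.51.100.7 tcp 7000
2008-07-03T15:04:00Z 10.20.30.40 61.174.17.89 tcp 7000
this line is malformed
"""

# Constructed prefix -> owner table; an ISP would substitute its own
# ASN or customer lookup here.
SAMPLE_OWNERS = {"10.20.30.0/24": "customer-A"}


def parse_flow(line):
    """Parse one flow line; return a dict or None if the line is unusable."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
        }
    except ValueError:
        return None


def is_cc_contact(flow):
    """True only for TCP flows to a listed C&C host on the IRC port.

    Requiring the port as well as the address keeps unrelated traffic to the
    same host (the port-80 flow in the sample) from being flagged.
    """
    return (
        flow["proto"] == "tcp"
        and flow["dport"] == CC_PORT
        and any(flow["dst"] in net for net in CC_NETS)
    )


def find_infected(flow_text):
    """Return {source_ip: {"hits": n, "servers": [...]}} for sources seen talking to a C&C."""
    hits = defaultdict(lambda: {"hits": 0, "servers": set()})
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None or not is_cc_contact(flow):
            continue
        rec = hits[str(flow["src"])]
        rec["hits"] += 1
        rec["servers"].add(str(flow["dst"]))
    return {src: {"hits": r["hits"], "servers": sorted(r["servers"])}
            for src, r in hits.items()}


def group_by_owner(results, owners=SAMPLE_OWNERS):
    """Group flagged sources by the owner of their prefix, like the per-ASN report files."""
    nets = {ipaddress.ip_network(p): label for p, label in owners.items()}
    grouped = defaultdict(list)
    for src in sorted(results, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(src)
        label = next((lbl for net, lbl in nets.items() if addr in net), "unknown")
        grouped[label].append(src)
    return dict(grouped)


if __name__ == "__main__":
    infected = find_infected(SAMPLE_FLOWS)
    for owner, hosts in group_by_owner(infected).items():
        print(f"{owner}:")
        for host in hosts:
            rec = infected[host]
            print(f"  {host}  {rec['hits']} contact(s) to {', '.join(rec['servers'])}")
```

Running the script on the constructed sample reports two hosts under customer-A; the host that only reached a C&C address on port 80 and the host that reached an unlisted address on port 7000 are both left out, which is the distinction a notification to a customer needs to get right.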