[nsp-sec] 1Million Botnet Ips

Taka Mizuguchi taka at nttv6.jp
Mon Jul 7 07:55:00 EDT 2008 

ACK for japanese ASNs.

On Fri, 04 Jul 2008 10:01:32 -0700
Stephen Gill <gillsr at cymru.com> wrote:

> ----------- nsp-security Confidential --------
> 
> Hi Team,
> 
> Cert.at has assembled an excellent report on the nadnadzzz.info botnet along
> with a large list of compromised IPs!  They have put together an analysis
> summary and individual report files of compromised hosts sorted by ASN at
> the following location:
> 
>     http://www.cert.at/static/xi3shiZiexu/ips_by_AS/
>     username: nadnadzzz
>     pass: letmein
> 
> Please do not share this URL outside of the nsp-sec community.  If you can
> proxy for an entire country, you may be interested in perusing the cctld
> files here:
> 
>     http://www.cert.at/static/xi3shiZiexu/ips_$CC.csv
>     username: nadnadzzz
>     pass: letmein
>     * Where $CC is your ccTLD country code in capital letters (e.g. "MX")
> 
> The report, not for redistribution can be found here:
> 
>     http://www.cert.at/static/xi3shiZiexu/botnetpaper2.pdf
> 
> Finally, here is a brief summary from their team:
> 
> > nadnadzzz.info botnet analysis
> > ==============================
> >
> > CERT.at has been analysing the nadnadzzz.info botnet. We were able to track
> > the botnet and extract a list of affected IP addresses.
> > It contains around 950,000 different IPs.
> > While the list is probably not exhaustive and while we expect further C&C
> > servers, we want to share this info with concerned parties from ns-psec and
> > the wider CERT community.
> 
> > C&C servers
> > ----------------------
> > 67.43.232.36/32 - seems to be down or blocks us as of 2008/06/30
> > 211.95.79.151/32 - seems to be down or blocks us as of 2008/06/30
> > 211.95.79.165/32 - seems to be down or blocks us as of 2008/06/30
> > 220.196.42.156/32 - seems to be down or blocks us as of 2008/06/30
> > 61.174.17.90/32  - alive as of 2008/06/30
> > 61.174.17.89/32  - alive as of 2008/07/03 17:00    UTC+02
> >
> > Protocol: IRC
> > Port: 7000
> >
> >
> > 5 most affected countries:
> >  cnt_ips | countrycode
> >     ---------+-------------
> >  254660 | MX
> >  202109 | BR
> >   52377  | CL
> >   50078  | IN
> >   43725  | PL
> >
> >
> > We would appreciate feedback at team at cert.at
> 
> Enjoy, and have a Happy 4th of July ;D.
> 
> Cheers,
> Steve, Team Cymru.
> 
> -- 
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
> 
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________

-- 
Taka Mizuguchi <taka at nttv6.jp>

More information about the nsp-security mailing list