[nsp-sec] 1Million Botnet Ips
Yiming Gong
yiming.gong at xo.com
Mon Jul 7 10:39:20 EDT 2008
Ack 2828
And one of these XO IPs (216.99.240.221) is being marked as a Beagle-infected
host by Team Cymru's data.
207.155.216.67
208.176.88.171
216.1.176.121
216.99.240.221
67.88.136.34
67.91.109.138
67.91.13.133
67.94.160.100
Thanks!
Yiming
Stephen Gill wrote:
> ----------- nsp-security Confidential --------
>
> Hi Team,
>
> Cert.at has assembled an excellent report on the nadnadzzz.info botnet along
> with a large list of compromised IPs! They have put together an analysis
> summary and individual report files of compromised hosts sorted by ASN at
> the following location:
>
> http://www.cert.at/static/xi3shiZiexu/ips_by_AS/
> username: nadnadzzz
> pass: letmein
>
> Please do not share this URL outside of the nsp-sec community. If you can
> proxy for an entire country, you may be interested in perusing the cctld
> files here:
>
> http://www.cert.at/static/xi3shiZiexu/ips_$CC.csv
> username: nadnadzzz
> pass: letmein
> * Where $CC is your ccTLD country code in capital letters (e.g. "MX")
>
> The report, not for redistribution can be found here:
>
> http://www.cert.at/static/xi3shiZiexu/botnetpaper2.pdf
>
> Finally, here is a brief summary from their team:
>
>
>> nadnadzzz.info botnet analysis
>> ==============================
>>
>> CERT.at has been analysing the nadnadzzz.info botnet. We were able to track
>> the botnet and extract a list of affected IP addresses.
>> It contains around 950,000 different IPs.
>> While the list is probably not exhaustive and while we expect further C&C
>> servers, we want to share this info with concerned parties from nsp-sec and
>> the wider CERT community.
>>
>
>
>> C&C servers
>> ----------------------
>> 67.43.232.36/32 - seems to be down or blocks us as of 2008/06/30
>> 211.95.79.151/32 - seems to be down or blocks us as of 2008/06/30
>> 211.95.79.165/32 - seems to be down or blocks us as of 2008/06/30
>> 220.196.42.156/32 - seems to be down or blocks us as of 2008/06/30
>> 61.174.17.90/32 - alive as of 2008/06/30
>> 61.174.17.89/32 - alive as of 2008/07/03 17:00 UTC+02
>>
>> Protocol: IRC
>> Port: 7000
>>
>>
>> 5 most affected countries:
>> cnt_ips | countrycode
>> ---------+-------------
>> 254660 | MX
>> 202109 | BR
>> 52377 | CL
>> 50078 | IN
>> 43725 | PL
>>
>>
>> We would appreciate feedback at team at cert.at
>>
>
> Enjoy, and have a Happy 4th of July ;D.
>
> Cheers,
> Steve, Team Cymru.
>
>
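The reply above does by hand what every operator on the list has to do with a report like this: pull the addresses that fall inside their own prefixes, then check whether any of those hosts are actually talking to the published C&C addresses. The script below is an added example for this thread, not code from CERT.at, Team Cymru or XO. The only values taken from the page are the six C&C addresses and IRC port 7000; the CSV column layout (`ip,countrycode`), the operator prefixes (`MY_PREFIXES`) and the flow records are constructed sample data, because the report's real file format is not shown on the page.

```python
"""
Triage a shared list of compromised IPs against an operator's own prefixes,
and flag flow records that reach the published C&C addresses on IRC/7000.

Added example for this thread; not code from CERT.at, Team Cymru or XO.
C&C addresses and port come from the quoted CERT.at summary; the CSV
layout, prefixes and flow records below are constructed sample data.
"""
import csv
import io
import ipaddress
from collections import Counter

# C&C addresses and port exactly as listed in the quoted CERT.at summary.
CC_HOSTS = frozenset({
    "67.43.232.36", "211.95.79.151", "211.95.79.165",
    "220.196.42.156", "61.174.17.90", "61.174.17.89",
})
CC_PORT = 7000

# Constructed stand-in for a per-country file (ips_$CC.csv). The report's
# real column layout is not on the page, so "ip,countrycode" is an assumption.
# The last row is deliberately malformed to exercise the parser's skip path.
SAMPLE_CSV = """ip,countrycode
192.0.2.15,BR
198.51.100.200,CL
203.0.113.9,IN
203.0.113.77,MX
192.0.2.200,MX
not-an-ip,MX
"""

# Constructed operator prefixes: the equivalent of "the netblocks in my ASN".
MY_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed flow records: "timestamp src dst dport proto".
SAMPLE_FLOWS = """2008-07-03T15:00:01Z 192.0.2.15 61.174.17.89 7000 tcp
2008-07-03T15:00:02Z 192.0.2.15 192.0.2.1 53 udp
2008-07-03T15:00:03Z 198.51.100.200 61.174.17.90 7000 tcp
2008-07-03T15:00:04Z 198.51.100.7 61.174.17.90 80 tcp
2008-07-03T15:00:05Z 203.0.113.9 67.43.232.36 7000 tcp
"""


def parse_compromised_hosts(csv_text):
    """Return [(IPv4Address, countrycode)], skipping rows whose address does not parse."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            rows.append((ipaddress.ip_address(row["ip"].strip()), row["countrycode"].strip()))
        except ValueError:
            continue  # malformed address: skip the row rather than abort the whole run
    return rows


def hosts_in_my_prefixes(rows, prefixes):
    """Addresses from the shared list that fall inside the operator's prefixes, in address order."""
    mine = (ip for ip, _ in rows if any(ip in net for net in prefixes))
    return [str(ip) for ip in sorted(mine)]


def top_countries(rows, n=5):
    """Most affected country codes, the same aggregation as the report's summary table."""
    return Counter(cc for _, cc in rows).most_common(n)


def flag_cc_flows(flow_text, cc_hosts=CC_HOSTS, cc_port=CC_PORT):
    """Return (src, dst) for every flow whose destination is a listed C&C address on the IRC port."""
    hits = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # ignore blank or truncated records
        _, src, dst, dport, _ = parts
        if dst in cc_hosts and dport == str(cc_port):
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    rows = parse_compromised_hosts(SAMPLE_CSV)
    print("listed hosts inside my prefixes:", hosts_in_my_prefixes(rows, MY_PREFIXES))
    print("top countries:", top_countries(rows))
    print("flows to C&C on port 7000:", flag_cc_flows(SAMPLE_FLOWS))
```

Matching on prefix rather than on ASN string avoids trusting the report's own ASN attribution, and the flow check only fires on the exact C&C addresses and port the report names, so it stays quiet on ordinary IRC traffic to other destinations.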