[nsp-sec] 1Million Botnet Ips
Smith, Donald
Donald.Smith at qwest.com
Mon Jul 7 17:34:25 EDT 2008
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Lawrence Baldwin
> Sent: Saturday, July 05, 2008 9:14 AM
> To: 'nsp-security NSP'
> Subject: Re: [nsp-sec] 1Million Botnet Ips
>
> ----------- nsp-security Confidential --------
>
> How can the "count of infected IPs" be > 1 within a /32?
>
> e.g:
> 2 | 63.149.54.129/32 | 2008-06-20 01:44:34+02 | 209 | US | ASN-QWEST - Qwest
There are a lot of duplicates in there.
Given the time stamp that may make sense.
However, I had some that were reported over 100 times in that report,
excluding the count field.
I had 1588 entries with a count of 1 and 205 with a count of 2, so it is
not clear to me what the count field is for.
>
> Lawrence Baldwin
> Chief Forensics Officer/
> Cybercrime Investigator
> myNetWatchman.com
> Alpharetta, GA
> +1.678.624.0924
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Stephen Gill
> Sent: Friday, July 04, 2008 13:02
> To: nsp-security NSP
> Subject: [nsp-sec] 1Million Botnet Ips
>
> ----------- nsp-security Confidential --------
>
> Hi Team,
>
> Cert.at has assembled an excellent report on the nadnadzzz.info botnet along
> with a large list of compromised IPs! They have put together an analysis
> summary and individual report files of compromised hosts sorted by ASN at
> the following location:
>
> http://www.cert.at/static/xi3shiZiexu/ips_by_AS/
> username: nadnadzzz
> pass: letmein
>
> Please do not share this URL outside of the nsp-sec community. If you can
> proxy for an entire country, you may be interested in perusing the cctld
> files here:
>
> http://www.cert.at/static/xi3shiZiexu/ips_$CC.csv
> username: nadnadzzz
> pass: letmein
> * Where $CC is your ccTLD country code in capital letters (e.g. "MX")
>
> The report, not for redistribution, can be found here:
>
> http://www.cert.at/static/xi3shiZiexu/botnetpaper2.pdf
>
> Finally, here is a brief summary from their team:
>
> > nadnadzzz.info botnet analysis
> > ==============================
> >
> > CERT.at has been analysing the nadnadzzz.info botnet. We were able to
> > track the botnet and extract a list of affected IP addresses.
> > It contains around 950,000 different IPs.
> > While the list is probably not exhaustive and while we expect further
> > C&C servers, we want to share this info with concerned parties from
> > nsp-sec and the wider CERT community.
>
> > C&C servers
> > ----------------------
> > 67.43.232.36/32 - seems to be down or blocks us as of 2008/06/30
> > 211.95.79.151/32 - seems to be down or blocks us as of 2008/06/30
> > 211.95.79.165/32 - seems to be down or blocks us as of 2008/06/30
> > 220.196.42.156/32 - seems to be down or blocks us as of 2008/06/30
> > 61.174.17.90/32 - alive as of 2008/06/30
> > 61.174.17.89/32 - alive as of 2008/07/03 17:00 UTC+02
> >
> > Protocol: IRC
> > Port: 7000
> >
> >
> > 5 most affected countries:
> > cnt_ips | countrycode
> > ---------+-------------
> >  254660 | MX
> >  202109 | BR
> >   52377 | CL
> >   50078 | IN
> >   43725 | PL
> >
> >
> > We would appreciate feedback at team at cert.at
>
> Enjoy, and have a Happy 4th of July ;D.
>
> Cheers,
> Steve, Team Cymru.
>
> --
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
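A small added Python helper (not code from the thread or from CERT.at) that collapses the duplicate per-/32 rows Donald describes, sums the count field per host, and tallies unique hosts per ASN; the report lines, addresses and ASNs it reads are constructed samples in the column layout quoted above.

```python
# Assumed helper (not CERT.at's code) to collapse duplicate sightings in a
# per-ASN botnet report whose lines follow the layout quoted in the thread:
#   count | ip/32 | timestamp | asn | cc | as-name
from collections import defaultdict
from ipaddress import ip_network
# Constructed sample report using RFC 5737 documentation ranges; not real data.
SAMPLE_REPORT = """\
2 | 192.0.2.10/32 | 2008-06-20 01:44:34+02 | 64496 | US | EXAMPLE-AS - Example Net
1 | 192.0.2.10/32 | 2008-06-21 03:10:00+02 | 64496 | US | EXAMPLE-AS - Example Net
1 | 192.0.2.10/32 | 2008-06-22 08:00:00+02 | 64496 | US | EXAMPLE-AS - Example Net
1 | 198.51.100.7/32 | 2008-06-20 02:00:00+02 | 64497 | MX | OTHER-AS - Other Net
this line is malformed and must be skipped
1 | 203.0.113.5/32 | 2008-06-20 02:30:00+02 | 64497 | MX | OTHER-AS - Other Net
"""

def parse_lines(text):
    """Yield (count, ip, timestamp, asn, cc) for every well-formed report line."""
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("|")]
        if len(fields) < 5:
            continue  # malformed or truncated line
        try:
            count = int(fields[0])
            # Normalise "a.b.c.d/32" (or a bare address) to the plain address.
            ip = str(ip_network(fields[1], strict=False).network_address)
            asn = int(fields[3])
        except ValueError:
            continue  # bad count, address or ASN: skip rather than abort
        yield count, ip, fields[2], asn, fields[4]

def aggregate(text):
    """One record per host: rows seen, summed count field, first/last sighting."""
    # Timestamps are compared as strings; safe only because the report uses a
    # fixed "YYYY-MM-DD HH:MM:SS+TZ" layout with a single timezone offset.
    hosts = {}
    for count, ip, ts, asn, cc in parse_lines(text):
        h = hosts.setdefault(ip, {"rows": 0, "count": 0, "asn": asn, "cc": cc,
                                  "first": ts, "last": ts})
        h["rows"] += 1
        h["count"] += count
        h["first"] = min(h["first"], ts)
        h["last"] = max(h["last"], ts)
    return hosts

def hosts_per_asn(hosts):
    """Unique hosts per ASN: the number each operator actually has to clean up."""
    per_asn = defaultdict(set)
    for ip, h in hosts.items():
        per_asn[h["asn"]].add(ip)
    return {asn: len(ips) for asn, ips in per_asn.items()}
```

Feeding the real per-ASN file through `aggregate` shows at a glance whether a host's repeated rows come from re-sightings over time or from the count field itself.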