[nsp-sec] 1Million Botnet Ips

Juan Carlos Guel Lopez cguel at seguridad.unam.mx
Fri Jul 11 01:23:39 EDT 2008


Hi list,

We've been working with Mexican ISPs and have notified most of them.

UNAM-CERT notified the following ASNs, with the number of IPs reported on the
list at Cert.at:

--------------

 ASN   | Name                               | Number of incidents with IPs | No. of infected IPs
-------+------------------------------------+------------------------------+--------------------
 8151  | Uninet S.A. de C.V.                | 1835953                      | 196215
 13999 | MegaCable SA de CV                 | 139463                       | 20958
 6332  | Telefonos del Noroeste S.A. de     | 95759                        | 6754
 11172 | Alestra                            | 39001                        | 2897
 11888 | Television Internacional S.A.      | 29346                        | 1023
 6503  | Avantel, S.A.                      | 27173                        | 4079
 14000 | AXTEL, S.A. de C.V.                | 25585                        | 3777
 16960 | Cablevision Red S.A. de C.V.       | 18559                        | 1749
 22773 | CCINET-2 - Cox Communications Inc. | 14156                        | 1758
 22566 | MAXCOM Telecomunicaciones SA d     | 11889                        | 288
 2549  | Universidad de Guadalajara         | 4887                         | 250
 27672 | Tele Cable Centro Occidente S.     | 4298                         | 714
 18734 | BESTEL S.A. de C.V.                | 3825                         | 270
 19332 | Marcatel                           | 2923                         | 72
 16531 | Operadora Protel S.A. de C.V.      | 1713                         | 19
 10706 | Gemtel, S.A. de C.V.               | 1344                         | 62
 14178 | MEGACABLE COMUNICACIONES DE ME     | 1111                         | 132
 27673 | Instituto Nacional de Estadist     | 905                          | 2
 22908 | Sixsigma Networks Mexico           | 860                          | 7
 10436 | ITESM - Rectoria Zona Sur          | 782                          | 134
 18592 | CUDI                               | 746                          | 43
 2904  | Universidad Autonoma de Cd. Ju     | 607                          | 100
 22882 | Cemex Mexico                       | 460                          | 1
 21603 | Universidad La Salle, AC           | 366                          | 21
 13579 | INFOTEC-CONACYT Fideicomiso        | 364                          | 7
 7125  | Universidad de Monterrey           | 348                          | 9
 7438  | Telefónica Data México SA de C     | 315                          | 16
 2708  | Universidad de Guanajuato          | 270                          | 28
 7184  | Universidad Veracruzana            | 187                          | 10
 4493  | Universidad de Sonora              | 151                          | 40


Regards
--JC GUEL

On Fri, 4 Jul 2008, Stephen Gill wrote:

> ----------- nsp-security Confidential --------
>
> Hi Team,
>
> Cert.at has assembled an excellent report on the nadnadzzz.info botnet along
> with a large list of compromised IPs!  They have put together an analysis
> summary and individual report files of compromised hosts sorted by ASN at
> the following location:
>
>     http://www.cert.at/static/xi3shiZiexu/ips_by_AS/
>     username: nadnadzzz
>     pass: letmein
>
> Please do not share this URL outside of the nsp-sec community.  If you can
> proxy for an entire country, you may be interested in perusing the ccTLD
> files here:
>
>     http://www.cert.at/static/xi3shiZiexu/ips_$CC.csv
>     username: nadnadzzz
>     pass: letmein
>     * Where $CC is your ccTLD country code in capital letters (e.g. "MX")
>
> The report, not for redistribution, can be found here:
>
>     http://www.cert.at/static/xi3shiZiexu/botnetpaper2.pdf
>
> Finally, here is a brief summary from their team:
>
> > nadnadzzz.info botnet analysis
> > ==============================
> >
> > CERT.at has been analysing the nadnadzzz.info botnet. We were able to track
> > the botnet and extract a list of affected IP addresses.
> > It contains around 950,000 different IPs.
> > While the list is probably not exhaustive and while we expect further C&C
> > servers, we want to share this info with concerned parties from nsp-sec and
> > the wider CERT community.
>
> > C&C servers
> > ----------------------
> > 67.43.232.36/32 - seems to be down or blocks us as of 2008/06/30
> > 211.95.79.151/32 - seems to be down or blocks us as of 2008/06/30
> > 211.95.79.165/32 - seems to be down or blocks us as of 2008/06/30
> > 220.196.42.156/32 - seems to be down or blocks us as of 2008/06/30
> > 61.174.17.90/32  - alive as of 2008/06/30
> > 61.174.17.89/32  - alive as of 2008/07/03 17:00    UTC+02
> >
> > Protocol: IRC
> > Port: 7000
> >
> >
> > 5 most affected countries:
> >  cnt_ips | countrycode
> > ---------+-------------
> >   254660 | MX
> >   202109 | BR
> >    52377 | CL
> >    50078 | IN
> >    43725 | PL
> >
> >
> > We would appreciate feedback at team at cert.at
>
> Enjoy, and have a Happy 4th of July ;D.
>
> Cheers,
> Steve, Team Cymru.
>
> --
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
