[nsp-sec] Tsunami susp EXEs - Was Re: Tsunami - Was Re: "Simplebot" -- a basic HTTP ddos bot

Hillar Aarelaid hillar.aarelaid at cert.ee
Wed Jul 16 05:59:49 EDT 2008


Please see the ASN list attached below.
link: https://asn.cymru.com/nsp-sec/upload/1216201852.whois.txt

Hillar

On Jul 15, 2008, at 7:56 PM, Stephen Gill wrote:

> Based on those, here's a list of likely suspect .EXEs they are peddling.
