[nsp-sec] 1Million Botnet Ips
Par Osterberg Medina
par.osterberg at sitic.se
Wed Jul 30 04:04:01 EDT 2008
Sorry for ACKing this so late. Vacation is a wonderful thing, at
least for me ;)
Proxy-ACK for the Swedish ASN in
http://www.cert.at/static/xi3shiZiexu/ips_SE.csv
Mvh / Regards
Pär Österberg Medina - Sitic, GovCERT-SE
Stephen Gill wrote:
> ----------- nsp-security Confidential --------
>
> Hi Team,
>
> Cert.at has assembled an excellent report on the nadnadzzz.info botnet along
> with a large list of compromised IPs! They have put together an analysis
> summary and individual report files of compromised hosts sorted by ASN at
> the following location:
>
> http://www.cert.at/static/xi3shiZiexu/ips_by_AS/
> username: nadnadzzz
> pass: letmein
>
> Please do not share this URL outside of the nsp-sec community. If you can
> proxy for an entire country, you may be interested in perusing the cctld
> files here:
>
> http://www.cert.at/static/xi3shiZiexu/ips_$CC.csv
> username: nadnadzzz
> pass: letmein
> * Where $CC is your ccTLD country code in capital letters (e.g. "MX")
>
> The report, not for redistribution, can be found here:
>
> http://www.cert.at/static/xi3shiZiexu/botnetpaper2.pdf
>
> Finally, here is a brief summary from their team:
>
>> nadnadzzz.info botnet analysis
>> ==============================
>>
>> CERT.at has been analysing the nadnadzzz.info botnet. We were able to track
>> the botnet and extract a list of affected IP addresses.
>> It contains around 950,000 different IPs.
>> While the list is probably not exhaustive and while we expect further C&C
>> servers, we want to share this info with concerned parties from nsp-sec and
>> the wider CERT community.
>
>> C&C servers
>> ----------------------
>> 67.43.232.36/32 - seems to be down or blocks us as of 2008/06/30
>> 211.95.79.151/32 - seems to be down or blocks us as of 2008/06/30
>> 211.95.79.165/32 - seems to be down or blocks us as of 2008/06/30
>> 220.196.42.156/32 - seems to be down or blocks us as of 2008/06/30
>> 61.174.17.90/32 - alive as of 2008/06/30
>> 61.174.17.89/32 - alive as of 2008/07/03 17:00 UTC+02
>>
>> Protocol: IRC
>> Port: 7000
>>
>>
>> 5 most affected countries:
>>  cnt_ips | countrycode
>> ---------+-------------
>>   254660 | MX
>>   202109 | BR
>>    52377 | CL
>>    50078 | IN
>>    43725 | PL
>>
>>
>> We would appreciate feedback at team at cert.at
>
> Enjoy, and have a Happy 4th of July ;D.
>
> Cheers,
> Steve, Team Cymru.
>
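An added example, not part of this thread or of CERT.at's tooling: it matches flow records against the C&C addresses and IRC port 7000 quoted in the summary above, so an operator can pick out the internal hosts to notify. The flow-record format and the sample records are constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# C&C addresses and port as listed in the CERT.at summary quoted above
# (the alive/down notes in that summary are as of the dates given there).
CNC_NETS = [ipaddress.ip_network(n) for n in (
    "67.43.232.36/32", "211.95.79.151/32", "211.95.79.165/32",
    "220.196.42.156/32", "61.174.17.90/32", "61.174.17.89/32",
)]
CNC_PORT = 7000  # IRC, per the summary

# Constructed sample flow records (not real data): time src:port dst:port proto
SAMPLE_FLOWS = """\
2008-07-03T15:02:11Z 192.0.2.17:51234 61.174.17.89:7000 tcp
2008-07-03T15:02:13Z 192.0.2.17:51235 198.51.100.5:80 tcp
2008-07-03T15:03:40Z 192.0.2.44:40122 220.196.42.156:7000 tcp
2008-07-03T15:04:02Z 192.0.2.44:40123 220.196.42.156:443 tcp
2008-07-03T15:05:00Z 192.0.2.9:3000 61.174.17.90:6667 tcp
"""

def _split_endpoint(ep: str):
    """'a.b.c.d:port' -> (ip_address, int port)."""
    host, port = ep.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)

def is_cnc_address(ip) -> bool:
    """True if ip falls inside any listed C&C network (prefixes allow widening later)."""
    return any(ip in net for net in CNC_NETS)

def find_cnc_contacts(flow_text: str) -> List[Dict]:
    """One record per flow whose destination is a listed C&C address.
    port_match says whether the destination port is the reported IRC port;
    contact on another port is still reported, since the list is IP-based."""
    hits = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records instead of aborting the scan
        ts, src, dst, _proto = fields
        src_ip, _ = _split_endpoint(src)
        dst_ip, dst_port = _split_endpoint(dst)
        if is_cnc_address(dst_ip):
            hits.append({"time": ts, "src": str(src_ip), "dst": str(dst_ip),
                         "dst_port": dst_port, "port_match": dst_port == CNC_PORT})
    return hits

def suspected_hosts(flow_text: str) -> List[str]:
    """Sorted, de-duplicated internal sources seen contacting a C&C address."""
    return sorted({h["src"] for h in find_cnc_contacts(flow_text)})

if __name__ == "__main__":
    for h in find_cnc_contacts(SAMPLE_FLOWS):
        print(h)
    print("suspected:", suspected_hosts(SAMPLE_FLOWS))
```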