[nsp-sec] Ping Yahoo: C&C domain at Yahoo NS (chat-shqip.org)
Dave Woutersen (GOVCERT.NL)
dave.woutersen at govcert.nl
Fri Jun 13 09:25:58 EDT 2008
Hello,
In the past months the following domain has been moving around a lot and is
currently being used as an active C&C: chat-shqip.org
Name servers for this domain:
chat-shqip.org. 83041 IN NS ns9.san.yahoo.com.
chat-shqip.org. 83041 IN NS ns8.san.yahoo.com.
chat-shqip.org. 83041 IN NS yns2.yahoo.com.
chat-shqip.org. 83041 IN NS yns1.yahoo.com.
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
26283 | 66.54.153.162 | 66.54.152.0/23 | US | arin | 2000-12-22 | NCIC - Northern Colorado Internet Coop
This one is in the ddos-rs as:
26283 | NCIC - Northern Colorado Internet Coop | 66.54.153.162 | tcp | 13001 | 2008-06-12 20:25:55 | 2008-06-20 20:25:55 | bot | 0 | 0 | ID: DNSRR: b0y.chat-shqip.org PORTS: 12351_2400
When the bot is executed this is what happens currently: (15:00 GMT+2)
Tries resolving proxim.ircgalaxy.pl -> fails
Tries resolving chat-shqip.org -> success -> 66.54.153.162
Starts an IRC session with 66.54.153.162:13001
=======================
NICK `pxwpqjbi
USER `pxwpqjbi 0 0 :`pxwpqjbi
:aaa.58539.com 001 `pxwpqjbi :time, `pxwpqjbi!~pxwpqjbi at 194.171.x.x
:aaa.58539.com 005 `pxwpqjbi MAP KNOCK SAFELIST HCN MAXCHANNELS=500
MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=15 AWAYLEN=307
:are supported by this server
:aaa.58539.com 005 `pxwpqjbi WALLCHOPS WATCH=128 SILENCE=15 MODES=12
CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSMT
NETWORK=time CASEMAPPING=ascii EXTBAN=~,cqr :are supported by this server
:aaa.58539.com 422 `pxwpqjbi :MOTD File is missing
:`pxwpqjbi MODE `pxwpqjbi :+i
JOIN #.has hs
USERHOST `pxwpqjbi
JOIN #.has hs
USERHOST `pxwpqjbi
JOIN #.has hs
USERHOST `pxwpqjbi
:`pxwpqjbi!~pxwpqjbi at 194.171.x.x JOIN :#.has
:aaa.58539.com 332 `pxwpqjbi #.has :`i.join #.r |`sniff.on -s
:aaa.58539.com 333 `pxwpqjbi #.has sd 1213317513
:aaa.58539.com 353 `pxwpqjbi @ #.has :`pxwpqjbi
:aaa.58539.com 366 `pxwpqjbi #.has :End of /NAMES list.
JOIN #.r
:aaa.58539.com 302 `pxwpqjbi :`pxwpqjbi=+~pxwpqjbi at 194.171.x.x
:aaa.58539.com 302 `pxwpqjbi :`pxwpqjbi=+~pxwpqjbi at 194.171.x.x
:aaa.58539.com 302 `pxwpqjbi :`pxwpqjbi=+~pxwpqjbi at 194.171.x.x
:`pxwpqjbi!~pxwpqjbi at 194.171.30.1 JOIN :#.r
:aaa.58539.com 332 `pxwpqjbi #.r :`adv.start lsass 80 3 0 -r -b |`adv.start
lsass 100 3 0 217.x.x.x -r -s |`adv.start lsass 100 3 0 80.x.x.x -r -s
|`adv.start lsass 100 3 0 82.x.x.x -r -s |`adv.start lsass 62.x.x.x -r -s
|`adv.start lsass 100 3 0 213.x.x.x -r |`adv.start lsass 100 3 0 83.x.x.x
-r -s |`adv.start lsass 100 3 0 81.x.x.x -r -s
:aaa.58539.com 333 `pxwpqjbi #.r s 1213223228
:aaa.58539.com 353 `pxwpqjbi @ #.r :`pxwpqjbi
:aaa.58539.com 366 `pxwpqjbi #.r :End of /NAMES list.
==========================
For what it's worth, maybe something can be done DNS-wise for this record?
Thanks in advance!
With kind regards,
Dave Woutersen
--
Dave Woutersen
security specialist
GOVCERT.NL
T +31 70 888 75 55
I www.govcert.nl
E dave.woutersen at govcert.nl
PGP Fingerprint: C87E 47E2 89D8 5DFB C86F A3F3 1557 E2E9 AC15 7DD5
GOVCERT.NL is the Computer Emergency Response Team for the Dutch
Government. We support the government in preventing and dealing with
IT-related security incidents.
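As an added defender-side example (not part of Dave's post, and not GOVCERT.NL tooling), a small Python parser that pulls the channel-topic command queue out of a captured IRC session like the one above and flags it as bot C&C. The sample lines are constructed from the session in the post; the backtick-verb pattern is an assumption based on the commands seen there.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines taken from the captured session in the post,
# with the bot nick and the redacted addresses kept as they appear there.
SAMPLE_SESSION = """\
:aaa.58539.com 001 `pxwpqjbi :time, `pxwpqjbi!~pxwpqjbi@194.171.x.x
:aaa.58539.com 422 `pxwpqjbi :MOTD File is missing
:aaa.58539.com 332 `pxwpqjbi #.has :`i.join #.r |`sniff.on -s
:aaa.58539.com 332 `pxwpqjbi #.r :`adv.start lsass 80 3 0 -r -b |`adv.start lsass 100 3 0 217.x.x.x -r -s
:aaa.58539.com 366 `pxwpqjbi #.r :End of /NAMES list.
"""

# RFC 1459 server reply: ":<prefix> <numeric> <target> <params> :<trailing>"
_NUMERIC_RE = re.compile(
    r"^:(?P<prefix>\S+) (?P<num>\d{3}) (?P<target>\S+) ?(?P<params>[^:]*?)(?: :(?P<trailing>.*))?$"
)

# Assumed verb shape for this family: backtick, module, dot, action (e.g. `adv.start).
# The channel topic is the bot's command queue, so this is what the detector keys on.
BOT_VERB_RE = re.compile(r"`[a-z]+\.[a-z]+\b")

@dataclass
class TopicFinding:
    channel: str
    commands: list = field(default_factory=list)

def parse_topics(session_text: str) -> list:
    """Return one finding per RPL_TOPIC (332) line whose topic carries bot verbs."""
    findings = []
    for line in session_text.splitlines():
        m = _NUMERIC_RE.match(line)
        if not m or m.group("num") != "332":
            continue
        channel = m.group("params").strip()
        topic = m.group("trailing") or ""
        # Topics chain several commands with '|'; keep only the pieces that start with a verb.
        cmds = [c.strip() for c in topic.split("|")]
        cmds = [c for c in cmds if BOT_VERB_RE.match(c)]
        if cmds:
            findings.append(TopicFinding(channel, cmds))
    return findings

def is_irc_cnc(session_text: str, min_cmds: int = 1) -> bool:
    """Heuristic verdict: any joined channel whose topic is a bot command queue."""
    return any(len(f.commands) >= min_cmds for f in parse_topics(session_text))

if __name__ == "__main__":
    for f in parse_topics(SAMPLE_SESSION):
        print(f.channel, "->", f.commands)
```

The same parser runs unchanged over a raw IRC stream captured from a sandbox, since it keys on the 332 numeric rather than on the bot nick or server name.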