[nsp-sec] Ddos controller - caatadgouk.com

Stephen Gill gillsr at cymru.com
Fri Jun 27 13:24:09 EDT 2008


> Other potential C&C URLs include:
> 
>     http://abmmrvthjr.com/dl/adv450.php
>     http://caatadgouk.com/dl/adv434.php
>     http://ccfelomvhk.com/dl/adv542.php

These showed up as well:

 http://cgnluarlce.com/ddos.php
 http://eaelzkkodp.com/ddos.php
 http://ebtadejfqm.com/ddos.php
 http://ecunglllos.com/ddos.php
 http://egymoxrsoo.com/ddos.php
 http://ehagvzyfrt.com/ddos.php

 http://cgnluarlce.com/ddos1.php
 http://eaelzkkodp.com/ddos1.php
 http://ebtadejfqm.com/ddos1.php
 http://ecunglllos.com/ddos1.php
 http://egymoxrsoo.com/ddos1.php
 http://ehagvzyfrt.com/ddos1.php

...

These were hosting uniq.php?id= C&Cs:

 85.255.119.92
 85.255.119.93
 85.255.121.195
 85.255.121.196
 91.203.92.17
 91.203.92.18
 aarmrgdxrv.com
 abmmrvthjr.com
 acdedblshd.com
 adtctqypoa.com
 aevqritikn.com
 afhncitbkg.com
 agflvkgwef.com
 ahcieqdgbv.com
 bapoyxaqpx.net
 bbjsokauim.net
 bcgdbkzlbu.net
 bdpnyzxeio.net
 bemrmqnngu.net
 caatadgouk.com
 cbfcygxyfn.com
 ccfelomvhk.com
 cdpuvbhfzz.com
 ceqypawkht.com
 cffhqznqzd.com
 cgnluarlce.com
 chbdvrnfag.com
 ddwyimcrvz.net
 dfneywxasy.net
 eaelzkkodp.com
 ebtadejfqm.com
 ecunglllos.com
 edfilygxrj.com
 egymoxrsoo.com
 ehagvzyfrt.com
 qagwetobzb.com
 xabmiphabh.cn
 yaxmtxhfen.biz
 zagevqsoii.biz

Doing host lookups and AS mappings for the above we get:

Bulk mode; whois.cymru.com [2008-06-27 17:24:10 +0000]
10487   | 216.188.26.235   | SIMPLENET - Simple Network Communications, Inc
10487   | 216.188.26.237   | SIMPLENET - Simple Network Communications, Inc
21740   | 69.64.155.127    | ENOMAS1 - eNom, Incorporated
44997   | 91.203.92.17     | UATELECOM-AS UATELECOM LTD.
44997   | 91.203.92.18     | UATELECOM-AS UATELECOM LTD.

Is there a well known name for this malware family?

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
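An added example, not part of Stephen's message or Team Cymru's own tooling: a small Python helper that builds the request body for the whois.cymru.com bulk interface (the documented "begin ... end" form sent to port 43; no network call is made here) and parses the "ASN | IP | AS NAME" result lines quoted above, grouping IPs by ASN so shared hosting across the C&C addresses stands out. The sample output embedded in the block is the five result lines from the message, reused as constructed input; hostnames passed to the query builder are dropped because the service maps IP addresses only, so a domain list has to be resolved first.

```python
"""Build a whois.cymru.com bulk query and parse its output by ASN.

Added example; not from the original post. The sample output below is
the bulk-mode result quoted in the message, reused as constructed input.
The query format (begin / one IP per line / end) is the documented
bulk interface of whois.cymru.com on TCP port 43.
"""
from collections import defaultdict
import ipaddress

# Constructed sample: bulk-mode output exactly as quoted in the post.
SAMPLE_OUTPUT = """\
Bulk mode; whois.cymru.com [2008-06-27 17:24:10 +0000]
10487   | 216.188.26.235   | SIMPLENET - Simple Network Communications, Inc
10487   | 216.188.26.237   | SIMPLENET - Simple Network Communications, Inc
21740   | 69.64.155.127    | ENOMAS1 - eNom, Incorporated
44997   | 91.203.92.17     | UATELECOM-AS UATELECOM LTD.
44997   | 91.203.92.18     | UATELECOM-AS UATELECOM LTD.
"""


def build_bulk_query(indicators):
    """Return the request body for the bulk interface.

    Only IP literals are kept (the service does not resolve names), and
    duplicates are removed while preserving the original order.
    """
    seen = set()
    lines = ["begin"]
    for item in indicators:
        try:
            ip = str(ipaddress.ip_address(item.strip()))
        except ValueError:
            continue  # a hostname such as a C&C domain: resolve it first
        if ip not in seen:
            seen.add(ip)
            lines.append(ip)
    lines.append("end")
    return "\n".join(lines) + "\n"


def parse_bulk_output(text):
    """Parse 'ASN | IP | AS NAME' lines; skip the banner and malformed rows.

    Rows whose ASN column is not numeric (e.g. 'NA' for an unannounced
    address) are dropped rather than guessed at.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Bulk mode;", "Error:")):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        rows.append({"asn": int(parts[0]), "ip": parts[1], "as_name": parts[2]})
    return rows


def group_by_asn(rows):
    """Map ASN -> {'as_name', 'ips'} with IPs sorted numerically."""
    by_asn = defaultdict(lambda: {"as_name": "", "ips": []})
    for row in rows:
        entry = by_asn[row["asn"]]
        entry["as_name"] = row["as_name"]
        entry["ips"].append(row["ip"])
    for entry in by_asn.values():
        entry["ips"].sort(key=ipaddress.ip_address)
    return dict(by_asn)


if __name__ == "__main__":
    # Offline demonstration on the quoted output; the query body is what
    # you would send to whois.cymru.com:43 for the IPs in the post.
    print(build_bulk_query(["91.203.92.17", "caatadgouk.com", "85.255.119.92"]))
    for asn, entry in sorted(group_by_asn(parse_bulk_output(SAMPLE_OUTPUT)).items()):
        print(f"AS{asn} {entry['as_name']}: {', '.join(entry['ips'])}")
```

Grouping by ASN is the useful output for a takedown or blocking decision: the two UATELECOM addresses and the two SIMPLENET addresses each collapse to a single responsible network contact, and the generated query body can be fed to the bulk service for the remaining IPs in the list once the domains have been resolved.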