[nsp-sec] new storm worm campaign, new peer list
Gabriel Iovino
giovino at ren-isac.net
Mon Mar 3 14:16:16 EST 2008
Hello,
ACK:
Thanks
--
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
Jose Nazario wrote:
| ----------- nsp-security Confidential --------
|
|
|
| ------------------------------------------------------------------------
|
| new storm worm campaign with the classic "postcard" theme. the peerlist
| included in the binary has been decoded and is attached.
|
| no timestamps as this is hardcoded into the binary (from one i fetched
| about an hour ago). look for flows inbound to your hosts and see if they
| reply.
|
| format:
| ASN | IP | UDP port | Net name
| 44234 | 80.242.33.36 | 5860 | GAYA-AS Gaya, s.r.o.
|
| hope this helps,
|
| -------------------------------------------------------------
| jose nazario, ph.d. <jose at arbor.net>
| security researcher, office of the CTO, arbor networks
| v: (734) 821 1427 http://asert.arbornetworks.com/
|
|
| ------------------------------------------------------------------------
|
|
|
| _______________________________________________
| nsp-security mailing list
| nsp-security at puck.nether.net
| https://puck.nether.net/mailman/listinfo/nsp-security
|
| Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
| community. Confidentiality is essential for effective Internet
| security counter-measures.
| _______________________________________________
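The check suggested in the quoted message (inbound flows from listed peers, and whether the local host replies), as an added example that is not part of either original post. The function names, the 5-tuple flow record layout and all sample data are assumptions constructed for illustration, and matching is done on the peer's source IP only.

```python
import ipaddress

# Constructed peer list in the post's format: ASN | IP | UDP port | Net name.
# Documentation ASNs/addresses; the last net name is wrapped by the mailer.
PEERLIST = """\
64500 | 203.0.113.10 | 5860 | EXAMPLE-AS Example s.r.o.
garbage | not-an-ip | x | malformed line
64501 | 198.51.100.7 | 28145 | EXAMPLE-EDU - Example
University
"""

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port).
FLOWS = [
    ("udp", "203.0.113.10", 5860, "192.0.2.25", 11547),  # peer -> local
    ("udp", "192.0.2.25", 11547, "203.0.113.10", 5860),  # local replies
    ("udp", "198.51.100.7", 28145, "192.0.2.40", 7018),  # peer -> local, no reply
    ("tcp", "203.0.113.10", 5860, "192.0.2.41", 80),     # not UDP, ignored
    ("udp", "203.0.113.99", 53, "192.0.2.25", 40000),    # not a listed peer
]

def parse_peerlist(text):
    """Return {ip: (asn, udp_port, net_name)}; skip lines that do not parse."""
    peers, last_ip = {}, None
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) == 4:
            try:
                asn, port = int(fields[0]), int(fields[2])
                ip = str(ipaddress.ip_address(fields[1]))
            except ValueError:
                last_ip = None
                continue
            peers[ip] = (asn, port, fields[3])
            last_ip = ip
        elif len(fields) == 1 and fields[0] and last_ip:
            asn, port, name = peers[last_ip]  # continuation of a wrapped name
            peers[last_ip] = (asn, port, name + " " + fields[0])
    return peers

def find_contacts(peers, flows, local_net):
    """Return sorted (local_host, peer_ip, replied) for inbound UDP from peers."""
    net = ipaddress.ip_network(local_net)
    udp = {(s, sp, d, dp) for proto, s, sp, d, dp in flows if proto == "udp"}
    hits = {}
    for s, sp, d, dp in udp:
        if s in peers and ipaddress.ip_address(d) in net:
            hits[(d, s)] = hits.get((d, s), False) or (d, dp, s, sp) in udp
    return sorted((host, peer, replied) for (host, peer), replied in hits.items())
```

A local host reported with `replied` set to true answered the peer on the same port pair and is the one to look at first.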