[nsp-sec] Ping AS8001/AS36351 - possible botnet C&C
White, Gerard
Gerard.White at aliant.ca
Thu Mar 13 06:48:49 EDT 2008
Greetings.
Thanks Mr. O'Connell for the heads-up on this template-spam based
monster.
Thanks Mr. Thomas (as always) for the great detail.
Now that I've got quite a mess to deal with (bleh), here's a bit of extra
detail that can help everyone here gauge how much of this you have in
your customer base.
After a closer look, there's quite a bit of C&C resiliency in this beast.
C&C calls appear to query one of the following 4 domain patterns:
<random>.yi.org
<random>.mooo.com
<random>.dynserv.com
<random>.dyndns.org
Checking for *.yi.org and *.mooo.com activity against your DNS
infrastructure may give you a good indication of presence in your
customer base.
If you attempt to block UDP/447 C&C comms to select targets, as Zoe
noted, you will observe the above DNS behavior in a more intensive
manner.
While it appears afraid.org have 127.0.0.2'ed the *.mooo.com domain, we
have crackerjack.net that's keeping the *.yi.org domain alive. The odd
<random> query towards dynserv & dyndns also does produce a good response.
UDP/447 payloads appear to use crypto... Average payload size is around
82 bytes.
If you research the md5's that Mr. Thomas has provided, you will see
rather dismal results of < 30% AV coverage.
GW
855 - Aliant
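The DNS check suggested in the post (looking for random-label lookups under the four dynamic-DNS parent zones in resolver logs, tallied per customer IP) can be scripted. The following is an added example, not code from the post or the list; it assumes a BIND-style query log line format (adapt the regex to your resolver), a hypothetical per-client threshold of 3 lookups, and uses a constructed sample log rather than real data.

```python
import re
from collections import Counter, defaultdict

# Dynamic-DNS parent zones named in the post; the C&C lookups use a random label under them.
SUSPECT_ZONES = ("yi.org", "mooo.com", "dynserv.com", "dyndns.org")

# BIND-style query log line (assumed format; adapt the pattern to your resolver's log).
QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def suspect_zone(qname):
    """Return the matching parent zone if qname is a sub-label of one, else None.

    The apex itself (e.g. a bare 'yi.org' lookup) is not a hit; only
    '<something>.yi.org' matches, which is the pattern described in the post.
    """
    name = qname.lower().rstrip(".")
    for zone in SUSPECT_ZONES:
        if name.endswith("." + zone):
            return zone
    return None


def scan_dns_log(lines):
    """Tally suspect lookups per client IP as {ip: Counter({zone: count})}."""
    hits = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line we understand; skip it
        zone = suspect_zone(m.group("qname"))
        if zone:
            hits[m.group("ip")][zone] += 1
    return dict(hits)


def flag_clients(hits, min_queries=3):
    """Client IPs whose total suspect lookups reach min_queries, most active first.

    A single lookup under dyndns.org is ordinary user traffic; repeated random
    labels across several of these zones from one client is what stands out.
    """
    ranked = sorted(hits.items(), key=lambda kv: -sum(kv[1].values()))
    return [ip for ip, c in ranked if sum(c.values()) >= min_queries]


# Constructed sample resolver log (not real data; addresses from documentation ranges).
SAMPLE_LOG = """\
13-Mar-2008 06:40:01.101 client 192.0.2.10#53123: query: kq7ze1.yi.org IN A + (203.0.113.1)
13-Mar-2008 06:40:01.205 client 192.0.2.10#53124: query: kq7ze1.mooo.com IN A + (203.0.113.1)
13-Mar-2008 06:40:02.310 client 192.0.2.10#53125: query: p0x9ws.yi.org IN A + (203.0.113.1)
13-Mar-2008 06:40:02.901 client 192.0.2.10#53126: query: p0x9ws.dynserv.com IN A + (203.0.113.1)
13-Mar-2008 06:40:03.004 client 192.0.2.55#40001: query: www.example.com IN A + (203.0.113.1)
13-Mar-2008 06:40:03.517 client 192.0.2.55#40002: query: home.dyndns.org IN A + (203.0.113.1)
13-Mar-2008 06:40:04.020 client 192.0.2.77#41000: query: yi.org IN A + (203.0.113.1)
""".splitlines()


if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_LOG)
    for ip in flag_clients(hits):
        print(ip, dict(hits[ip]))
```

On the sample log this reports only 192.0.2.10 (four lookups spread over three of the zones); 192.0.2.55's single home.dyndns.org lookup stays below the threshold, and 192.0.2.77's bare apex query is ignored. As the post notes, a client that has UDP/447 blocked will retry DNS more aggressively, so the counts for an infected host rise rather than fall once you start filtering.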