[nsp-sec] More password stealers and drops - AS13301, AS24940, AS7738,
jose nazario
jose at arbor.net
Wed Mar 26 11:43:05 EDT 2008
Any help in getting these live password stealer drops taken down would be
appreciated. I'll contact the contact emails separately but don't expect to
find much success.
This is what I've been able to find since the start of March 2008 in our
malware archive.
Malware MD5: d3af720b2432be142d23993745c52165
AS | IP | AS Name
13301 | 213.202.225.90 | UNITEDCOLO-AS Autonomous System of unitedcolo.de
username="funmopal"
password="password5512004"
Whois for that netblock:
person: Alexander Liemen
address: Bergler & Liemen GbR
address: Prager Strasse 2a
address: 01069 Dresden
e-mail: alexander at liemen.net
phone: +49-351-440474050
fax-no: +49-351-440474051
mnt-by: MNT-UNITEDCOLO
nic-hdl: AL3476-RIPE
source: RIPE # Filtered
Over 75 compromised machines with about 2000 compromised accounts (Facebook,
MySpace, email, etc.).
-------
Malware MD5: 27b22e603bd7d2de9cbcab53962878f7
username="web51f3"
password="27122712"
More Steam password stealer drops.
Bulk mode; whois.cymru.com [2008-03-26 15:18:55 +0000]
24940 | 213.239.207.82 | HETZNER-AS Hetzner Online AG RZ-Nuernberg
role: Hetzner Online AG - Contact Role
address: Hetzner Online AG
address: Industriestr. 6
address: D-91710 Gunzenhausen
address: Germany
phone: +49 9831 61 00 61
fax-no: +49 9831 61 00 62
e-mail: ripe at hetzner.de
Many dozens of compromised accounts.
------
Malware MD5: e9a0c8602fe2539270ad03109b23bcbb
username="extremeaudi"
password="102030,"
7738 | 200.149.77.62 | Telecomunicacoes da Bahia S.A.
inetnum: 200.149.77/24
aut-num: AS7738
abuse-c: CGR13
owner: Ambiente Design LTDA
ownerid: 003.445.521/0001-40
responsible: Luciana C. G. de Souza
owner-c: HTW
tech-c: MTJ13
created: 20060214
changed: 20080324
inetnum-up: 200.149.0/17
All stored files have 0 bytes, 27 stored unique files.
Same IP, different account, new malware:
Malware MD5: 3f797547d6874e2fac7990b6fbaf01e0
username="ftp22"
password="220901"
Many files (20 dozen or so) stored here, all lightly encrypted/obfuscated.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO
Arbor Networks
v: +1 734 821 1427
m: +1 734 693 2969
PGP: 0x40A7BF94
www.arbornetworks.com
-------------------------------------------------------------