[nsp-sec] More password stealers and drops - AS13301, AS24940, AS7738,
Rob Thomas
robt at cymru.com
Wed Mar 26 13:03:12 EDT 2008
Hey, Jose.
Is the access all through FTP? I'm trying to assemble a list of
probable compromised hosts.
Thanks!
Rob.
jose nazario wrote:
> ----------- nsp-security Confidential --------
>
> Any help in getting these live password stealer drops taken down would be
> appreciated. I'll contact the contact emails separately but don't expect to
> find much success.
>
> This is what I've been able to find since the start of March 2008, in our
> malware archive.
>
>
>
> Malware MD5: d3af720b2432be142d23993745c52165
>
> AS | IP | AS Name
> 13301 | 213.202.225.90 | UNITEDCOLO-AS Autonomous System of unitedcolo.de
>
> username="funmopal"
> password="password5512004"
>
> Whois for that netblock:
>
> person: Alexander Liemen
> address: Bergler & Liemen GbR
> address: Prager Strasse 2a
> address: 01069 Dresden
> e-mail: alexander at liemen.net
> phone: +49-351-440474050
> fax-no: +49-351-440474051
> mnt-by: MNT-UNITEDCOLO
> nic-hdl: AL3476-RIPE
> source: RIPE # Filtered
>
>
> Over 75 compromised machines with about 2000 compromised accounts (facebook,
> myspace, email, etc).
>
> -------
>
> Malware md5: 27b22e603bd7d2de9cbcab53962878f7
>
> username="web51f3"
> password="27122712"
>
> More steam password stealer drops.
>
> Bulk mode; whois.cymru.com [2008-03-26 15:18:55 +0000]
> 24940 | 213.239.207.82 | HETZNER-AS Hetzner Online AG RZ-Nuernberg
>
>
> role: Hetzner Online AG - Contact Role
> address: Hetzner Online AG
> address: Industriestr. 6
> address: D-91710 Gunzenhausen
> address: Germany
> phone: +49 9831 61 00 61
> fax-no: +49 9831 61 00 62
> e-mail: ripe at hetzner.de
>
>
>
> Many dozen compromised accounts.
>
> ------
>
> Malware md5: e9a0c8602fe2539270ad03109b23bcbb
>
> username="extremeaudi"
> password="102030,"
>
> 7738 | 200.149.77.62 | Telecomunicacoes da Bahia S.A.
>
> inetnum: 200.149.77/24
> aut-num: AS7738
> abuse-c: CGR13
> owner: Ambiente Design LTDA
> ownerid: 003.445.521/0001-40
> responsible: Luciana C. G. de Souza
> owner-c: HTW
> tech-c: MTJ13
> inetrev: 200.149.77/24
> nserver: ns1.oi.com.br
> nsstat: 20080325 AA
> nslastaa: 20080325
> nserver: ns2.oi.com.br
> nsstat: 20080325 AA
> nslastaa: 20080325
> nserver: ns3.oi.com.br
> nsstat: 20080325 AA
> nslastaa: 20080325
> nserver: ns4.oi.com.br
> nsstat: 20080325 AA
> nslastaa: 20080325
> created: 20060214
> changed: 20080324
> inetnum-up: 200.149.0/17
>
>
> All stored files have 0 bytes, 27 stored unique files.
>
> Same IP, different account, new malware:
>
> Malware md5: 3f797547d6874e2fac7990b6fbaf01e0
>
> username="ftp22"
> password="220901"
>
> Many files (20 dozen or so) stored here, all lightly encrypted/obfuscated.
>
>
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> security researcher, office of the CTO
> Arbor Networks
> v: +1 734 821 1427
> m: +1 734 693 2969
> PGP: 0x40A7BF94
> www.arbornetworks.com
> -------------------------------------------------------------
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
ASSERT(coffee != empty);
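Rob's question above (assembling a list of probable compromised hosts from the drop IPs) maps directly onto the Team Cymru bulk lookup Jose used ("Bulk mode; whois.cymru.com"). What follows is an added example and not code from either poster: it builds a bulk request in the begin/end form the whois.cymru.com service accepts on port 43, parses the "AS | IP | AS Name" response format quoted in the thread, and groups hosts by ASN so each network contact gets one consolidated report. The sample response is constructed from the three lines in the thread plus one made-up "NA" row for an unrouted address; the live query function is included for completeness but is not called, so the block runs offline.

```python
"""Assemble an IP -> ASN table from Team Cymru bulk whois output.

Added example for this nsp-security thread, not code from the original
posts. It assumes the non-verbose bulk response format quoted in the mail:

    Bulk mode; whois.cymru.com [timestamp]
    AS | IP | AS Name

The request side (one IP per line between 'begin' and 'end', sent to
whois.cymru.com port 43) is the Team Cymru bulk interface; no network
call is made when this file is run.
"""
import socket
from collections import defaultdict
from ipaddress import ip_address

CYMRU_HOST = "whois.cymru.com"
CYMRU_PORT = 43


def build_bulk_query(ips):
    """Build the bulk request body. Each IP is validated so that a stray
    hostname or typo in the input list fails loudly instead of producing
    an 'Error' row from the service."""
    clean = [str(ip_address(ip.strip())) for ip in ips]
    return "begin\n" + "\n".join(clean) + "\nend\n"


def parse_bulk_response(text):
    """Parse 'AS | IP | AS Name' rows into dicts.

    The banner line, the header row, blank lines, error lines and rows
    whose ASN field is not numeric (e.g. 'NA' for unrouted space) are
    skipped, since none of them identify a responsible network."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Bulk mode"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        rows.append({"asn": int(parts[0]), "ip": parts[1], "as_name": parts[2]})
    return rows


def group_by_asn(rows):
    """Group hosts by (ASN, AS name) so one abuse report goes per network."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[(r["asn"], r["as_name"])].append(r["ip"])
    return dict(grouped)


def query_cymru(ips, timeout=10):
    """Live lookup against whois.cymru.com (not executed in this example)."""
    with socket.create_connection((CYMRU_HOST, CYMRU_PORT), timeout=timeout) as s:
        s.sendall(build_bulk_query(ips).encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_bulk_response(b"".join(chunks).decode(errors="replace"))


# Constructed sample: the three rows quoted in the thread plus one made-up
# 'NA' row standing in for an address with no BGP origin.
SAMPLE_RESPONSE = """Bulk mode; whois.cymru.com [2008-03-26 15:18:55 +0000]
13301   | 213.202.225.90   | UNITEDCOLO-AS Autonomous System of unitedcolo.de
24940   | 213.239.207.82   | HETZNER-AS Hetzner Online AG RZ-Nuernberg
7738    | 200.149.77.62    | Telecomunicacoes da Bahia S.A.
NA      | 10.0.0.1         | NA
"""

if __name__ == "__main__":
    rows = parse_bulk_response(SAMPLE_RESPONSE)
    for (asn, name), hosts in sorted(group_by_asn(rows).items()):
        print(f"AS{asn} {name}: {', '.join(hosts)}")
```

For a real run, replace SAMPLE_RESPONSE with the return value of query_cymru() over the drop IPs pulled from the malware configs; the grouping output is then the per-ASN list of hosts to hand to each abuse contact.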