[nsp-sec] Yahoo phishing account
Rob Thomas
robt at cymru.com
Fri May 23 15:25:10 EDT 2008
Hey, Seth.
Nicely done! I hope you don't mind if I kibitz a bit. :)
> 32035 | 74.85.13.60 | US | arin | CCDT-AS - Telekenex
I suspect this is also a proxy. It's definitely been a bot in the past.
We see it scanning for TCP 445 (Win2K shares) on 2008-03-03 18:42:05
UTC, connecting to a public IRC network as a bot on 2008-02-23 06:03:30
UTC, joining storm on 2008-02-21 23:56:23 UTC, and doing a
PhatBot/AgoBot speedtest on 2008-02-23 10:42:06 UTC.
Hmm, now this is interesting - we see one DNS RR pointed to this IP.
timestamp           | dns_name                 | ip
--------------------+--------------------------+-------------
2008-04-28 21:49:01 | piratos-hacker.no-ip.biz | 74.85.13.60
We see three malware samples in our malware menagerie that reference
this IP.
timestamp           | sha1                                     | md5                              | dst_ip      | dst_port | protocol | size
--------------------+------------------------------------------+----------------------------------+-------------+----------+----------+------
2008-04-04 16:29:15 | 2183d89b0d2d367bed7ad2526ae21fcb043a61c6 | a22d8b3a909bb890ed40d86576ee2d85 | 74.85.13.60 | 1800     | 6        |
2008-04-04 16:31:35 | 9f367e89df20c60a8e844fc5c99404a1d6adfaa1 | 78108a83086e34969c054cc87a0140d7 | 74.85.13.60 | 1800     | 6        |
2008-04-28 21:49:59 | b0116ad0881a7d0338803883f94b5c88a4f233e9 | 79eb9185916408b95f2d29c99dbe2c3a | 74.85.13.60 | 81       | 6        | 152
Ah, it's being used by a Tunisian miscreant as a bounce. Perhaps it's
both a bot and a malware hosting box.
Ah, looking further, it's definitely been a bot/proxy. It was connected
to a botnet on DALnet, channel #farm, back on 2008-05-11 19:17:57 UTC.
It had another bot on it that was sniffing that IRC C&C traffic. :)
Long screed, short summary: Bot, proxy, malware hoster.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/