[nsp-sec] Bot C&C at AS 6389 (BellSouth)

Rob Thomas robt at cymru.com
Wed Oct 22 10:39:23 EDT 2008


Hey, Dan.

> We see an IRC botnet C&C server at 65.12.238.82.  The malware associated
> with this seems to be IRCFlood/zapchast.

Yeah, that fella has been around since at least 2008-06-09 08:06:31 UTC.
The C&C ports have included 7000 and 6666.  The server password appears
to be "123123" (no quotes) for both ports.

Looks like they've had a few permutations of their bot.

      timestamp      |                   sha1                   |               md5                |    dst_ip    | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- -------------- ---------- ---------- ------
 2008-06-08 21:50:19 | 1475a61897ba25dc6fb7e9659981d6c319ae48a5 | 7eb0b30e2959a624c598846daa2e0993 | 65.12.238.82 |     7000 |        6 |
 2008-09-15 16:44:20 | 3d784037e1619c5607ee31cd944d0957d853077d | b8ebaee04a30d9bddab415c1ecdf5221 | 65.12.238.82 |     7000 |        6 |    0
 2008-06-08 17:50:06 | 462177a644bf0f3107011fd30cefb8539ef1e2aa | 19627e5f3c9b84b008255eae575b6b34 | 65.12.238.82 |     7000 |        6 |
 2008-09-29 20:08:54 | 60daae6379448b009119d0363b47fd79ccebada0 | ff44d48468779a7c7314dcdd4189e0be | 65.12.238.82 |     6667 |        6 |
 2008-09-15 19:14:40 | 82899cb5ec7bd36796d546a210555eb6a76d232b | 25f3d96effbd0c4c10d949dd645e5691 | 65.12.238.82 |     7000 |        6 |    0
 2008-10-16 21:30:57 | 92b27c7b31f6281d79fff7aa6be00e04da4a6f59 | 1e346455a5f548b2559ece3272fe867f | 65.12.238.82 |     7000 |        6 |    0
 2008-09-18 14:12:38 | b0fcc1277913d16c4e218d95ebb78d735c65c888 | a4966061759af241284ee289dc327b18 | 65.12.238.82 |     7000 |        6 |    0
 2008-06-08 16:50:29 | f3c548727fb39dc02c4b7ab98de3c38a6584c3e5 | 5a3b56d5461c1cf7fc1df0a2d4420dab | 65.12.238.82 |     7000 |        6 |

Other possible DNS RRs:

rbo.ircqforum.com

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");