[nsp-sec] intercage/atrivo

Smith, Donald Donald.Smith at qwest.com
Wed Sep 17 10:17:00 EDT 2008


If you know this is happening and can guess when, you could do http gets and
record the ip id.
When it switches from .4 to .5 the ip id should stay sequential, unless
there is a reboot or tcp/ip stack reset of some type.


Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Chris Morrow
> Sent: Tuesday, September 16, 2008 5:41 PM
> To: Jose Nazario
> Cc: nsp-security NSP; Darren Grabowski
> Subject: Re: [nsp-sec] intercage/atrivo
> 
> ----------- nsp-security Confidential --------
> 
> So... I think some/a-lot of the problem with atrivo (Emil) is that he
> plays the dumb-dupe very well: "Oh, another one of my customers is being
> abusive? Spreading malware? Involved with ZLob? Oh, I'll terminate them
> right now!"
> 
> Which most often in the past has meant:
> 
> ifconfig eth0 1.2.3.4 down
> ifconfig eth0 1.2.3.5 up
> 
> "Ok, all terminated, wow thanks for the note!"
> 
> If he's not aware that his AS and the customers of his AS have been
> involved with a very large and ongoing set of malware and abuse issues
> he's either really, really, really dumb or deaf/blind/dumb/fingerless.
> 
> Given the last 4+ years of abuse centered around Atrivo/Intercage I just
> can't believe that he's completely unaware of the situation.
> 
> Joe St Sauver from u-Oregon may have some more/better/detailed information
> on Atrivo... Spamhaus (despite my normal 'f-spamhaus' attitude) really has
> a decent trove as well.
> 
> -Chris
> 
> On Tue, 16 Sep 2008, Jose Nazario wrote:
> 
> > ----------- nsp-security Confidential --------
> >
> > On Tue, 16 Sep 2008, Darren Grabowski wrote:
> >
> >> Does anyone have anything active on Atrivo?  I've been told that "he is
> >> innocent, this is a bunch of heresy, 95% of what is said is not true, it's
> >> all the Russians" and stuff like that.
> >
> > very little in the past 24h.
> >
> > ATLAS DETAILED REPORT: 27595
> >
> > Generated: Tue Sep 16 23:12:18 2008 UTC
> > Covers 24 hour time period through now.
> >
> > DENIAL OF SERVICE
> > OBSERVED INBOUND ATTACKS
> > Based on actual alerts gathered in our Internet statistics project.
> > Start, End, Dest CIDR, Dest ASN, Dest CC, Max BPS, Max PPS
> > 1221434509, 1221435786, "216.255.184.150/32", "27595", US, 163104, 51
> > 1221356595, 1221434466, "216.255.184.150/32", "27595", US, 1944056, 312
> >
> > MALICIOUS CLIENTS
> > Scans
> > Based on ATLAS honeypot sensors.
> > IP, Cumulative Bytes
> > 67.210.4.138, 21508.0
> > 67.210.3.106, 18957.0
> > 67.210.4.162, 14695.0
> > 67.210.3.178, 11526.0
> > 67.210.3.2, 10569.0
> > 67.210.4.178, 10315.0
> > 67.210.3.26, 9761.0
> > 67.210.3.130, 8890.0
> > 67.210.3.34, 8158.0
> > 216.255.176.186, 7980.0
> > 67.210.3.10, 7863.0
> > 67.210.3.98, 7157.0
> > 67.210.3.122, 7010.0
> > 67.210.4.186, 6715.0
> > 67.210.3.218, 6081.0
> > 67.210.3.50, 3945.0
> > 67.210.3.42, 3874.0
> > 67.210.4.50, 3783.0
> > 67.210.4.82, 3335.0
> > 67.210.3.154, 3297.0
> > 67.210.3.114, 3292.0
> > 67.210.3.194, 3211.0
> > 67.210.4.58, 3163.0
> > 67.210.4.170, 2939.0
> > 67.210.3.18, 2831.0
> > 67.210.4.154, 2219.0
> > 67.210.3.66, 2045.0
> > 67.210.4.90, 1806.0
> > 67.210.4.42, 1679.0
> > 67.210.3.186, 1222.0
> > 67.210.3.90, 975.0
> > 67.210.3.202, 826.0
> > 67.210.3.58, 724.0
> > 67.210.4.66, 645.0
> > 67.210.4.98, 576.0
> > 67.210.4.74, 432.0
> > 69.50.180.34, 384.0
> > other, 0
> >
> > MALICIOUS SERVERS
> > Malicious Links
> > URLs contacted by malware during automated analysis.
> > Timestamp, CC, ASN, IP, URL
> > 1221537600, CY, 27595, 69.50.175.194, "http://69.50.175.194/ca/count.php?flsh=0&pion=0&p=84626410&a=0003"
> > 1221537600, US, 27595, 64.28.181.230, "http://64.28.181.230/path.txt"
> >
> >
> >
> > -------------------------------------------------------------
> > jose nazario, ph.d.     <jose at arbor.net>
> > security researcher, office of the CTO,  arbor networks
> > v: (734) 821 1427 	      http://asert.arbornetworks.com/
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of 
> the nsp-security
> > community. Confidentiality is essential for effective 
> Internet security 
> > counter-measures.
> > _______________________________________________
> >
> 
> 


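A way to turn the IP ID check from the top of this message into a repeatable analysis, as an added example that is not code from the original thread or from any of the people in it: given observations of (time, source address, IP ID) gathered from replies before and after a host moves from one address to the next, it tests whether the IP ID counter on the new address is where the old address's counter would have reached by that time (same stack, merely re-addressed) or shows the discontinuity a reboot or stack reset would leave. The addresses 1.2.3.4/1.2.3.5 are the ones from Chris's ifconfig example; the sample values, the tolerance thresholds and the "global 16-bit counter" model are assumptions. The model only holds for stacks that increment one global IP ID per packet; stacks that randomize the field or keep per-destination counters produce non-sequential runs, which the code reports as inconclusive rather than guessing.

```python
from dataclasses import dataclass

IPID_MOD = 1 << 16  # the IP identification field is 16 bits wide


@dataclass(frozen=True)
class Sample:
    """One observation from a reply packet: arrival time (seconds), the
    source address it carried, and the value of its IP ID field."""
    t: float
    src: str
    ip_id: int


def ipid_delta(a: int, b: int) -> int:
    """Forward distance from a to b on the 16-bit IP ID ring (handles wrap)."""
    return (b - a) % IPID_MOD


def is_sequential(samples, max_gap=1000):
    """True when each consecutive pair advances by a small forward step, the
    signature of a global per-packet counter rather than randomized IDs."""
    return all(0 < ipid_delta(p.ip_id, q.ip_id) <= max_gap
               for p, q in zip(samples, samples[1:]))


def split_on_switch(samples):
    """Order by time and split into the run from the first-seen address and
    the run from whatever address replaced it."""
    ordered = sorted(samples, key=lambda s: s.t)
    first = ordered[0].src
    before = [s for s in ordered if s.src == first]
    after = [s for s in ordered if s.src != first]
    return before, after


def counter_rate(samples):
    """Mean IP ID increments per second over a sequential run."""
    steps = sum(ipid_delta(p.ip_id, q.ip_id) for p, q in zip(samples, samples[1:]))
    return steps / (samples[-1].t - samples[0].t)


def continuity_verdict(samples, tolerance=200, max_gap=1000):
    """Classify the observations across the address change:
    'same-stack'   the counter on the new address is where the old address's
                   counter would have reached by that time
    'reset'        the counter jumped somewhere a continuing counter would not
                   be (reboot / stack reset, or simply a different host)
    'inconclusive' too few samples, or IDs that do not behave like a counter
    """
    before, after = split_on_switch(samples)
    if len(before) < 2 or not after or before[-1].t <= before[0].t:
        return "inconclusive"
    if not is_sequential(before, max_gap) or not is_sequential(after, max_gap):
        return "inconclusive"  # randomized / per-flow IDs: no counter to follow
    last = before[-1]
    predicted = (last.ip_id + round(counter_rate(before) * (after[0].t - last.t))) % IPID_MOD
    # distance either way round the ring, so a small overshoot or undershoot
    # of the prediction both count as a hit
    miss = min(ipid_delta(predicted, after[0].ip_id),
               ipid_delta(after[0].ip_id, predicted))
    return "same-stack" if miss <= tolerance else "reset"


# Constructed sample runs (not captured data): the host answers from 1.2.3.4
# at t=0..20 s, then from 1.2.3.5 from t=30 s on, counter running at ~5/s.
SAME_STACK = [
    Sample(0, "1.2.3.4", 40000), Sample(10, "1.2.3.4", 40050), Sample(20, "1.2.3.4", 40100),
    Sample(30, "1.2.3.5", 40152), Sample(40, "1.2.3.5", 40200),
]
RESET = [
    Sample(0, "1.2.3.4", 40000), Sample(10, "1.2.3.4", 40050), Sample(20, "1.2.3.4", 40100),
    Sample(30, "1.2.3.5", 12), Sample(40, "1.2.3.5", 60),  # counter restarted near zero
]
RANDOMIZED = [
    Sample(0, "1.2.3.4", 40000), Sample(10, "1.2.3.4", 40050), Sample(20, "1.2.3.4", 40100),
    Sample(30, "1.2.3.5", 5000), Sample(40, "1.2.3.5", 31234), Sample(50, "1.2.3.5", 800),
]

if __name__ == "__main__":
    for name, run in (("same-stack run", SAME_STACK), ("reset run", RESET),
                      ("randomized run", RANDOMIZED)):
        print(f"{name}: {continuity_verdict(run)}")
```

The rate is estimated only from the pre-switch run, so the verdict does not depend on how busy the host is after the change; the ring arithmetic in `ipid_delta` keeps a counter that wraps past 65535 between the two runs from being mistaken for a reset.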