[nsp-sec] Heads-up BT (2856): Nasty DDoS Botnet C&C in your neck of the IP Woods
david.harcourt at bt.com
Thu Sep 18 19:31:54 EDT 2008
Gerard,
Thanks. I'll prod our network security team to ensure they are looking into it.
Dave
-----Original Message-----
From: nsp-security-bounces at puck.nether.net <nsp-security-bounces at puck.nether.net>
To: nsp-security at puck.nether.net <nsp-security at puck.nether.net>
Sent: Fri Sep 19 00:14:27 2008
Subject: [nsp-sec] Heads-up BT (2856): Nasty DDoS Botnet C&C in your neck of the IP Woods
----------- nsp-security Confidential --------
Greetings
Check for flows to:
AS | IP | AS Name
2856 | 86.158.74.89 | BT-UK-AS BTnet UK Regional network
on a variety of TCP ports... Currently using TCP/3070 right now
with this rather unique (to me) malware identified as:
http://www.virustotal.com/analisis/c1f289289aba5238f294e91ae165d3cf
What makes this Bot unique to me is the ASCII based comms it employs:
Bot> Status*(Idle...)*
C&C< kill-77.74.196.203 :27016%
Bot> Status*(UDP Attack Running!)*
C&C< stop-kill
Bot> Status*(Idle...)*
Meanwhile this poor UKSERVERS server in this example proceeded to take
quite the spankin' afterwards... There is an appropriate UDP payload
of "X-R own you bitch!"
DNS-RRs include:
de9.no-ip.info (This unique Bot)
dxcvg94.scrapping.cc ("Traditional" IRC Bot on TCP/8334 using msn-spreading techniques for propagation)
I have strong reason to believe this "Agent.BL" bot was involved in the "shadowserver" spanking in the past several days...
GW
855 - Bell Aliant
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
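For an operator acting on the heads-up above, the useful pieces are the indicators (the C&C host, TCP/3070 and TCP/8334) and the plain-ASCII command protocol, which is simple enough to parse directly from captured payloads. The script below is an added example, not code from the post or from either list member: it classifies lines of the Bot>/C&C< exchange, pulls the victim IP and UDP port out of a kill command, and flags flow records to the C&C host on the listed ports. Only the indicator values come from the post; the flow-record field layout and the 192.0.2.x / 198.51.100.x sample records are constructed assumptions for a stand-alone run.

```python
"""Detection helpers for the ASCII C&C protocol described in the nsp-sec post.

Added example, not part of the original e-mail. The indicator values
(C&C host 86.158.74.89, TCP/3070, TCP/8334) come from the post; the flow
records and payload lines below are constructed for illustration, and the
flow-record field layout is an assumption.
"""
import re
from ipaddress import ip_address

# Indicators taken from the post: the C&C host and the two ports it named.
CNC_HOSTS = {"86.158.74.89"}
CNC_PORTS = {3070, 8334}

# "kill-77.74.196.203 :27016%" -> target IP and UDP port. The regex allows
# optional whitespace before the colon, as seen in the captured exchange.
KILL_CMD = re.compile(r"^kill-(\d{1,3}(?:\.\d{1,3}){3})\s*:(\d{1,5})%?$")
STOP_CMD = "stop-kill"
STATUS_RE = re.compile(r"^Status\*\((.*?)\)\*$")


def parse_cnc_line(line):
    """Classify one line of the Bot>/C&C< exchange.

    Returns a (direction, kind, detail) tuple, or None if the line does not
    match the protocol as described in the post.
    """
    line = line.strip()
    if line.startswith("C&C<"):
        body = line[4:].strip()
        m = KILL_CMD.match(body)
        if m:
            ip, port = m.group(1), int(m.group(2))
            ip_address(ip)  # raises ValueError on a malformed address
            return ("c2", "kill", (ip, port))
        if body == STOP_CMD:
            return ("c2", "stop", None)
        return ("c2", "unknown", body)
    if line.startswith("Bot>"):
        m = STATUS_RE.match(line[4:].strip())
        if m:
            return ("bot", "status", m.group(1))
        return ("bot", "unknown", line[4:].strip())
    return None


def extract_attack_targets(transcript):
    """Return the list of (ip, port) victims named by kill commands, in order."""
    targets = []
    for line in transcript.splitlines():
        parsed = parse_cnc_line(line)
        if parsed and parsed[1] == "kill":
            targets.append(parsed[2])
    return targets


def flag_cnc_flows(flow_lines):
    """Flag flow records whose destination is the C&C host on a known port.

    Assumed record layout (constructed, space separated):
      <src_ip> <src_port> <dst_ip> <dst_port> <proto>
    """
    hits = []
    for rec in flow_lines:
        parts = rec.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than crash the sweep
        src, sport, dst, dport, proto = parts
        if proto.upper() == "TCP" and dst in CNC_HOSTS and int(dport) in CNC_PORTS:
            hits.append((src, dst, int(dport)))
    return hits


# Constructed sample data for a stand-alone run (exchange copied from the post).
SAMPLE_TRANSCRIPT = """\
Bot> Status*(Idle...)*
C&C< kill-77.74.196.203 :27016%
Bot> Status*(UDP Attack Running!)*
C&C< stop-kill
Bot> Status*(Idle...)*
"""

SAMPLE_FLOWS = [
    "192.0.2.10 51234 86.158.74.89 3070 TCP",   # bot checking in to the C&C
    "192.0.2.11 51235 198.51.100.7 443 TCP",    # unrelated HTTPS session
    "192.0.2.12 51236 86.158.74.89 8334 TCP",   # IRC-style variant port
    "192.0.2.13 51237 86.158.74.89 80 TCP",     # C&C host but not a listed port
]

if __name__ == "__main__":
    for t in extract_attack_targets(SAMPLE_TRANSCRIPT):
        print("kill command targets UDP %s:%d" % t)
    for src, dst, port in flag_cnc_flows(SAMPLE_FLOWS):
        print("suspect C&C flow %s -> %s:%d" % (src, dst, port))
```

The flow check deliberately keys on host and port together, since the post notes the controller moves across "a variety of TCP ports"; if you widen it to any port on the C&C host, expect the fourth sample record to show up as well and tune accordingly.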