[nsp-sec] Heads-up BT (2856): Nasty DDoS Botnet C&C in your neck of the IP Woods

francesco.catalanotto at bt.com francesco.catalanotto at bt.com
Mon Sep 22 05:30:44 EDT 2008


Ack. We are profiling the traffic and will post any information regarding
addresses communicating with this botnet C&C as soon as possible.


Regards
Francesco Catalanotto
BT UK - 2856

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of White, Gerard
Sent: 19 September 2008 00:14
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Heads-up BT (2856): Nasty DDoS Botnet C&C in your neck of the IP Woods

----------- nsp-security Confidential --------

Greetings

Check for flows to:

AS      | IP               | AS Name
2856    | 86.158.74.89     | BT-UK-AS BTnet UK Regional network

on a variety of TCP ports...  Currently using TCP/3070 right now
with this rather unique (to me) malware identified as:
http://www.virustotal.com/analisis/c1f289289aba5238f294e91ae165d3cf

What makes this Bot unique to me is the ASCII based comms it employs:

Bot> Status*(Idle...)*
C&C< kill-77.74.196.203 :27016%
Bot> Status*(UDP Attack Running!)*
C&C< stop-kill
Bot> Status*(Idle...)*

Meanwhile this poor UKSERVERS server in this example proceeded to take
quite the spankin' afterwards...  There is an appropriate UDP payload
of "X-R own you bitch!"

DNS-RRs include:
de9.no-ip.info       (This unique Bot)
dxcvg94.scrapping.cc ("Traditional" IRC Bot on TCP/8334 using msn-spreading
                      techniques for propagation)

I have strong reason to believe this "Agent.BL" bot was involved in the
"shadowserver" spanking in the past several days...

GW
855 - Bell Aliant



_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
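For operators working the heads-up above, the two things to automate are (a) finding flows from your address space to the C&C host, which the post says moves between TCP ports, and (b) pulling the attack target out of the ASCII command channel so the victim can be notified. The following is an added example written for this archive page, not code from either poster; the flow-record format ("src:port -> dst:port proto") and all sample lines are constructed, and only the C&C address and the command strings are taken from the message.

```python
"""Triage helpers for the ASCII C&C protocol quoted in the post.

Added example with constructed sample data; not part of the original message.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicator from the post: the C&C host. The port varies (TCP/3070 at the time
# of writing), so flows are matched on destination address alone.
C2_HOST = "86.158.74.89"

# Constructed flow records (assumed format: "src:port -> dst:port proto").
SAMPLE_FLOWS = """\
192.0.2.10:51234 -> 86.158.74.89:3070 TCP
192.0.2.11:40022 -> 198.51.100.5:80 TCP
192.0.2.12:55001 -> 86.158.74.89:4400 TCP
"""

# The exchange as quoted in the post, in its "Bot>" / "C&C<" notation.
SAMPLE_EXCHANGE = """\
Bot> Status*(Idle...)*
C&C< kill-77.74.196.203 :27016%
Bot> Status*(UDP Attack Running!)*
C&C< stop-kill
Bot> Status*(Idle...)*
"""

FLOW_RE = re.compile(r"^(\S+):(\d+)\s*->\s*(\S+):(\d+)\s+(\w+)$")
# "kill-<ip> :<port>%" -- note the space before the colon in the captured sample.
KILL_RE = re.compile(r"^kill-(\d{1,3}(?:\.\d{1,3}){3})\s*:(\d{1,5})%$")
STATUS_RE = re.compile(r"^Status\*\((.*)\)\*$")


@dataclass
class Event:
    direction: str                          # "c2" (C&C -> bot) or "bot" (bot -> C&C)
    kind: str                               # attack_start | attack_stop | status | unknown
    target: Optional[Tuple[str, int]] = None
    detail: Optional[str] = None


def c2_flows(flow_text: str, c2_host: str = C2_HOST) -> List[Tuple[str, int]]:
    """Return (source_ip, dest_port) for every flow whose destination is the C&C.

    The port is kept so a move away from TCP/3070 is visible in the output."""
    hits = []
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m and m.group(3) == c2_host:
            hits.append((m.group(1), int(m.group(4))))
    return hits


def parse_line(line: str) -> Optional[Event]:
    """Classify one line of the channel; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    if line.startswith("C&C<"):
        body = line[4:].strip()
        m = KILL_RE.match(body)
        if m:
            return Event("c2", "attack_start", (m.group(1), int(m.group(2))))
        if body == "stop-kill":
            return Event("c2", "attack_stop")
        return Event("c2", "unknown", detail=body)
    if line.startswith("Bot>"):
        body = line[4:].strip()
        m = STATUS_RE.match(body)
        if m:
            return Event("bot", "status", detail=m.group(1))
        return Event("bot", "unknown", detail=body)
    return Event("?", "unknown", detail=line)


def parse_exchange(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def attack_targets(events: List[Event]) -> List[Tuple[str, int]]:
    """Hosts the C&C ordered attacked: the parties to notify."""
    return [e.target for e in events if e.kind == "attack_start" and e.target]


if __name__ == "__main__":
    for src, port in c2_flows(SAMPLE_FLOWS):
        print(f"flow to C&C {C2_HOST} from {src} on TCP/{port}")
    events = parse_exchange(SAMPLE_EXCHANGE)
    for e in events:
        print(e)
    for ip, port in attack_targets(events):
        print(f"attack ordered against {ip} port {port}")
```

Unrecognised C&C lines are kept as `unknown` events rather than dropped, so a new command word shows up in review instead of silently disappearing.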