[nsp-sec] Mebroot/Torpig (AS 10316, 8001, 21844, 32475)

Tom Fischer tfischer at bfk.de
Tue Apr 14 13:06:09 EDT 2009 

Hi,

Mebroot (MBR rootkit) changed the domain name algorithm. 
The new domains are:

wvvexfux.com
fikjugsg.com
xtjhvcjh.com
khdjehsk.com
jfsbwskh.com
dfhkxefj.com
dbxgkwwc.com
jdkhvjig.com
hvfbecvw.com
dwxiedwc.com

all with the following Registrant whois data:
Registrant:
         Debora Rogni Debora at msn.com +1.8783429675
         NA
         13586 Deer Trail Court
         Saratoga,CA,US 95070

and currently pointing to
xtjhvcjh.com.           60      IN      A       206.225.86.123
;; AUTHORITY SECTION:
xtjhvcjh.com.           60      IN      NS      ns1.everydns.net.
xtjhvcjh.com.           60      IN      NS      ns3.everydns.net.
xtjhvcjh.com.           60      IN      NS      ns4.everydns.net.
xtjhvcjh.com.           60      IN      NS      ns2.everydns.net.

AS      | IP               | AS Name
10316   | 206.225.86.123   | ABACUS-NET-AS - Abacus America Inc.
PEER_AS | IP               | AS Name
3356    | 206.225.86.123   | LEVEL3 Level 3 Communications


And Torpig (aka Sinowal, Anserin, ...) now uses the following domains:
kolpinik.com
mikorki.com
pibidu.com
yfesyrpa.net
uwikdutu.com
66.29.115.68

e.g.
kolpinik.com.           60      IN      A       174.133.5.26
;; AUTHORITY SECTION:
kolpinik.com.           60      IN      NS      ns3.everydns.net.
kolpinik.com.           60      IN      NS      ns4.everydns.net.
kolpinik.com.           60      IN      NS      ns2.everydns.net.
kolpinik.com.           60      IN      NS      ns1.everydns.net.

or
uwikdutu.com.           22      IN      A       65.60.42.26

first seen (UTC)    last seen (UTC)
2009-04-01 08:12:24 2009-04-01 08:12:24 cheviram.com A 174.133.5.26  
2009-04-06 10:35:06 2009-04-06 10:35:06 gceakrpa.net A 174.133.5.26  
2009-04-14 12:28:17 2009-04-14 12:28:17 yfesyrpa.net A 174.133.5.26  
2009-04-06 10:41:38 2009-04-14 13:42:25 mikorki.com A 174.133.5.26  
2009-04-07 13:11:59 2009-04-14 13:43:04 kolpinik.com A 174.133.5.26  
2009-04-06 10:42:44 2009-04-14 14:10:35 pibidu.com A 174.133.5.26 

with the following Registrant whois data:
Registrant:
         Micha  Orko morok at yahoo.com +1.9052524300
         NA
         5672 Ambler Dr
         Mississauga,Ontario,CA L4W 2N3

or 
Registrant:
         Admin proxyadmin at proxy.com +1.8537146942
         Proxy INC
         312 Capitol Suite 48
         Houston,TX,US 77002


AS      | IP               | AS Name
8001    | 66.29.115.68     | NET-ACCESS-CORP - Net Access Corporation
21844   | 174.133.5.26     | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
32475   | 65.60.42.26      | SINGLEHOP-INC - SingleHop

Please terminate / null route the mentioned IPs. Thanks!
@cymru: Please add the IPs to ddos-rs

-- 
Tom Fischer
BFK edv-consulting GmbH                  tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99

More information about the nsp-security mailing list