[nsp-sec] ACK 3356 - Mebroot/Torpig (AS 10316, 8001, 21844, 32475)

David Rossbach david at rossbachs.com
Wed Apr 15 11:25:02 EDT 2009


ACK AS3356

d/s has been notified.

David Rossbach
Level3 Communications



----- Original Message ----- 
From: "Tom Fischer" <tfischer at bfk.de>
To: <nsp-security at puck.nether.net>
Sent: Tuesday, April 14, 2009 12:06 PM
Subject: [nsp-sec] Mebroot/Torpig (AS 10316, 8001, 21844, 32475)


> ----------- nsp-security Confidential --------
>
> Hi,
>
> Mebroot (MBR rootkit) changed the domain name algorithm.
> The new domains are:
>
> wvvexfux.com
> fikjugsg.com
> xtjhvcjh.com
> khdjehsk.com
> jfsbwskh.com
> dfhkxefj.com
> dbxgkwwc.com
> jdkhvjig.com
> hvfbecvw.com
> dwxiedwc.com
>
> all with the following Registrant whois data:
> Registrant:
>         Debora Rogni Debora at msn.com +1.8783429675
>         NA
>         13586 Deer Trail Court
>         Saratoga,CA,US 95070
>
> and currently pointing to
> xtjhvcjh.com.           60      IN      A       206.225.86.123
> ;; AUTHORITY SECTION:
> xtjhvcjh.com.           60      IN      NS      ns1.everydns.net.
> xtjhvcjh.com.           60      IN      NS      ns3.everydns.net.
> xtjhvcjh.com.           60      IN      NS      ns4.everydns.net.
> xtjhvcjh.com.           60      IN      NS      ns2.everydns.net.
>
> AS      | IP               | AS Name
> 10316   | 206.225.86.123   | ABACUS-NET-AS - Abacus America Inc.
> PEER_AS | IP               | AS Name
> 3356    | 206.225.86.123   | LEVEL3 Level 3 Communications
>
>
> And Torpig (aka Sinowal, Anserin, ...) now uses the following domains:
> kolpinik.com
> mikorki.com
> pibidu.com
> yfesyrpa.net
> uwikdutu.com
> 66.29.115.68
>
> e.g.
> kolpinik.com.           60      IN      A       174.133.5.26
> ;; AUTHORITY SECTION:
> kolpinik.com.           60      IN      NS      ns3.everydns.net.
> kolpinik.com.           60      IN      NS      ns4.everydns.net.
> kolpinik.com.           60      IN      NS      ns2.everydns.net.
> kolpinik.com.           60      IN      NS      ns1.everydns.net.
>
> or
> uwikdutu.com.           22      IN      A       65.60.42.26
>
> first seen (UTC)    last seen (UTC)
> 2009-04-01 08:12:24 2009-04-01 08:12:24 cheviram.com A 174.133.5.26
> 2009-04-06 10:35:06 2009-04-06 10:35:06 gceakrpa.net A 174.133.5.26
> 2009-04-14 12:28:17 2009-04-14 12:28:17 yfesyrpa.net A 174.133.5.26
> 2009-04-06 10:41:38 2009-04-14 13:42:25 mikorki.com A 174.133.5.26
> 2009-04-07 13:11:59 2009-04-14 13:43:04 kolpinik.com A 174.133.5.26
> 2009-04-06 10:42:44 2009-04-14 14:10:35 pibidu.com A 174.133.5.26
>
> with the following Registrant whois data:
> Registrant:
>         Micha  Orko morok at yahoo.com +1.9052524300
>         NA
>         5672 Ambler Dr
>         Mississauga,Ontario,CA L4W 2N3
>
> or
> Registrant:
>         Admin proxyadmin at proxy.com +1.8537146942
>         Proxy INC
>         312 Capitol Suite 48
>         Houston,TX,US 77002
>
>
> AS      | IP               | AS Name
> 8001    | 66.29.115.68     | NET-ACCESS-CORP - Net Access Corporation
> 21844   | 174.133.5.26     | THEPLANET-AS - ThePlanet.com Internet 
> Services, Inc.
> 32475   | 65.60.42.26      | SINGLEHOP-INC - SingleHop
>
> Please terminate / null route the mentioned IPs. Thanks!
> @cymru: Please add the IPs to ddos-rs
>
> -- 
> Tom Fischer
> BFK edv-consulting GmbH                  tel: +49 721 962 01-1
> Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security 
> counter-measures.
> _______________________________________________
> 
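The post above asks operators to act on a list of domains and IPs, and it shows the pivot that found extra Torpig domains (cheviram.com, gceakrpa.net) by looking for other names resolving to 174.133.5.26. The script below is an added example and is not part of either message in this thread: it matches resolver query logs against those indicators and performs the same A-record pivot over passive-DNS rows. The domain and IP sets are copied from the post; the BIND-style query-log lines, the client addresses and the passive-DNS rows are constructed for the example, and `is_indicator`, `match_queries` and `pivot_on_ips` are names chosen here.

```python
"""Match DNS resolver logs and passive-DNS rows against the Mebroot/Torpig indicators.

Added example, not code from the nsp-security post. Indicator domains and IPs
are copied from the post; log lines and passive-DNS rows are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Indicator domains and C2 IPs as listed in the 2009-04-14 post.
MEBROOT_DOMAINS = {
    "wvvexfux.com", "fikjugsg.com", "xtjhvcjh.com", "khdjehsk.com", "jfsbwskh.com",
    "dfhkxefj.com", "dbxgkwwc.com", "jdkhvjig.com", "hvfbecvw.com", "dwxiedwc.com",
}
TORPIG_DOMAINS = {"kolpinik.com", "mikorki.com", "pibidu.com", "yfesyrpa.net", "uwikdutu.com"}
C2_IPS = {"206.225.86.123", "66.29.115.68", "174.133.5.26", "65.60.42.26"}

# Constructed passive-DNS observations as (domain, A record). The first two rows
# mirror the post's first-seen/last-seen table; the rest are made up here.
PASSIVE_DNS = [
    ("cheviram.com", "174.133.5.26"),
    ("gceakrpa.net", "174.133.5.26"),
    ("kolpinik.com", "174.133.5.26"),
    ("uwikdutu.com", "65.60.42.26"),
    ("example.net", "192.0.2.10"),  # unrelated, must not be flagged
]

# Constructed BIND-style query log lines (assumed format, not real traffic).
SAMPLE_LOG = """\
15-Apr-2009 10:02:13.457 client 10.1.2.3#53120: query: kolpinik.com IN A + (192.0.2.1)
15-Apr-2009 10:02:14.001 client 10.1.2.3#53121: query: XTJHVCJH.COM. IN A + (192.0.2.1)
15-Apr-2009 10:02:15.112 client 10.1.2.9#40011: query: www.example.com IN A + (192.0.2.1)
15-Apr-2009 10:02:16.903 client 10.1.2.7#40012: query: mail.mikorki.com IN MX + (192.0.2.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def normalize(name):
    """Lower-case a query name and strip the trailing dot so matching is exact."""
    return name.rstrip(".").lower()


def is_indicator(qname, domains):
    """Return the indicator domain matched by qname (exact or as a subdomain), else None.

    Walks up the name, e.g. mail.mikorki.com -> mikorki.com, but never tests the
    bare TLD, so a query for any .com host does not match.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_queries(log_text, domains):
    """Map each client IP that queried an indicator to the sorted indicators it hit."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip rather than fail on other log records
        indicator = is_indicator(m.group("qname"), domains)
        if indicator:
            hits[m.group("client")].add(indicator)
    return {client: sorted(names) for client, names in hits.items()}


def pivot_on_ips(known_domains, passive_dns, c2_ips):
    """Return domains that share an A record with a known C2 IP but are not yet indicators.

    This is the pivot the post made on 174.133.5.26; new hits should be added to
    the indicator set and re-run against the logs.
    """
    return sorted({d for d, ip in passive_dns if ip in c2_ips and d not in known_domains})


if __name__ == "__main__":
    all_domains = MEBROOT_DOMAINS | TORPIG_DOMAINS
    for client, names in match_queries(SAMPLE_LOG, all_domains).items():
        print(f"{client}: {', '.join(names)}")
    print("new domains via IP pivot:", pivot_on_ips(all_domains, PASSIVE_DNS, C2_IPS))
```

Matching is done on the query name rather than the answer because a resolver log records the name even when the domain has already been sinkholed or null-routed; the IP pivot is the separate step that grows the indicator set between runs.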