[nsp-sec] Mebroot/Torpig (AS 6461, 23352, 32475)

Janish, Nathan Nathan.Janish at Level3.com
Thu Apr 16 11:42:09 EDT 2009


Working on getting this shut down.

Nathan Janish
Level3 Security
720.888.3350

-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Tom Fischer
Sent: Thursday, April 16, 2009 5:24 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Mebroot/Torpig (AS 6461, 23352, 32475)

----------- nsp-security Confidential --------

Hi,

Tom Fischer wrote:
> and e.g. pointing to
> xtjhvcjh.com.           60      IN      A       206.225.86.123
> ;; AUTHORITY SECTION:
> xtjhvcjh.com.           60      IN      NS      ns1.everydns.net.
> xtjhvcjh.com.           60      IN      NS      ns3.everydns.net.
> xtjhvcjh.com.           60      IN      NS      ns4.everydns.net.
> xtjhvcjh.com.           60      IN      NS      ns2.everydns.net.

moved from 206.225.86.123 to 65.60.34.186

first seen (UTC)    last seen (UTC)
2009-04-15 19:02:08 2009-04-15 19:05:14 xtjhvcjh.com A 65.60.34.186
2009-04-15 23:10:41 2009-04-15 23:10:41 uxkkexss.biz A 65.60.34.186
2009-04-16 09:35:39 2009-04-16 09:35:39 dciwsgvx.com A 65.60.34.186

AS      | IP               | AS Name
32475   | 65.60.34.186     | SINGLEHOP-INC - SingleHop

[...]

> e.g.
> kolpinik.com.           60      IN      A       174.133.5.26
> ;; AUTHORITY SECTION:
> kolpinik.com.           60      IN      NS      ns3.everydns.net.
> kolpinik.com.           60      IN      NS      ns4.everydns.net.
> kolpinik.com.           60      IN      NS      ns2.everydns.net.
> kolpinik.com.           60      IN      NS      ns1.everydns.net.

moved from 174.133.5.26 to 65.60.34.90

2009-04-15 15:45:37 2009-04-16 01:00:35 kolpinik.com A 65.60.34.90
2009-04-16 01:00:37 2009-04-16 09:19:22 mikorki.com A 65.60.34.90
2009-04-16 01:01:38 2009-04-16 09:20:27 pibidu.com A 65.60.34.90
2009-04-15 15:46:02 2009-04-16 10:11:44 yfesyrpa.net A 65.60.34.90

AS      | IP               | AS Name
32475   | 65.60.34.90      | SINGLEHOP-INC - SingleHop

PEER_AS | IP               | AS Name
6461    | 65.60.34.90      | MFNX MFN - Metromedia Fiber Network
23352   | 65.60.34.90      | SERVERCENTRAL - Server Central Network

Any chance to null route the mentioned domains/IPs?

-- 
Tom Fischer
BFK edv-consulting GmbH                  tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99
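As an added example (not from the thread or from either poster), a small Python script that does the passive-DNS triage behind the message: it parses observations in the thread's first-seen/last-seen layout, groups names by hosting IP to show what a null route on one address would cover, and reports when a name moved between addresses. The sample input is constructed from the observations quoted above plus two records for the prior IPs, whose timestamps are assumed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the thread's layout: the observations quoted in the
# message plus two records for the prior IPs (their timestamps are assumed).
PDNS_LINES = """\
2009-04-14 12:00:00 2009-04-15 18:59:00 xtjhvcjh.com A 206.225.86.123
2009-04-15 19:02:08 2009-04-15 19:05:14 xtjhvcjh.com A 65.60.34.186
2009-04-15 23:10:41 2009-04-15 23:10:41 uxkkexss.biz A 65.60.34.186
2009-04-16 09:35:39 2009-04-16 09:35:39 dciwsgvx.com A 65.60.34.186
2009-04-14 12:00:00 2009-04-15 15:40:00 kolpinik.com A 174.133.5.26
2009-04-15 15:45:37 2009-04-16 01:00:35 kolpinik.com A 65.60.34.90
2009-04-16 01:00:37 2009-04-16 09:19:22 mikorki.com A 65.60.34.90
2009-04-16 01:01:38 2009-04-16 09:20:27 pibidu.com A 65.60.34.90
2009-04-15 15:46:02 2009-04-16 10:11:44 yfesyrpa.net A 65.60.34.90
"""

def parse_pdns(text):
    """One A record per line; header, blank and non-A lines are skipped."""
    records = []
    for line in text.splitlines():
        p = line.split()  # first date, time, last date, time, name, type, rdata
        if len(p) != 7 or p[5] != "A":
            continue
        records.append({"first": datetime.fromisoformat(f"{p[0]} {p[1]}"),
                        "last": datetime.fromisoformat(f"{p[2]} {p[3]}"),
                        "name": p[4], "ip": p[6]})
    return records

def domains_by_ip(records):
    """Names sharing one address: what a null route on that IP would cover."""
    groups = defaultdict(set)
    for r in records:
        groups[r["ip"]].add(r["name"])
    return {ip: sorted(names) for ip, names in groups.items()}

def migrations(records):
    """(name, old_ip, new_ip, when) for each change of address, oldest first."""
    ordered = sorted(records, key=lambda r: (r["name"], r["first"]))
    moves = [(cur["name"], prev["ip"], cur["ip"], cur["first"])
             for prev, cur in zip(ordered, ordered[1:])
             if prev["name"] == cur["name"] and prev["ip"] != cur["ip"]]
    return sorted(moves, key=lambda m: m[3])

def activity_window(records, ip):
    """Earliest first_seen and latest last_seen over every name on the IP."""
    hits = [r for r in records if r["ip"] == ip]
    return min(r["first"] for r in hits), max(r["last"] for r in hits)
```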


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________


